                          E P I C  A l e r t
Volume 10.02                                           January 31, 2003

                           Published by the
             Electronic Privacy Information Center (EPIC)
                           Washington, D.C.

Table of Contents

[1] European Commission Orders Microsoft to Modify Passport
[2] Critical Hill Action Pending on "Total Information Awareness"
[3] Opposition to Data Retention Grows in Europe
[4] Public Voice Conference at OECD-APEC Forum on the Digital Economy
[5] FTC, New York Attorney General Take Action to Protect Privacy
[6] Privacy International Seeks Nominations for Big Brother Awards
[7] EPIC Bookstore: The GigaLaw Guide to Internet Law
[8] Upcoming Conferences and Events

[1] European Commission Orders Microsoft to Modify Passport

European governments, seeking to protect the privacy rights of
computer users in the European Union, have required Microsoft to
modify Passport, an online authentication system that identifies
Internet users and enables the transfer of personal information
between various Web sites around the world.  The European Union
Working Party on Data Protection ("WP29") issued a Report that found
Microsoft's Passport system violated several EU data protection rules.
The WP29 Report requires Microsoft to better inform users of their
privacy rights under European laws and more fairly collect and process
their personal data.  The Report also requires Microsoft to make it
easier for Passport users to know what personal information Microsoft
and its Passport affiliates collect about them, and to allow users to
restrict the use and sharing of that information for commercial and
marketing purposes.

The WP29 Report also gives users the right to indicate on a
site-by-site basis which personal information they wish to disclose.
Pursuant to the Report, Microsoft has to make substantial changes to
Passport.  The Report also discusses competing online authentication
systems, such as the Liberty Alliance Project, without mandating
specific changes at this point.  The WP29 will continue monitoring
future developments in those authentication services, and companies
developing them will need to follow its guidelines.  European
Commissioner Bolkestein said that companies will need to follow the
Working Party Guidelines for all future services.

The outcome in Europe comes almost a year and a half after EPIC and a
coalition of consumer and privacy organizations initiated a complaint
against Microsoft at the Federal Trade Commission in July 2001,
alleging that Passport violated Section 5 of the Federal Trade
Commission Act and constituted an "unfair and deceptive trade
practice."  The FTC found that Microsoft had in fact made false
representations concerning Passport and associated services.  The FTC
said that Microsoft must establish a comprehensive information
security program for Passport, and that it must not misrepresent its
practices of information collection and usage.  Microsoft agreed to
comply with the FTC order, as well as to undergo independent audits
every two years for the next 20 years to ensure compliance.

In March 2002, an EC member submitted questions to the Commission
raising many of the same issues included in EPIC complaints to the FTC
and questioned Passport's impact on European consumers' privacy.  The
European Commission subsequently promised to look into this issue as a
matter of priority.  During its discussions with the Commission,
Microsoft had reportedly alleged that its service always complied with
European privacy laws because it gave European users the right to
change or delete any personally identifiable information about them.
The WP29's Report now makes it clear that substantial changes are
required in Passport before the system can be considered in compliance
with European laws.

The Commission's decision has an impact on the online privacy of more
than 250 million Passport users, most of them based in the US, since
Passport does not discriminate between the nationality of its users.
The WP29 Report also urges the development of anonymous and
pseudonymous authentication systems and recommends the development of
systems that minimize the amount of personal information collected and
limit the use to that which is necessary.  Additionally, the Report
emphasizes that users should be given full control over decisions
affecting the use of their personal data for profiling purposes, and
mandates that transfers of personal information to third countries be
adequately protected pursuant to European privacy rules.

WP 29's Working Document on on-line authentication services (WP 68)
(January 29, 2003) (PDF):


European Commission press release (Jan. 30, 2003):


Press release by the Article 29 working party (Jan. 29, 2003):


European Union data protection rules:


FTC Consent Order, In the Matter of Microsoft Corporation, File No.


Rotenberg, ed., The Privacy Law Sourcebook (EPIC 2002) (includes the
EU Data Protection Directive and the initial WP29 report on
authentication services):


EPIC's Microsoft Passport Investigation Docket:


[2] Critical Hill Action Pending on "Total Information Awareness"

The short-term fate of the controversial Total Information Awareness
(TIA) program is likely to be decided within the next two weeks.  A
coalition of Senators on January 23 attached an amendment to the
omnibus spending bill that would limit the TIA system.  Senators Ron
Wyden (D-OR), Dianne Feinstein (D-CA), Jon Corzine (D-NJ), Harry Reid
(D-NV), and Barbara Boxer (D-CA) sponsored the measure, which is known
as Amendment 59.  Sen. Charles Grassley (R-IA) had offered a similar
amendment and supported inclusion of the Wyden amendment in the
spending package.  The amendment will now be the subject of
negotiations in a conference between the Senate and the House on the
omnibus spending bill.

Under Amendment 59, funding for development of TIA will end 60 days
after the passage of the omnibus spending bill, unless the
intelligence community submits a detailed report to Congress on the
privacy and civil liberties implications of the system.  However,
exceptions in the amendment would allow President Bush to approve
continued funding for TIA if he determines that issuing the report is
impracticable and that a cessation of TIA research would endanger
national security.  The amendment further requires Congressional
authorization before TIA is actually deployed by any agency.  The
amendment would allow TIA to be deployed only for military purposes
outside the United States and for foreign intelligence activities
conducted against non-citizens or wholly outside the country.

Individuals wishing to support the TIA moratorium should immediately
contact the omnibus spending bill conferees in the House of
Representatives and the Senate (see link below).

Senate Amendment 59:


H. J. Res. 2, Omnibus Appropriations Bill:


List of House and Senate Conferees:


EPIC Total Information Awareness page:


[3] Opposition to Data Retention Grows in Europe

A multi-party coalition of 38 European Parliament members has
recommended that the European Council and some Member States abandon
their plans to monitor and retain data on people's private
communications.  Condemning the practice of data retention as a
violation of the European Convention of Human Rights, its case law,
and the EU Data Protection Directive, the group argued for alternative
solutions to fight crime and urged the adoption of stricter limits on
the storage and use of communications for law enforcement.  As an
example of less privacy-invasive measures, the coalition argued that
preservation of data on a case-by-case basis would be more suitable to
achieve the objectives pursued by police and security agencies.

Concurrently, in Great Britain, a parliamentary committee has rejected
the government's current data retention proposal, in which it had
planned to retain private communications data for up to a year.  The
All Party Internet Group ("APIG"), a parliamentary inquiry panel,
examined the Home Office's data retention scheme, which is part of the
Anti-Terrorism Crime & Security Act 2001 ("ATCS").  They concluded
that the government's proposals were impractical, the cost of
retention had been underestimated, and the concept of data retention
appeared to be violating the UK Human Rights Act, which incorporates
the European Convention on Human Rights into English Law.  They also
showed that the industry was not willing or able to comply with
mandatory data retention requirements, and recommended that the Home
Office negotiate with industry players a "targeted data preservation"
scheme instead, as a more viable option.  In reaction to the report,
the UK government denied some of its findings, rejected the idea of
data preservation as the most adequate solution to fight crime, and
promised to establish a better dialogue with industry, without
mentioning how it would address civil liberties issues.  The Home
Office nevertheless made clear that if industry actors could not agree
on a voluntary code of practice on data retention, the government
would go forward with the planned retention.

The crucial issue in the current debate on electronic surveillance of
communications data under the new EU Directive on Privacy and
Electronic Communications (2002/58/EC) is whether law enforcement
authorities can justifiably claim that the retention of all people's
private communications data for long periods and in a systematic
fashion is necessary to fight crime and terrorism.  The
"communications data" referred to in the European context are all
traffic and location data held by Internet service providers and
landline and mobile telephone companies about their customers.  This
includes people's browsing patterns, phone and e-mail details
(geographic location of mobile phone users, call time and duration,
number dialed, callers' and recipients' names, e-mail addresses),
chatroom user IDs, credit cards, etc.  The European Council is
currently working on a framework decision that could make the
principle of data retention -- which can be defined as the systematic
and mandatory storage of large categories of traffic and location data
for a specified period -- compulsory for all EU Member States;
however, data preservation -- the storage of specific data related to
a particular criminal investigation of a specified individual for a
specified period of time, accessed pursuant to legal and
constitutional safeguards and subject to judicial review -- is favored
in most countries.

For more information and news items about data retention, see EPIC's
Data Retention page:


All Party Internet Group report:


[4] Public Voice Conference at OECD-APEC Forum on the Digital Economy

The Public Voice Coalition held a conference in conjunction with the
joint OECD-APEC Forum on the Future of the Digital Economy from
January 14-17 in Honolulu, Hawaii.  The Public Voice provides the
opportunity for civil society organizations to participate in
international policymaking forums that might otherwise be limited to
business and government.  Attendees included representatives from the
Association for Computing Machinery (ACM), Consumers International,
the Electronic Privacy Information Center (EPIC), the Federal Trade
Commission, the National Consumers League, the Office of Consumer
Protection in Hawaii, the Organization for Economic Cooperation and
Development (OECD), and the Trade Union Advisory Council (TUAC), as
well as experts in technology, security, and Internet law and policy.

Public Voice participants addressed two topics under consideration by
the OECD and the Asia Pacific Economic Cooperation forum (APEC):
Security and Trust in Ecommerce, and Inclusion and Participation in
the Information Society.  The latter was also the subject of a WSIS
(World Summit on the Information Society) preparatory meeting held on
January 17, immediately after the OECD-APEC forum.

An important theme that emerged from the conference was that
policymakers should focus more on serving the needs of end users of
Information and Communications Technologies (ICTs).  The digital
marketplace is a demand-driven economy; therefore, in order for
commerce to thrive, policy frameworks must provide an environment that
fosters trust and security for consumers.  Governments also have great
potential to use ICTs to provide various services to their citizens,
including e-government, e-learning and e-health; however, the
government must be more responsive to citizens' needs, and should
address the concerns of the public in the design of any such

Participants made several specific recommendations to the OECD and
APEC.  Key recommendations included the following: (1) While good
consumer, privacy and security guidelines are vital, policymakers must
also focus their attention on the challenges of implementation,
including building effective cross-border and internal enforcement
mechanisms; (2) Privacy and security guidelines need to be applied to
the databases and record systems established by government. Too often
the protection of privacy is misconceived as a national security risk.
In fact, given the vulnerability of citizens and the continued
weakness of many security systems, the lack of privacy is quickly
becoming the real national security risk; (3) As the profile of ICT
users rapidly moves away from technologically savvy users, there is a
growing need for governments to provide simple, clear regulations that
protect users and educate them about their rights; (4) There is a
pressing need to develop online rights for online workers to protect
workers' rights to organize and communicate in the electronic
workplace; (5) Governments must bring more technical expertise to the
decision making process when considering emerging technologies.
Recent developments concerning copyright protection, electronic
voting, and the proposal for "Total Information Awareness" lack
adequate input from the technical community and often result in
counterproductive or misguided proposals; and (6) While promoting
inclusion and participation in the information society, it is
important to provide more than access.  Governments should focus on
reducing the barriers to enable actual participation in the use and
development of the Internet; this might include expanding the public
domain and allowing new ICTs such as Wi-Fi networks to freely develop.

The Public Voice will continue working closely with the OECD and now
with APEC to bring civil society voices to international decision
making forums.

For reports, presentations, and background information, visit:


More information about Public Voice events and activities can be found


[5] FTC, New York Attorney General Take Action to Protect Privacy

The Federal Trade Commission (FTC) and New York Attorney General
(NYAG) have both taken actions that will improve privacy protections
nationwide.  The FTC and the NYAG have settled actions into the
business practices of student marketers.  In a separate case, the NYAG
recently settled a lawsuit against a spam company.  Additionally, the
FTC has issued a report on consumer protection that shows that
identity theft is a major threat to consumers.

Both the FTC and NYAG have recently completed actions against Student
Marketing Group (SMG), a company that collected information from
students for marketing purposes under the pretense of college
financial aid assistance.  Through teachers, SMG distributed surveys
to students that collected personal information, and then sold that
information to credit card, student loan, cosmetics, magazine, and
clothing companies.  These settlements demonstrate that data
collectors who mislead individuals by not fully disclosing secondary
uses of personal information will run afoul of consumer protection

In a separate action, the NYAG obtained a court order enjoining
MonsterHut, a now-defunct e-mail marketing company, from falsely
representing that individuals consented to receiving its spam.  As a
result of this order, list purchasers are likely to require e-mail
address sellers to guarantee that individuals' information was
obtained with proper consent.  A February hearing will determine
whether MonsterHut will be subject to restitution and civil penalties.

Finally, the FTC has released its annual report about identity theft
and the top ten fraud complaint categories reported by consumers.
Identity theft topped the list -- continuing the trend for a third
year -- constituting 43 percent of complaints in the FTC's "Consumer
Sentinel" complaint database.  The number of reported identity theft
complaints increased from 31,117 in 2000 to 86,198 in 2001, and surged
to 161,819 in 2002.

FTC Consumer Alert on Student "Surveys:"


FTC Student Marketing Group Settlement:


NYAG Student Marketing Group Settlement:


EPIC Student Privacy Page:


NYAG MonsterHut Settlement:


FTC Report on National and State Trends in Identity Theft


EPIC Fair Credit Reporting Act Page:


[6] Privacy International Seeks Nominations for Big Brother Awards

In April 2003, Privacy International (PI) will hold the fifth U.S.
"Big Brother Awards" to name and shame the public and private sector
individuals and organizations that have done the most to invade
personal privacy in the United States in the past year.

Three distinctive "Orwell" statues of a golden boot stomping a head
will be presented to the government agencies and officials, companies
and initiatives that have done the most to invade personal privacy in
the previous year.  The "Admiral John M. Poindexter Lifetime Menace"
award will also be presented to an organization that has
systematically invaded privacy over a long period of time.  Previous
"winners" include the Federal Bureau of Investigation, the National
Security Agency, DoubleClick, ChoicePoint, Trans Union, Oracle, the
FAA's BodyScan system, the Department of Commerce and Microsoft.

"Brandeis" awards will also be given out to champions of privacy.  The
Brandeis Award is named after U.S. Supreme Court Justice Louis
Brandeis, who is considered the father of American privacy law,
describing privacy as "the right most valued by civilized" persons.
The awards are given to those who have done exemplary work to protect
and enhance privacy.  Previous winners include Phil Zimmermann,
creator of PGP; Beth Givens, founder of the Privacy Rights
Clearinghouse; and Robert Ellis Smith, editor of the Privacy Journal.

The judging panel, consisting of lawyers, academics, consultants,
journalists and civil rights activists, is currently inviting
nominations from members of the public.  Nominations can be submitted
via the PI Web site.  Privacy International will post the most popular
current nominations on its site.

The U.S. Big Brother Awards are now in their fifth year.  There have
also been ceremonies in the UK, Germany, Austria, Belgium, Bulgaria,
Finland, Spain, Switzerland, Hungary, France, Denmark and the
Netherlands.  The initiator of the awards, Privacy International, was
founded in 1990, and campaigns on a wide range of privacy issues
around the world.  Substantial support for the Awards is made through
the Public Voice Campaign.

The ceremony will be held at the New Yorker Hotel in New York City at
the 13th Annual Conference on Computers, Freedom and Privacy.

Privacy International Big Brother Awards Page:


Conference on Computers, Freedom, and Privacy:


The Public Voice:


[7] EPIC Bookstore: The GigaLaw Guide to Internet Law

The GigaLaw Guide to Internet Law, by Doug Isenberg (Random House


In this comprehensive guide, Isenberg succinctly covers every aspect
of Internet law -- from intellectual property, free speech, and
privacy to contract and employment law -- in a concise and
non-"legalese" style.  His coverage provides the reader with realistic
and business-oriented solutions to the most common problems relating
to conducting online business in America, and is especially aimed at
policy makers, researchers, company lawyers and decision-makers.
Although the book is not particularly consumer-oriented, it offers a
good outline of current privacy issues and raises the average reader's
awareness of some of today's most important privacy risks when surfing
or expressing oneself on the Internet.


EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002).
Price: $40. http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.

"Privacy & Human Rights 2002: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, video surveillance, location tracking, ID
systems and freedom of information laws.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore
     "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

O'Reilly Bioinformatics Technology Conference. February 3-6, 2003.
San Diego, CA. For more information:

10th Annual Network and Distributed System Security Symposium. The
Internet Society. February 5-7, 2003. San Diego, CA. For more
information: http://www.isoc.org/ndss03/

Civil Liberties in the Information Age. Potomac Institute. February 6,
2003. Washington, DC. For more information, contact Dan Dayton at

Politics of Code: Shaping the Future of the Next Internet. Oxford
University Programme in Comparative Media Law and Policy. February 6,
2003. Oxford, England. For more information:

Call for Proposals: February 15, 2003. O'Reilly Open Source
Convention. July 7-11, 2003. Portland, OR. For more information:

Third Annual Privacy & Data Security Summit: Implementing & Managing
Privacy in a Complex Environment. International Association of Privacy
Professionals. February 26-28, 2003. Washington, DC. For more
information: http://www.privacyassociation.org/html/conferences.html

Quality Labels for Web Sites: Alternative Approaches to Content Rating.
Programme in Comparative Media Law and Policy (PCMLP), Oxford
University. February 27, 2003. Kirchberg, Luxembourg. For more
information: http://saferinternet.org/news/Quality-label-workshop.asp

The Law and Technology of DRM: What will DRM technologies mean for the
future of information? University of California, Berkeley, School of
Information Management and Systems and Boalt Hall School of Law.
February 27 - March 1, 2003. Berkeley, CA. For more information:

Legal and Pedagogical Aspects of a Safer Internet. Safer Internet For
Knowing and Living (SIFKaL). February 28, 2003. Kirchberg, Luxembourg.
For more information: http://rechtsinformatik.jura.uni-sb.de/sifkal/

Spectrum Policy: Property or Commons? Stanford Law School Center for
Internet and Society. March 1, 2003. For more information:

P&AB's Privacy Practitioners' Workshop and Ninth Annual National
Conference. Privacy & American Business. March 12-14, 2003.
Washington, DC. For more information:

Big Brother Technologies. A Choices and Challenges Forum. Center for
Interdisciplinary Studies, Virginia Polytechnic Institute and State
University. March 27, 2003. Blacksburg, VA. For more information:

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy.
Association for Computing Machinery (ACM). April 1-4, 2003. New York,
NY. For more information: http://www.cfp2003.org/

28th Annual AAAS Colloquium on Science and Technology Policy. American
Association for the Advancement of Science. April 10-11, 2003.
Washington, DC. For more information:

Integrating Government With New Technologies '03: E-Government, Change
and Information Democracy. Riley Information Services. April 11, 2003.
Ottawa, Canada. For more information: http://www.rileyis.com/seminars/

RSA Conference 2003. RSA Security. April 13-17, 2003. San Francisco,
CA. For more information: http://www.rsaconference.com/

O'Reilly Emerging Technology Conference. April 22-25, 2003. Santa
Clara, CA. For more information: http://conferences.oreilly.com/etcon/

Privacy2003. Technology Policy Group. September 30 - October 2, 2003.
Columbus, OH. For more information: http://www.privacy2000.org/

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
   ---------------------- END EPIC Alert 10.02 ----------------------