Volume 3.02 January 24, 1996
 Commerce Department Releases Crypto Report
 Court finds Constitutional Right of Privacy in Pharmacy Records
 Avrahami Asks Court for Summary Judgment
 New Book Examines FBI Surveillance
 UK Medical Association Recommends New Security Standards
 Upcoming Conferences and Events
 Commerce Department Releases Crypto Report
Following a six-month delay, the US Department of Commerce released a report on January 19 on the international market for encryption software. The report finds that there are foreign products available which "can have an impact on US competitiveness" and that US export controls "may have discouraged US software producers from enhancing the software features of general purpose software to meet the anticipated growth demand by foreign markets." It anticipates that there will be steadily increasing demand for crypto to be included in general-use software products.

Commerce Secretary Ron Brown told Bloomberg Business News that, "If your foreign competitors are exporting products with encryption capability and you are not, that puts you at a tremendous competitive disadvantage."

The report, which was jointly produced by the Commerce Department's Bureau of Export Administration and the National Security Agency, reviews the foreign availability of encryption products and other nations' import, export and domestic use policies. Significant portions of the report have been removed at the request of the NSA. In December 1995, EPIC filed suit under the Freedom of Information Act to obtain a full copy of the report and will continue to demand its release in its entirety.

A copy of the Executive Summary and more information on crypto policy is available at: http://www.epic.org/crypto/
 Court finds Constitutional Right of Privacy in Pharmacy Records
In the past month, two federal courts have ruled on the privacy of an employee's use of prescription drugs. Using different legal bases, the court decisions bring a measure of legal protection into an area where there is no specific federal privacy law.

In one decision filed last week, a federal district court judge in Denver ruled that a private ski resort violated the Americans with Disabilities Act when it required its employees to disclose the prescription drugs they used. The court found that "a policy that requires employees to disclose the prescription medication they use would force the employees to reveal their disabilities to their employer." Employees argued that requiring disclosure could result in their deferring needed medication for fear of employer retaliation. According to the Wall Street Journal, the ski resort will not appeal the decision.

In late December, the Third Circuit Court of Appeals ruled that individuals have a constitutional right to privacy in prescription records. The court based its decision on previous holdings of the Supreme Court that individuals have a right of privacy in their medical records. In applying the precedent to prescription records, the appeals court stated:

"It is now possible from looking at an individual's prescription records to determine a person's illnesses, or even to ascertain such private facts as whether a woman is attempting to conceive a child through the use of fertility drugs. This information is precisely the sort to be protected by penumbras of privacy ... An individual using prescription drugs has a right to expect that such information will customarily remain private."

In protecting the information, the court ruled that an intermediate level of scrutiny should be used in balancing the privacy rights against an employer's interest in obtaining the information to prevent abuses of its health program. However, in cases where there is a severe intrusion, the court suggested that the stronger "compelling interest analysis" should be used.

The case came about after Rite-Aid pharmacy sent the director of the South Eastern Pennsylvania Transportation Authority (SEPTA) a list of SEPTA employees and the prescription drugs they were receiving as part of a SEPTA-Rite-Aid contract for health services. Included in that list was the plaintiff, who was taking medication for treatment of HIV-related illnesses. The plaintiff also sued Rite-Aid for the disclosure and Rite-Aid settled, agreeing not to provide employees' names in future reports. John Doe v. SEPTA, 3rd Circuit, Case No. 95-1559 (December 28, 1995).

More information on medical privacy is available at: http://www.epic.org/privacy/medical/
 Avrahami Asks Court for Summary Judgment
Ram Avrahami, the Virginia man who brought suit against US News and World Report for selling his personal data without his permission, filed a motion with the Virginia court on January 16 for summary judgment. The motion is an effort to simplify the case, where there is no dispute over material facts, by asking the judge to rule on the original motion as a matter of law.

"The law is explicit," said Jonathan C. Dailey, who represents Avrahami in this case. "Virginia Code 8.01-40 has been interpreted by the Virginia Supreme Court as creating a property right in a person's name, a right that is vested in all people, including ordinary citizens. When USN&WR received a commercial benefit from Mr. Avrahami's name, as little as it may be, without first obtaining his express written consent, it violated the law."

USN&WR had already admitted in a previous court filing that it had traded Avrahami's name under a "list exchange agreement" with the Smithsonian. According to the motion, in a Spring 1995 edition of the Direct Marketing List Source, a list industry catalog, both USN&WR and the Smithsonian Magazine were selling subscribers' names (2.2 million of USN&WR, 1.9 million of the Smithsonian) for $80-85 per thousand.

Mr. Avrahami said that this demonstrates that the exchange of lists is a clear commercial transaction. "USN&WR has systematically used my name for a commercial benefit, either for receipt of money or as a way to get reciprocal names of similar value so as to increase its own circulation. The law proscribes such practices and the magazine should stop exchanging names without the express written consent of its subscribers."

The court is expected to rule on the motion on the scheduled day of the trial, Feb. 6. If the court rules in Avrahami's favor, the court will then consider the issue of damages.

More information on the case is available at: http://www.epic.org/privacy/junk_mail/

In another case challenging junk mail, a small claims court in California ruled in favor of a man who sued Computer City for sending him unsolicited mail. In April, Bob Beken purchased merchandise from the store and indicated on the back of a check that the store could not sell his name or send him mail and that if it did, he could recover $1,000. The statement said:

"Computer City agrees NOT to place Robert Beken on any mailing list or send him any advertisements or mailings. Computer City agrees that a breach of this agreement by Computer City will damage Robert Beken and that these damages may be pursued in court. Further, that the damages for the first breach are $1,000. The deposit of this check is agreement with these terms and conditions."

The court upheld the contract and awarded Beken $1,021 in damages and fees.
 New Book Examines FBI Surveillance
A new book on the Justice Department by former New York Times reporter David Burnham reviews federal surveillance activities and current controversies involving the nation's chief law enforcement agency. The book, "Above the Law: Secret Deals, Political Fixes, and Other Misadventures of the U.S. Department of Justice" (Scribner 1996), is an extensive survey of the history of the Justice Department and the political machinations of the agency.

In a chapter entitled "Keeping Track of the American People: The Unblinking Eye and Giant Ear," Burnham examines new technologies of surveillance used by law enforcement agencies. Using both public and classified documents, he describes the activities of the FBI's Rapid Prototyping Facility in Quantico, Virginia, which develops miniature "microphones on a chip," the growing use of transactional records including direct marketing files and telephone toll records by the FBI and the DEA, and the FBI's new artificial intelligence-enhanced investigative systems. He also reviews current controversies such as the Clipper Chip and the Digital Telephony law and the relationship between the FBI and the National Security Agency.

The book also looks at the Department's enforcement efforts in civil rights cases, national security, and the drug war. Burnham makes extensive use of statistics to evaluate the agency's performance and finds that in most areas, the agency is ill-managed and lacking public accountability.

Burnham has published two previous books, "The Rise of the Computer State" (Random House 1983), one of the first books that looked at the threats to privacy in the computer age, and "A Law Unto Itself" (Random House 1989), an expose of the Internal Revenue Service. He is co-director of the Transactional Records Access Clearinghouse and a member of the EPIC Advisory Board.

More information about "Above the Law," including excerpts from the chapters on surveillance, the drug war and civil rights enforcement, is available at: http://www.epic.org/epic/board/burnham/book.html
 UK Medical Association Recommends New Security Standards
A new report prepared for the British Medical Association recommends the adoption of strong security and privacy standards to protect the confidentiality of medical information. The author of the report, "Security in Clinical Information Systems," is Dr. Ross J. Anderson of the Computer Laboratory, University of Cambridge.

Last year the British Medical Association recommended that doctors boycott the National Health Services data network. The BMA said that "use of the data network violates a doctor's duty of care to patient confidentiality and could subject doctors to professional sanctions." (See "British Doctors Boycott Medical Network," EPIC Alert 2.13, October 30, 1995)

In the new report, Dr. Anderson writes, "The proposed introduction of a nationwide NHS network has led to concern about security. Doctors and other clinical professionals are worried that making personal health information more widely available may endanger patient confidentiality. The problem is not limited to the NHS; it also concerns clinicians in prisons, immigration services, forensic laboratories and private healthcare. However the NHS network has forced the issues to the fore.

"It has been generally agreed that the security of electronic patient records must meet or exceed the standard that should be applied to paper records, yet the absence of clarity on the proper goals of protection has led to confusion. The British Medical Association therefore asked the author to consider the risks, and to prepare a security policy for clinical information systems."

The report concludes, "the advice of the British Medical Association to its members is that exposing unprotected patient identifiable clinical information to the NHS-wide network (or indeed to any other insecure network), or even sending it in encrypted form to an untrustworthy system, is imprudent to the point of being unethical."

The BMA report is available at: http://www.cl.cam.ac.uk/users/rja14/policy11/policy11.html
 Upcoming Conferences and Events
Security, Privacy and Intellectual Property Protection in the Global Information Infrastructure, Canberra, Australia. February 7-8, 1996. Sponsored by the Australian Government, Attorney-General's Department and the Organization for Economic Cooperation and Development. http://www.nla.gov.au/gii/oecdconf.html

Technologies of Freedom: Blueprints for Action, Feb. 29-March 2. Washington, DC. Sponsored by the Alliance for Public Technology. Contact: Ruth Holder email@example.com or http://apt.org/apt/

Computers Freedom and Privacy '96. March 27-30, 1996. Cambridge, Mass. Sponsored by MIT, ACM and WWW Consortium. Contact firstname.lastname@example.org or http://web.mit.edu/cfp96/

Conference on Technological Assaults on Privacy, April 18-20, 1996. Rochester Institute of Technology, Rochester, New York. Papers should be submitted by February 1, 1996. Contact Wade Robison email@example.com, by FAX at (716) 475-7120, or by phone at (716) 475-6643.

IEEE Symposium on Security and Privacy, May 6-8, 1996. Oakland, CA. Sponsored by IEEE. Contact: firstname.lastname@example.org or http://www.cs.pdx.edu/SP96.

Visions of Privacy for the 21st Century: A Search for Solutions. May 9-11, 1996. Victoria, British Columbia. Sponsored by The Office of Information and Privacy Commissioner for the Province of British Columbia and the University of Victoria. Program at http://www.cafe.net/gvc/foi

Australasian Conference on Information Security and Privacy, June 24-26, 1996. New South Wales, Australia. Sponsored by Australasian Society for Electronic Security and University of Wollongong. Contact: Jennifer Seberry (email@example.com).

Privacy Laws & Business 9th Annual Conference. July 1-3, 1996. St. John's College, Cambridge, England. Contact: Ms. Gill Ehrlich +44 181 423 1300 (tel), +44 181 423 4536 (fax).

Advanced Surveillance Technologies II. Sponsored by EPIC and Privacy International. September 16, 1996. Ottawa, Canada. Contact firstname.lastname@example.org or http://www.privacy.org/pi/conference/

18th International Conference of Data Protection and Privacy Commissioners. September 18-20, 1996. Ottawa, Canada. Sponsored by the Privacy Commissioner of Canada.

(Send calendar submissions to Alert@epic.org)
The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to email@example.com with the subject: "subscribe" (no quotes). Back issues are available via http://www.epic.org/alert/
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, email firstname.lastname@example.org, HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan. Thank you for your support.