Volume 3.05 February 29, 1996
 ACLU/EPIC Lawsuit Puts CDA Enforcement on Hold  Draft Crypto Bill Circulating  Personal Crypto Export Allowed  Court Rules Against Email Privacy  Calls Pour into PacBell Over Caller ID  State Legislatures Examine Privacy Issues  Digital Telephony Funding Update  Upcoming Conferences and Events
 ACLU/EPIC Lawsuit Puts CDA Enforcement on Hold
In a stipulation signed on February 23, the Justice Department has agreed not to initiate investigations or prosecutions under the "indecency" or "patently offensive" censorship provisions of the Communications Decency Act (CDA) while a three-judge panel in Philadelphia considers the case. The plaintiffs' attorneys, led by Chris Hansen of the American Civil Liberties Union (ACLU), consider the agreement to be a significant victory because it expands protections for Internet users beyond the temporary restraining order on the "indecency" provision granted by U.S. District Judge Ronald Buckwalter on February 15. Under the stipulated agreement, which protects all Internet users, no one will be investigated or prosecuted for the transmission of "patently offensive" speech. If the law is ultimately upheld, the government has reserved the right to prosecute later for such speech dating from the passage of the CDA. At a scheduling conference held on February 20, the three-judge court set five dates for the hearing on the plaintiffs' preliminary injunction motion in Philadelphia. The plaintiffs, including EPIC and the ACLU, will present their case on March 21 and 22, with April 1 reserved if necessary. The government's case will be presented on April 11 and 12. The complete trial is scheduled to last five days. In a related development, the American Library Association and a coalition of publishers, content providers and commercial access providers have filed a separate lawsuit in Philadelphia challenging the CDA. The new case has been consolidated with the pending litigation. "Things are moving very, very fast and we need to make certain that our society doesn't destroy the potential of our technology even before it comes into its full potential," said Judy Krug, director of the Office of Intellectual Freedom for the American Library Association and a member of the EPIC Advisory Board. Comprehensive information on the CDA lawsuit, including the text of the stipulation signed on February 23, is available at: http://www.epic.org/free_speech/censorship/lawsuit/
 Draft Crypto Bill Circulating
Senator Patrick Leahy (D-VT) is expected to introduce the Encrypted Communications Privacy Act of 1996 within the next week. The bill attempts to answer a number of unresolved issues concerning the use of encryption technology. Among the key features, the bill: - Creates a legal framework for key escrow agents including the obligations to disclose keys and assist law enforcement, and sets penalties for improper disclosure; - Criminalizes the use of encryption which may have the effect of obstructing a felony investigation; - Affirms the freedom to use encryption; and - Relaxes export controls by transferring authority for export decisions to the Secretary of Commerce. The bill reflects a number of the recommendations made by EPIC, EFF, the USACM and various industry and trade groups to relax export control law and affirm the freedom to use all forms of encryption. However, the bill does little to roll back the deployment of Clipper-inspired encryption in the federal government or remove the classification restrictions on encryption policy that currently block public scrutiny of government policy. The bill also brings into sharp focus the problems with key escrow encryption. The bill makes clear that escrow agents could face staggering liability -- criminal prosecution if they fail to comply with what are currently ill-defined obligations to assist law enforcement and civil liability if keys are improperly disclosed or trade secrets improperly released. There is also no indication that Congress has yet considered the risks to network vulnerability or record integrity if key escrow is widely deployed. EPIC will provide a copy of the bill online as soon as it is formally introduced. Check the EPIC crypto page for this and other developments relating to encryption policy: http://www.epic.org/crypto/
 Personal Crypto Export Allowed
After more than two years of delay, the U.S. State Department has finally released new regulations allowing for limited export of cryptography. The new regulations allow American citizens to take encryption software or hardware on overseas trips if they keep maintain of the devices at all times. They are also required to keep records of the trip for five years. More information on the new regulations and other information on export controls is available at: http://www.epic.org/crypto/export_controls/
 Court Rules Against Email Privacy
A U.S. District Court in Pennsylvania ruled on January 18 that even if an employer promises not to intercept email on a company system, there is not an expectation of privacy in the email. The case underscores the question of whether the court system has an adequate understanding of the underlying technology. According to the court, the employer repeatedly told its employees that "all email communications would remain confidential and privileged" and that "e-mail communications could not be used by [the company] against its employees as grounds for termination." Even with that promise, the employer intercepted the communications of Michael Smith and fired him. The court held that: We do not find a reasonable expectation of privacy in e-mail communications voluntarily made by an employee to his supervisor over the company e-mail system notwithstanding any assurances by management. Once plaintiff communicated the alleged unprofessional comments to a second person over an e-mail system which was apparently utilized by the entire company, any reasonable expectation of privacy was lost .... we find no privacy interests in such communications. We do not find that a reasonable person would consider the defendant's interception of these communications to be a substantial and highly offensive invasion of his privacy" A copy of the decision is available at: http://www.epic.org/privacy/internet/smyth_v_pillsbury.html
 Calls Pour into PacBell Over Caller ID
Following the 9th Circuit Court of Appeals' decision on Caller ID (see Alert 3.03), California telephone companies have began a public education campaign concerning the service. The companies were required to provide customer education by the state Public Utilities Commission (PUC) before the June 1 introduction of the service. The PUC rejected the companies' first attempt to turn the education effort into an advertising campaign selling the service. According to news reports, over 100,000 people called the information lines in the first week that the advertisements ran in California newspapers. This included 22,000 people on the first day. Of that group, 13,000 requested that the companies set up permanent (per-line) blocking on their phones. The companies needed to hire more staff to field the calls after the first day. The California PUC has announced that it will appeal the 9th Circuit decision to the U.S. Supreme Court.
 State Legislatures Examine Privacy Issues
While Congress has failed to review privacy issues in recent sessions, many state legislatures are considering enacting bills to enhance personal privacy. These include: Video Surveillance - After several controversial cases, Maryland (HB 273) and California (AB2051) are considering bills that would prohibit videotaping in private places without the consent of the subject. Motor Vehicle Records - In response to the Federal DMV Privacy Act passed in 1993, Maryland (SB 538) and West Virginia are considering bills to limit access to motor vehicle records without the permission of the driver. Personal Information -- In the wake of the Avrahami case, California is considering a bill (SB1659) to prevent companies from using or distributing personal information without the consent of the individual. Email Privacy -- Colorado is considering a bill that would require private employers to notify employees about their privacy policies for electronic mail. It would also limit the availability of email that can be obtained under the state open records law (HB1199). Medical Privacy -- Maryland is considering a bill that would limit the state government's ability to collect and maintain in a single database information concerning all medical treatment in Maryland.
 Digital Telephony Funding Update
The House of Representatives will consider an amendment by Rep. Charles Schumer (D-NY) as it takes up H.R. 1710, the Comprehensive Anti-Terrorism Act of 1996. The vote on the bill is expected to take place during the week of March 11. The amendment would create a "Department of Justice Telecommunications Carrier Compliance Fund" to be used to reimburse telephone companies and manufacturers for the cost of modifying their equipment to facilitate wiretapping. Such changes are mandated by the Commun- ications Assistance for Law Enforcement Act (also known as the "digital telephony bill") enacted by Congress in late 1994. The fund would be created by imposing a 40 percent surcharge on all civil monetary penalties (except for those imposed in cases involving the IRS) assessed after the enactment of the bill. Thus, any individual, small business or corporation fined for violating any federal regulation or law (from environmental to banking to health and safety rules) would automatically have their fines increased by 40 percent. The funds would be disbursed as follows: $100 million in FY 1996; $305 million in FY1997; and $80 million in FY 1998. More information on digital telephony and the terrorism bill is available at: http://www.epic.org/privacy/wiretap/ http://www.epic.org/privacy/terrorism/
 Upcoming Conferences and Events
Technologies of Freedom: Blueprints for Action, Feb. 29-March 2, 1996. Washington, DC. Sponsored by the Alliance for Public Technology. Contact: Ruth Holder, email@example.com or http://apt.org/apt/ The Impact of Cybercommunication on Telecommunications, March 8, 1996. New York, NY. Sponsored Columbia University Institute for Tele-Information. Contact: firstname.lastname@example.org or http://www.ctr.columbia.edu/citi/register.html C|NET's Electronic Commerce Conference, March 20-22, 1996. Four Seasons Hotel, Newport Beach, California. Contact: (415) 395-7805 x. 165; email@example.com or http://www.cnet.com/Community/Econference/ Computers Freedom and Privacy '96. March 27-30, 1996. Cambridge, Mass. Sponsored by MIT, ACM and WWW Consortium. Contact firstname.lastname@example.org or http://web.mit.edu/cfp96/ Conference on Technological Assaults on Privacy, April 18-20, 1996. Rochester Institute of Technology, Rochester, New York. Papers should be submitted by February 1, 1996. Contact: Wade Robison, email@example.com, by FAX at (716) 475-7120, or by phone at (716) 475-6643. IEEE Symposium on Security and Privacy, May 6-8, 1996. Oakland, CA. Sponsored by IEEE. Contact: firstname.lastname@example.org or http://www.cs.pdx.edu/SP96. Visions of Privacy for the 21st Century: A Search for Solutions. May 9-11, 1996. Victoria, British Columbia. Sponsored by The Office of Information and Privacy Commissioner for the Province of British Columbia and the University of Victoria. Program at http://www.cafe.net/gvc/foi Australasian Conference on Information Security and Privacy June 24-26, 1996. New South Wales, Australia. Sponsored by Australasian Society for Electronic Security and University of Wollongong. Contact: Jennifer Seberry (email@example.com). Privacy Laws & Business 9th Annual Conference. July 1-3, 1996. St. John's College, Cambridge, England. Contact: Ms. Gill Ehrlich +44 181 423 1300 (tel), +44 181 423 4536 (fax). Advanced Surveillance Technologies II. Sponsored by EPIC and Privacy International. September 16, 1996. Ottawa, Canada. Contact: firstname.lastname@example.org or http://www.privacy.org/pi/conference/ 18th International Conference of Data Protection and Privacy Commissioners. September 18-20, 1996. Ottawa, Canada. Sponsored by the Privacy Commissioner of Canada. (Send calendar submissions to Alert@epic.org)
The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to email@example.com with the subject: "subscribe" (no quotes). Back issues are available via http://www.epic.org/alert/
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, email firstname.lastname@example.org, HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan. Thank you for your support.