EPIC logo




EPIC ALERT


                    Volume 3.11               May 29, 1996


Published by the
Electronic Privacy Information Center
Washington, D.C.
http://www.epic.org/


Table of Contents

[1] Children's Privacy Bill Introduced
[2] Recent Problems in Direct Marketing Industry
[3] New Medical Privacy Bill Introduced
[4] Canadian NII Panel Calls for Privacy Law
[5] Supreme Court Rejects California Caller ID Case
[6] NRC to Release Crypto Report
[7] FTC To Examine Privacy Issues
[8] Upcoming Conferences and Events       


[1] Children's Privacy Bill Introduced


On May 22, 1996, Representative Bob Franks (R-NJ) and Senator Dianne Feinstein (D-CA) introduced the Children's Privacy Protection and Parental Empowerment Act (HR 3508, S. not yet available). The bill establishes fair information practices for personal information about kids and is intended to curb recent abuses by the direct marketing industry. At a Capitol Hill press conference, Representative Franks said "commercial list companies are using that information to develop an elaborate data base on virtually every child in America. They're gathering children's complete names, ages, addresses and phone numbers -- and often even their personal likes and dislikes." As with other privacy laws in the United States, the CPPPEA focuses on a particular industry sector, in this case list brokers who collect and sell personal information on children. The Children's Privacy Protection and Parental Empowerment Act would: -- Prohibit the sale or purchase of personal information about children without parental consent; -- Require list brokers and solicitors to disclose to parents, upon request, the source and content of personal information on file about their children; -- Require list brokers to disclose to parents, upon request, the names of persons or entities to whom they have distributed personal information on that parent's child; -- Prohibit prisoners and convicted sex criminals from processing the personal information of children; -- Prohibit any exchange of children's personal information that one has a reason to believe will be used to harm or abuse a child; -- Preserve all common law privileges, and statutory and Constitutional privacy rights; and -- Establish civil remedies and criminal penalties for violations of the Act. More information about the CPPPEA is available at: http://www.epic.org/privacy/kids/


[2] Recent Problems in Direct Marketing Industry


The Children's Privacy bill grows out of reports on recent abuses in the marketing industry. In one case, a news reporter for KCBS-TV in Los Angeles ordered a list of the names, addresses and phone numbers of 5,000 Los Angeles children from the nation's largest distributor of lists, Metromail. It placed the order in the name of Richard Allen Davis, the man currently on trial for kidnapping 12-year-old Polly Klaas from her Sausalito home and murdering her. After providing a fake name, mailing address and a disconnected phone number, the list arrived the next day. The cost -- just $277, cash on delivery. In another case, the direct marketing firm Metromail faces a class action suit in Texas where the company used prison inmates to process personal data gathered from consumers. Beverly Dennis, a 47-year-old Ohio woman, received threatening and highly offensive telephone calls from a convicted sex offender. Dennis v. Metromail Corporation, Texas District Court, No. 96-04451, April 18, 1996). A report from the Center for Media Education also found that one data-gathering company adds 67,000 children's names each week. Other firms sell segmented lists on grade school children and pre-school children. Opinion polls also reveal strong public opposition to the unregulated sale of personal data: -- A 1991 Time/CNN poll found that 93% of American consumers believe "companies that sell information to others should be required by law to ask permission from individuals before making the information available;" -- In the same poll, 90% said that "companies that collect and sell personal information should be prohibited by law from selling information about household income," and 68% said that companies "should be prohibited by law from selling information about product purchases." It is not hard to guess what the poll numbers would say about the sale of data on children. In a related matter, Ram Avrahami's case is scheduled to be heard by a Virginia judge on June 6. For more information on the case, see: http://www.epic.org/privacy/junk_mail/


[3] New Medical Privacy Bill Introduced


On May 16, 1996, Rep. Jim McDermott (D-WA) introduced the "Medical Privacy in the Age of New Technology Act of 1996." The bill is designed to "ensure strong protections for the confidentiality of patient health care information and take into account the threats to privacy created by emerging technologies and the computerization of medical records." The new bill covers all types of medical information including genetic information. It requires informed consent before a patient's personal information can be transferred to any other party, except in very limited circumstances. Patients would be allowed to examine and correct their records. Guidelines are set to ensure the security of records. Unlike previously introduced legislation, S. 1360, under the new bill states are not prevented from enacting stronger laws. The bill was introduced after the House of Representatives approved a bill providing for "administrative simplification" of medical records. (See EPIC Alert 3.08, "House Passes Health Care Bill") and the Senate debated S. 1360, introduced by Senator Bennett. The new bill provides for a much higher level of privacy protection than either of those two measures. The bill has been embraced by consumer groups such as the Coalition for Patient Rights, which describes it as the strongest medical privacy bill introduced to date. It was referred to the Commerce Committee for review. More information on the McDermott bill and medical privacy is available at: http://www.epic.org/privacy/medical/


[4] Canadian NII Panel Calls for Privacy Law


A report from the Canadian Information Highway Advisory Counsel (IHAC) calls for the establishment of legal standards to protect privacy on the information highway. The report, "Building the Information Society: Moving Canada into the 21st Century," states that "the right to privacy must be recognized in law, especially in an electronic world of private databases where it is all too easy to collect and exploit information about individual citizens." The report follows a lengthy consultation process that began in 1994 with the early policy development for the Canadian Information Infrastructure (See EPIC Alert 1.07, "Canadian Gov't Releases Discussion Paper on NII Privacy"). The IHAC recommends building on a standard developed by the Canadian Standards Association that has won praise from privacy advocates, consumer groups, business and the health care industry. The CSA Model Code is based on ten principles that could apply to all technologies and types of businesses. Canadian Privacy Commissioner Bruce Phillips commended the report and said that national standards would protect the privacy rights of Canadians, give clear guidance to business, and promote commerce with trading partners that have also established strong privacy safeguards. The report of the Canadian Information Highway Advisory Counsel is available at: http://info.ic.gc.ca/info-highway/society/toc_e.html The Office of the Privacy Commissioner of Canada has a web page at: http://infoweb.magi.com/~privcan/


[5] Supreme Court Rejects California Caller ID Case


The Supreme Court has declined to review an appeals court ruling that held that lax FCC Caller ID privacy safeguards could preempt stronger state protections. (See EPIC Alert 3.07, "California PUC Files Supreme Court Appeal on Caller ID Decision"). But Pacific Bell and the California Public Utility Commission both report that millions of California telephone subscribers are taking matters into their own hands, and selecting permanent call blocking for their lines. According to Pacific Bell, at least three million customers have selected the complete blocking option and that number is expected to rise. California has the highest percentage of unlisted phone subscribers in the country. (See EPIC Alert 3.05, "Calls Pour into PacBell Over Caller ID"). It will be interesting to see if the blocking technology works as promised. Several states encountered serious problems when Caller ID was first introduced. (See EPIC Alert 2.04, "Caller ID Privacy Protection Fails in Two More States", EPIC Alert 2.05, "Caller ID Snafus Continue: FCC Delays Implementation"). The FCC Caller ID rule is available at: http://www.epic.org/privacy/caller_id/fcc_final.html


[6] NRC to Release Crypto Report


The long-awaited report of the National Research Council on encryption policy is expected to be released tomorrow. "Cryptography's Role in Securing the Information Society" will be released at a public briefing at the National Press Club, 14th and F Streets, N.W., Washington, D.C., at 1:00 pm, on Thursday, May 30. Committee members will respond to questions from attendees, and a limited number of pre-publication copies of the report will be available at that time. The committee also intends to conduct a second public briefing on the report in Menlo Park, California at SRI International. The briefing will be held in the Auditorium of the International Building from 10:00 to 11:00 am on Wednesday, June 5. The address is 333 Ravenswood Avenue, Menlo Park, California, 94025. For more information about the briefing at SRI, contact Alice Galloway at 415-859-2711. EPIC commends the NRC for its efforts to make the report widely available to the public. We hope the report will offer a new direction for national cryptography policy. More information about the NRC report is available at: http://www2.nas.edu/cstbweb/


[7] FTC To Examine Privacy Issues


The Federal Trade Commission's Bureau of Consumer Protection will hold a public workshop on Consumer Privacy on the Global Information Infrastructure on June 4-5, 1996. Topics to be discussed include: -- The Use of Consumer Information -- Electronic Regimes for Protecting Consumer Privacy Online -- Consumer and Business Education in Online Privacy Issues -- The Use of Medical and Financial Information Online -- The Impact of the European Commission's Council Directive on the Protection of Personal Data -- The Collection and Use of Information about Children The workshop will be held on June 4, 1996, from 9:00 am to 5:00 pm (Room 432) and on June 5, 1996, from 9:00 am to 12:30 pm (Room 332), at the Federal Trade Commission, Sixth Street and Pennsylvania Avenue, N.W., Washington, DC 20580. Requests to participate in the workshop should be mailed, on or before May 26, 1996, to Martha Landesberg. EPIC wrote to the FTC in December 1995 and urged the Commission to investigate the misuse of personal data by the direct marketing industry, particularly the sale of data about children. EPIC recommended that the FTC examine several issues including: -- The collection and sale of personal data within the marketing industry and whether current trade practices violate federal or state law; -- Whether the Mail Preference Service actually protects the privacy interests of consumers or whether there are there better and simpler methods for consumers to control personal data; -- The sale of direct marketing lists to federal and state investigative agencies and whether these practices violate privacy rights and should be regulated or prohibited; and -- Whether new technologies for anonymous and pseudo-anonymous payment schemes coupled with enforceable legal rights could help ensure the development of on-line commerce that promotes business opportunity and protects personal privacy. The Federal Register Notice Announcing the Workshop Agenda is available at: http://www.ftc.gov/bcp/privacy/frdoc.htm The complete EPIC letter to the FTC is available at: http://www.epic.org/privacy/internet/ftc/ftc_letter.html


[8] Upcoming Conferences and Events


Consumer Privacy on the Global Information Infrastructure. June 4-5, 1996. Washington, DC. The Federal Trade Commission's Bureau of Consumer Protection. Contact Martha Landesberg (202) 326-2825 or mlandesberg@ftc.gov. Privacy Issues Forum 1996. June 13, 1996. Privacy Commissioner of New Zealand. Christchurch, New Zealand. Email privacy@conventionmgmt.co.nz Practicing Law Institute's 16th Annual Institute on Computer Law: Understanding the Business and Legal Aspects of the Internet, June 17-18, 1996, San Francisco. info@pli.edu for info--or call 800/477 0300. Personal Information - Security, Engineering and Ethics. June 21-22 , 1996. Isaac Newton Institute, Cambridge. Sponsored by Cambridge University and British Medical Association. Paper submission due 10 May 1996. Contact: Ross Anderson (rja14@newton.cam.ac.uk). Australasian Conference on Information Security and Privacy. June 24-26, 1996. New South Wales, Australia. Sponsored by Australasian Society for Electronic Security and University of Wollongong. Contact: Jennifer Seberry (jennie@cs.uow.edu.au). The Internet: Transforming our Society Now. June 25-28, 1996. Montreal Convention Center, Montreal (Quebec), Canada. The Internet Society. http://info.isoc.org:80/conferences/inet96/. Email: tdeliduka@conference.com Privacy Laws & Business 9th Annual Conference. July 1-3, 1996. St. John's College, Cambridge, England. Contact: Ms. Gill Ehrlich +44 181 423 1300 (tel), +44 181 423 4536 (fax). DEF CON IV. July 26-28. Los Vegas, NV. Annual Hacker Convention. Contact: dtangent@defcon.org or http://www.defcon.org/. Surveillance Expo 96. August 19-21. McLean, Virginia. Sponsored by Ross Associates. Contact: Marilyn Roseberry 703-450-2200. Fifth International Information Warfare Conference, "Dominating the Battlefields of Business and War", September 5-6, 1996. Washington, DC. Sponsored by Interpact, NCSA, OSS. Contact: infowar96@ncsa.com Advanced Surveillance Technologies II. Sponsored by EPIC and Privacy International. September 16, 1996. Ottawa, Canada. Contact: http://www.privacy.org/pi/conference/ottawa/ or email pi@privacy.org. 18th International Conference of Data Protection and Privacy Commissioners. September 18-20, 1996. Ottawa, Canada. Sponsored by the Privacy Commissioner of Canada (Send calendar submissions to Alert@epic.org)
The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes). Back issues are available via http://www.epic.org/alert/
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, email info@epic.org, HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan. Thank you for your support.