EPIC logo

       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 5.14	                                 October 13, 1998
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] Congress Expands Surveillance Authority
[2] Child Protection Bill Includes Privacy Loophole
[3] Digital Millennium Copyright Act Sent to President
[4] GILC Convenes Policy Conference in Ottawa
[5] NGOs Issue Declaration at OECD Conference
[6] National DNA Database Goes Online
[7] New Bills and Actions in Congress
[8] Upcoming Conferences and Events
[1] Congress Expands Surveillance Authority
The House and the Senate last week approved legislation that would
expand wiretapping and the collection of personal information by law
enforcement and intelligence agencies.  The bill, H.R. 3694 -- the
Intelligence Authorization Act for Fiscal Year 1999 -- funds the
operations of the intelligence agencies, which reportedly received a
funding increase to expand signals intelligence and analysis.  The
total budget figures are classified.
The bill authorizes the expansion of the use of roving wiretaps, which
allow law enforcement to wiretap multiple telephones to intercept the
communications of a single person who is using different phones.  Under
the revisions, law enforcement agencies are no longer required to
demonstrate in court that the person is deliberately switching phones
to avoid interception, only that there is "probably cause that the
person's actions could have the effect of thwarting interception."
Under current law, roving taps are uncommon -- there were twelve roving
taps authorized in 1997, three in 1996, and four in 1995.
The bill also authorizes the Attorney General to ask the Foreign
Intelligence Surveillance Court to issue orders placing pen registers
and trap and trace devices on telephones "to gather foreign
intelligence or information concerning international terrorism."  If
Congress declares war on any country, a court order will not be
required.  The number of orders will not be disclosed, except to the
House and Senate Intelligence Committees.
The bill also increases access to records held by businesses in the
name of national security.  Under the new law, the FBI will be able to
obtain information on individuals from travel records,  hotel
information, and storage facilities with an order from the Foreign
Intelligence Surveillance Court.
The bill has been sent to President Clinton for his signature; the
President has expressed his intent to sign the bill into law shortly.
[2] Child Protection Bill Includes Privacy Loophole
Congress has enacted legislation requiring Internet service providers
(ISPs) to report to law enforcement all suspected activities involving
child pornography.  The "Child Protection and Sexual Predator
Punishment Act," which passed the House on October 12 and the Senate on
October 9, carves out a new exception to provisions of the Electronic
Communications Privacy Act (ECPA) protecting the confidentiality of
e-mail.  While ECPA generally requires the government to obtain a
search warrant before obtaining the "contents" of a communication, the
new legislation appears to waive that requirement where the presence of
child pornography is suspected.
Under the "Child Protection Act," whenever an ISP "obtains knowledge of
facts or circumstances from which a violation of [child pornography
laws] is apparent," it must report such information to a law
enforcement agency. The law does not establish any standard of proof
that must be met, and creates substantial disincentives for
under-reporting; ISPs could be fined up to $50,000 for the first
failure to report suspicious activity, and up to $100,000 for each
subsequent failure to contact law enforcement authorities.  While not
requiring ISPs to turn over detailed information on the activities of
subscribers, the legislation clearly permits such disclosures.  It
provides, for example, that an ISP's report "may include additional
information or material developed by [the ISP], except that the Federal
Government may not require the production of such information or
Subscribers will have little recourse if an overzealous ISP improperly
discloses confidential information; the bill provides that no ISP
"shall be held liable on account of any action taken in good faith to
comply" with the reporting requirement.
[3] Digital Millennium Copyright Act Sent to President
On October 12, the House of Representatives approved legislation to
update copyright law for digital media (H.R. 2281).  The bill will now
be sent to the White House where President Clinton is expected to sign
it into law. The Senate approved the bill last week.  The legislation
creates criminal penalties for circumventing copyright protection
systems and also forbids the manufacture, import, sale or distribution
of devices or services used for circumvention.
In response to the concerns of cryptographers and security experts,
limited exemptions for circumventing for the purposes of security
testing or encryption research were included.  However, there still
remain concerns that the exemptions are too limited and will prevent
the development and use of necessary research and security tools.
The bill also contains an exemption that allows circumvention if "the
technological measure, or the work it protects, contains the capability
of collecting or disseminating personally identifying information
reflecting the online activities" of a user who seeks to gain access to
the work protected.  The circumvention is only allowed to disable the
information collecting program.  This provision was added after EPIC
testified about the threats to personal privacy presented by the bill.
The EPIC testimony stressed that users needed the ability to remove
cookies, or other information collecting technologies, which also may
be used as copyright protection measures.
EPIC's testimony can be found at:
[4] GILC Convenes Policy Conference in Ottawa
The Global Internet Liberty Campaign (GILC) sponsored a conference on
"The Public Voice in the Development of Internet Policy" in Ottawa,
Canada on October 7.  More than 140 people from a dozen different
countries attended the day-long symposium.  The conference occurred
just prior to an OECD Ministerial conference on electronic commerce.
John Manley, the Canadian Minister of Industry and chair of the OECD
conference on Electronic Commerce, opened the Public Voice conference
and thanked GILC for bringing together NGOs.  Mr. Manley stated that
the GILC conference presented an excellent opportunity to bring diverse
public interest groups together in a structured forum to discuss the
development of global policy for electronic commerce.
According to Mr. Manley, the GILC concerns have been heard by the OECD
ministers and there is a link between the two conferences and the OECD
conference should benefit from a diversity of voices regardless of
frontiers. In his conclusion Mr. Manley emphasized the importance of a
"global village," and showed his desire to have a "cyber marketplace"
which is available to wealthy and poor.  "We gather from many countries
to develop e-commerce in the global village.  Our challenge is much
broader today.  Access to the Internet should be available to all and
at a stage where half of the world population did not make a telephone
call, this remains a very important challenge for consumers and
Mr. Manley was followed by David Johnston, the former Chair of the
Canadian Information Highway Advisory Council and former Provost of
McGill University.  According to Mr. Johnston, "we need to establish an
environment where innovation can thrive, which recognizes that ideas
and innovation are keys to wealth creation and institutional adoption,
where change is not feared and strangled."  Also governments are
challenged to adopt themselves in the information age and better
understanding of the new technologies are needed.
Next was a panel on Consumer Protection, chaired by Karen Coyle of
CPSR, that included Benoit De Bayer (Centre de droit de la
consummation, Belgium), Phillip McKee (National Consumer's League,
USA), Nathalie St. Pierre, (Fédération Nationale des Associations de
Consommateurs du Quebec), Louise Sylvan (Vice President of Consumers'
International and Chief Executive of the Australian Consumers'
Association) and Bjorn Erik Thon (Consumer Council of Norway).
The second panel focused on Free Speech and Access. It was chaired by
Barry Steinhardt of the Electronic Frontier Foundation and featured
Yaman Akdeniz (Cyber-Rights and Cyber-Liberties UK), Pippa Lawson
(Public Interest Advocacy Center), Meryem Marzouki (Imaginons un Reseau
Internet Soldaire), Sid Shniad (BC Telecommunications Workers Union),
Rigo Wenning (Fîrderverein Informationstechnik undGesellschaft), and
James Dempsey (Center for Democracy and Technology).
The luncheon speaker was Stephen Lau, the privacy commissioner for Hong
Kong. Mr. Lau spoke about the need to protect dignity in the on-line
The third panel was chaired by Deborah Hurley, director of the Harvard
University Information Infrastructure Project, and looked at issues
related to Privacy and Encryption.  Speakers on this panel included
David Banisar (Electronic Privacy Information Center), Ulf Bruhan
(European Commission, DG XV), David Jones (Electronic Frontier Canada
and Computer Science Professor, McMaster University), Viktor
Mayer-Schonberger (University of Vienna, Austria and Kennedy School of
Government, Harvard University), and Jim Savary (York University).
The final panel was on Human Rights in the Twenty-First Century and was
chaired by Marc Rotenberg of the Electronic Privacy Information Center.
The speakers were Harry Hochheiser (Computer Professionals for Social
Responsibility), Jagdish Parikh (Human Rights Watch), Edwin Rekosh
(Public Interest Law Initiative in Transitional Societies), Felipe
Rodriguez (Electronic Frontiers Australia) and Laurie Wiseberg (Human
Rights Internet).
The GILC participants and other NGOs representatives produced a
statement that was later forwarded to the OECD Ministers (see below).
Complete conference reports are available at the conference report page:
[5] NGOs Issue Declaration at OECD Conference
Consumer, labor, civil liberties, and research organizations joined
together last week in support of a letter addressed to Organization for
Economic Co-operation and Development (OECD) Ministers on the future of
Internet policy.  Representatives of more than twenty non-governmental
organizations (NGOs) from eight countries signed the statement.
The NGOs urged the establishment of a permanent Public Interest
Advisory Committee (PIAC), similar in type and function to business and
labor groups that currently advise the OECD.  The group said that the
Committee should include representatives of public interest groups in
the fields of human rights and democracy, privacy and data protection,
consumer protection, and access. The group said that the promotion of
electronic commerce "must be considered within the broader framework of
protection of human rights, the promotion and strengthening of
democratic institutions, and the provision of affordable access to
advanced communication services."
The group made the following recommendations to the OECD:
- Authentication and certification: All OECD member countries should
implement and enforce the 1992 OECD Guidelines for the Security of
Information Systems, particularly the Principles on Democracy, Ethics,
and Proportionality.  The OECD should also consider issues of
authentication and certification within the context of consumer
protection and privacy protection.  Policies and practices that
disregard consumer and privacy concerns will ultimately undermine
public trust.
- Cryptography: The OECD should promote implementation of the
Cryptography Guidelines of 1997 and urge the removal of all controls on
the use and export of encryption and other privacy enhancing
techniques.  Trust requires the widespread availability of the
strongest means to protect privacy and security.
- Protection of privacy: The OECD should urge member states to
implement fully and develop means to enforce the Privacy Guidelines of
1980.  The OECD Guidelines provide an essential framework to establish
consumer trust in online transactions.  Self-regulation has failed to
provide adequate assurance. The group further recommended efforts to
promote anonymity and minimize the collection of personal information
so as to promote consumer confidence.
- Consumer protection: The OECD should support the establishment of
minimum standards for consumer protection, including the simplification
of contracts, means for cancellation, effective complaint mechanisms,
limits on consumer liability, non-enforceability of unreasonable
contract provisions, recourse at least to the laws and courts of their
home country, and cooperation among governments in support of legal
redress. Such minimal standards should provide a functional equivalence
to current safeguards, offering at least the same levels of protection
that would be afforded in the off-line world.
- Intellectual property: The framework for intellectual property
protection should be based upon mechanisms that are least intrusive to
personal privacy, and least restrictive for the development of new
- Internet governance: Governments should foster Internet governance
structures that reflect democratic values and are transparent and
publicly accountable to users.  Standards processes should be open and
should foster competition.
- Taxation: At the Ottawa ministerial Conference, Charles Rossotti,
Commissioner of the United States Internal Revenue Service, spoke of
the creation of a Tax Advisory Group, in which government and
businesses will participate.  Similarly, the public interest groups
should be invited to participate in this advisory group.
- Employment: Impacts on employment must be evaluated and taken fully
into account in all discussions and negotiations.
Finally, the group recommended continued support for the OECD Committee
for Consumer Policy.
The following versions of the NGO letter are available:
http://www.gilc.org/speech/oecd/ngo-oecd-letter-1098.html (English)
http://www.gilc.org/speech/oecd/ong-lettre-ocde-1098.html (French)
[6] National DNA Database Goes Online
An FBI database of the DNA of up to a million convicted criminals
>from all fifty states will be activated on October 13, according to
published reports.  States will provide data to the National DNA
Identification System and share the DNA information.  Investigators
will be able to upload DNA crime scene samples to the nationwide
system and locate matches.
The federal DNA Identification Act of 1994 limits the database to DNA
>from convicted criminals.  Access will be restricted to law
enforcement agencies and court orders will be required to use the
information in judicial proceedings.  For security reasons, the
physical location of the database will not be disclosed.
DNA collection has been controversial, as it singles out individuals
based upon past criminal activity.  The practice varies from state to
state; every state collects DNA of sex offenders, while they differ
on whether they collect the DNA of other criminals, including
murderers, robbers and those who commit crimes against children.
White-collar criminals are universally excluded from collection.
In recent years, millions of dollars have been set aside in the
federal budget for "DNA Identification State Grants."  The grants
were made contingent on the state databases being networked with
federal computer systems.
In an August ruling that invalidated the Massachusetts "DNA Seizure
and Dissemination Act," the State Superior Court held that the
involuntary seizure of DNA samples from prisoners, parolees, and
probationers without probable cause violates both the Fourth
Amendment of the U.S. Constitution and Article 14 of the
Massachusetts Constitution.
[7] New Bills and Actions in Congress
* NOTE: Several important measures, including the "CDA II" Internet
censorship legislation, remain pending in Congress.  Final
Congressional action will be reported in the next issue of the Alert.
H.R. 4651. Federal Criminal Law Improvements Act of 1998. Allows
wiretapping for money laundering offenses, disclosure of illegally
obtained wiretap information. Introduced by McCullum (R-FL) on
September 28. Referred to the Committee on the Judiciary.
H.R. 4667. Electronic Privacy Bill of Rights Act of 1998. Limits
collection of personal information of children under 13. Gives FTC
enforcement power. Orders FTC and FCC to hold proceedings on
electronic privacy. Introduced by Markey (D-MA) on October 1.
Referred to the Committee on Commerce. Text included in H.R. 3783 and
approved by the House.
S.2529. The Patients' Bill of Rights Act of 1998. Sets limited rules
on patient records privacy. Introduced by Daschle (D-SD) on September
29. Placed on Senate Calendar October 2.
S.2536. International Crime and Anti-Terrorism Amendments of 1998.
Allows for wiretaps in computer crime cases. Introduced by Hatch
(R-UT). Placed on the Calendar On October 1.
[8] Upcoming Conferences and Events
Privacy Pandemonium: What the EU's Privacy Directive Means for the
United States. October 16. Washington, DC. Sponsored by the Cato
Instutute. Contact: jenyep@cato.org.
1998 UK Big Brother Awards. October 26. London School of Economics,
London, UK. Sponsored by Privacy International. Contact:
Symposium on Infowar and Civil Liberties. October 26. National Press
Club, Washington, D.C. Sponsored by EPIC and FCG. Contact:
Encryption Controls Workshop. Bedford, MA, October 29. Sponsored by
U.S. Department of Commerce. Contact: (202) 482-6031.
PDC 98 - the Participatory Design Conference, "Broadening
Participation" November 12-14. Seattle, WA.  Sponsored by Computer
Professionals for Social Responsibility in cooperation with ACM and
CSCW 98. Contact: http://www.cpsr.org/conferences/pdc98
Data Privacy in the Global Age.  November 13.  Milwaukee, WI. Sponsored
by ACLU of Wisconsin Data Privacy Project. Contact: Carole Doeppers
Computer Ethics. Philosophical Enquiry 98 (CEPE'98). December 14-15.
London, UK. Sponsored by ACMSIGCAS and London School of Economics.
1999 RSA Data Security Conference. January 18-21, 1999. San Jose, CA.
Sponsored by RSA. Contact: http://www.rsa.com/conf99/
FC '99  Third Annual Conference on Financial Cryptography. February
22-25, 1999 Anguilla, B.W.I. Contact: http://fc99.ai.
Computers, Freedom and Privacy (CFP) '99. April 6-8, 1999. Washington,
DC. Sponsored by ACM. Contact: info@cfp99.org.
1999 EPIC Cryptography and Privacy Conference. June 7, 1999.
Washington, DC. Sponsored by EPIC. Contact: info@epic.org.
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center.  To subscribe or unsubscribe, send email
to epic-news@epic.org with the subject: "subscribe" (no quotes) or
"unsubscribe". A Web-based form is available at:
Back issues are available at:
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC is sponsored by the Fund for Constitutional Government, a
non-profit organization established in 1974 to protect civil liberties
and constitutional rights.  EPIC publishes the EPIC Alert, pursues
Freedom of Information Act litigation, and conducts policy research.
For more information, e-mail info@epic.org, http://www.epic.org or
write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC
20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully tax-
deductible.  Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington DC 20003. Individuals with First Virtual
accounts can donate at http://www.epic.org/epic/support.html
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and funding of the digital wiretap law.
Thank you for your support.
  ---------------------- END EPIC Alert 5.14 -----------------------

Return to:

Alert Home Page | EPIC Home Page