
       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 6.01	                                 January 20, 1999
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] Internet Censorship Goes on Trial (Again)
[2] Crypto Update: US Issues New Export Rules, French Drop Restrictions
[3] Supreme Court Rules on Anonymity
[4] EU Releases Report on Privacy Adequacy
[5] GAO Finds IRS Security Lacking
[6] EPIC Bookstore
[7] EPIC Bill-Track: New Bills in Congress
[8] Upcoming Conferences and Events
[1] Internet Censorship Goes on Trial (Again)
In the second challenge to a federal Internet censorship law, a
three-day hearing began today in United States District
Court in Philadelphia.  At issue is the constitutionality of the Child
Online Protection Act (COPA), the statutory successor to the
Communications Decency Act (CDA), which the Supreme Court struck down
in June 1997.  The lawsuit was filed by the American Civil Liberties
Union, the Electronic Privacy Information Center and the Electronic
Frontier Foundation as co-counsel on behalf of 17 individuals and
During the hearing, the plaintiffs will present the testimony of seven
witnesses, including Vanderbilt University Prof. Donna Hoffman; Dan
Farmer, network security director for Earthlink online service;  CNET
Vice President Christopher Barr (representing the Internet Content
Coalition); and Los Angeles Times columnist Larry Magid.
On November 19, U.S. District Judge Lowell A. Reed issued a
temporary restraining order (TRO) against enforcement of COPA, which
imposes criminal penalties against any "commercial" website that makes
material that is "harmful to minors" available to anyone under 17
years of age.  The TRO remains in effect until February 1, by which
time the court will decide whether to issue a preliminary injunction
against the law.
The COPA lawsuit -- ACLU v. Reno II -- is the latest legal challenge
to Internet censorship laws.  In June 1996, the same federal court in
Philadelphia struck down the CDA, a decision unanimously upheld by the
U.S. Supreme Court.  In enacting COPA, Congressional supporters
claimed that the new law corrected the constitutional defects of the
CDA.  Several federal courts have also found state laws seeking to
regulate online content unconstitutional.
Complete information on the legal challenge, including daily updates
from the courthouse in Philadelphia, will be available at:
[2] Crypto Update: US Issues New Export Rules, French Drop Restrictions
* US Revises Export Controls *
The US Department of Commerce issued new interim regulations on
encryption export controls on December 31, 1998. The new regulations,
which were announced in September, are targeted towards
large corporations. Exports of strong encryption used for private,
non-commercial reasons are still strictly limited.
The new rules:
    Allow export of software-based 56-bit encryption programs
      including DES. On January 19, a cracking contest sponsored by RSA
      broke DES in 21 hours.
    Allow exports of products of any key length to insurance companies,
      medical end-users, and online merchants (only for buying and selling
      goods) under the current exception available for banks.
    Allow export to US subsidiaries for "internal company proprietary
      use" and provide favorable rules for exporting to partners
      of American companies.
    Remove some of the licensing requirements on export of key
      escrow/key recovery systems.
Comments on the rules are due March 1, 1998. A copy of the rules is
available at:
* France Announces Major Crypto Liberalization *
French Prime Minister Lionel Jospin announced on January 19 that the
French government is relaxing its current restrictive policy on
encryption. Under the new policy, a key escrow system of "Trusted Third
Parties" will no longer be required for domestic use. The 1996 law
requiring TTPs will not be implemented. Users will be able to use up to
128-bit encryption without restrictions until a new law which
eliminates all restrictions is enacted. However, technical capabilities
for investigations will be expanded.
The announcement is available in French at:
[3] Supreme Court Rules on Anonymity
On January 12, 1999 the Supreme Court held that Colorado's ballot
access regulations unjustifiably inhibited the circulation of
ballot-initiative petitions. Of particular interest to those following
privacy issues, the Supreme Court upheld the ruling of the Tenth
Circuit that the requirement of petition circulators to display their
names on a badge violated the First Amendment.
A lower court had found that compelling circulators to wear
identification badges inhibited participation in the petition process.
The Supreme Court agreed. Writing for the majority, Justice Ginsburg
said "The injury to speech is heightened for the petition circulator
because the badge requirement compels personal identification at the
precise moment when the circulator's interest in anonymity is greatest."
The Supreme Court said that the availability of a signed affidavit
satisfied the state's interest in enabling the public to identify and
the state to apprehend petition circulators who engage in misconduct.
The Court's opinion in Buckley v. American Constitutional Law
Foundation follows the 1995 decision in McIntyre v. Ohio Election
Commission in which the Supreme Court held that the state of Ohio could
not ban the distribution of anonymous campaign literature.
Justice Ginsburg delivered the opinion of the Court. Justice Thomas
concurred in the judgement. Justice O'Connor, joined by Justice Breyer,
concurred in part and dissented in part. Justice Rehnquist dissented.
Web-accessible at:
[4] EU Releases Report on Privacy Adequacy
The European Union has released a new report on transborder data flows
of personal information and the adequacy of protections in non-EU
countries. The report "Application of a methodology designed to assess
the adequacy of the level of protection of individuals with regard to
processing personal data: test of the method of several categories of
transfer"  was written by four international experts in privacy law:
Charles Raab, Colin Bennett, Robert Gellman, and Nigel Waters. It
reviews the flow of information relating to human resources, airline
reservation systems, medical and epidemiological data, electronic
commerce and sub-contracted data processing in six countries -
Australia, Canada, Hong Kong, Japan, New Zealand and the United
The report found that US companies in most of those industries do
not meet fair information practices. There are almost no applicable
laws in the US that govern privacy protections in those areas.
What few protections are generally available are based on
internal practices of companies or industry guidelines based on
self-regulation which may not be fully applied. Enforcement is also a
major problem, because the US lacks any official body which can provide
The report highlights the problems US residents continue to have in
protecting their privacy.  While the US Department of Commerce
continues to lobby the EU not to enforce its Privacy Directive
requirements, privacy protection in the US languishes. The EU is likely
to take this into consideration in its talks with the US.
The full report in PDF format (218 pages) is available at:
[5] GAO Finds IRS Security Lacking
The General Accounting Office (GAO) issued a report on January 14
finding that the IRS has made progress but has not yet fully
implemented effective security controls on its systems that contain
sensitive taxpayer information.
The GAO report on IRS Systems Security was sent on December 14,
1998 to Senator Fred Thompson, chairman of the Senate Government
Affairs Committee. The watchdog congressional agency concluded that
security weaknesses at the IRS "expose taxpayers to an increased risk of
loss and damages due to identity theft and other financial crimes
resulting from the unauthorized disclosure and use of information they
provide to IRS." The GAO audit of the IRS was prompted by revelations
that the tax collection agency failed to protect sensitive personal
tax information from the prying eyes of private investigators,
unscrupulous IRS employees, and plain curiosity seekers.
The GAO cited cases in which unauthorized IRS employees could change,
alter, or delete taxpayer data. Also, tapes and diskettes containing
sensitive taxpayer information were not overwritten prior to reuse or
disposal and several hundred are missing. This weakness could allow
unauthorized access to information remaining on the magnetic media. The
GAO also hit IRS for failing to encrypt links transmitting sensitive
taxpayer information. This has been a common problem for taxpayers
who wish to electronically file tax data with the IRS but have been
stymied by government attempts to mandate the use of unpopular key
escrow/recovery programs within civilian agencies like the IRS.
The full report "IRS System Security: Although Significant
Improvements Made, Tax Processing Operations and Data Still at
Serious Risk" is available at:
[6] EPIC Bookstore
In light of the COPA hearing in Philadelphia this week, in this Alert,
the EPIC Bookstore focuses on free speech. Browse our cyber shelves
for the titles below, and many other great books on free speech,
privacy, and civil liberties at the Internet's only bookstore devoted
to online freedom. Shipping, discounts, and gift-wrapping provided.
** Books **
The Irony of Free Speech by Owen M. Fiss
While lawmakers, both liberal and conservative, argue that the state's
attempts to limit everything from hate speech to indecency on the
Internet and contributions to political campaigns confine individual
freedom, Owen M. Fiss, a Sterling Professor at Yale Law School,
believes that censorship, to some degree, enhances freedom by
broadening "the terms of public discussion." Victims of hate speech
and pornography, he contends, are often silenced out of fear or low
self-worth, inhibiting their full participation not only in
deliberation but also in life. Silencing the voices of some in order
to hear the voices of others, he maintains, is often the only way to
reinforce public debate.
Fighting Words: Individuals, Communities, and Liberties of Speech by
Kent Greenawalt
Should "hate speech" be made a criminal offense, or does the First
Amendment oblige Americans to permit the use of epithets directed
against a person's race, religion, ethnic origin, gender, or sexual
preference? Does a campus speech code enhance or degrade democratic
values? When the American flag is burned in protest, what rights of
free speech are involved? In a lucid and balanced analysis of
contemporary court cases dealing with these problems, as well as those
of obscenity and workplace harassment, acclaimed First Amendment
scholar Kent Greenawalt now addresses a broad general audience of
readers interested in the most current free speech issues.
These and other titles are available for purchase online at the EPIC
[7] EPIC Bill-Track: New Bills in Congress
H.R.10. Financial Services Act of 1999. Major bank, securities etc.
merger bill. Requires FTC to issue interim reports on consumer
privacy. Sponsor: Leach (R-IO). Referred to the Committee on Banking
and Financial Services, and in addition to the Committee on Commerce.
H.R.30. Financial Information Privacy Act of 1999. To protect
consumers and financial institutions by preventing personal financial
information from being obtained from financial institutions under
false pretenses. Sponsor: Leach (R-IO). Referred to the Committee on
Banking and Financial Services.
H.R.97. Personal Privacy Protection Act. Stalkerazzi bill. Prohibits
physical intrusion into privacy for commercial purposes (aka press).
Exempts law enforcement. Sponsor: Rep Conyers, John, Jr. (D-MI)
(introduced 01/06/99). Referred to the Committee on the Judiciary.
H.R.180. Integrity in Voter Registration Act of 1999. A bill to amend
the National Voter Registration Act of 1993 to require each individual
registering to vote in elections for Federal office to provide the
individual's Social Security number. Sponsor: Rep McCollum, Bill
(R-FL). Referred to the Committee on House Administration.
H.R.191.  Creates tamperproof Social Security Card (aka National ID
Card) used for employment verification. Sponsor: Rep McCollum, Bill
(R-FL). Referred to the Committee on the Judiciary, and in addition to
the Committee on Ways and Means.
H.R.279.  Federal Employment Applicant Drug Testing Act. Requires drug
testing of all applicants for federal jobs. Sponsor: Rep Sweeney, John
E. Referred to the Committee on Government Reform.
H.R.306. Genetic Information Nondiscrimination in Health Insurance Act
of 1999. A bill to prohibit discrimination against individuals and
their family members on the basis of genetic information or a request
for genetic services. Referred to the Committee on Commerce, and in
addition to the Committees on Ways and Means, and Education and the
H.R.307.  A bill to amend section 552a of title 5, United States Code,
to provide for the maintenance of certain health information in cases
where a health care facility has closed or a health benefit plan
sponsor has ceased to do business. Sponsor: Rep Towns, Edolphus.
Referred to the Committee on Government Reform.
H.R.313. Consumer Internet Privacy Protection Act of 1999. A bill to
regulate the use by interactive computer services of personally
identifiable information provided by subscribers to such services.
Sponsor: Rep Vento, Bruce F. (D-MN). Referred to the Committee on
H.R.318. Drug-Free Ports Act. A bill to provide for access by State
and local authorities to information of the Department of Justice for
the purpose of conducting criminal background checks on port employees
and prospective employees. Sponsor: Rep Shaw, E. Clay, Jr. Referred to
the Committee on the Judiciary.
More information is available at:
[8] Upcoming Conferences and Events
Encryption Controls Workshop. February 8, 1998. San Jose, CA.
Sponsored by the US Dept of Commerce. Contact: (202) 482-6031
FC '99  Third Annual Conference on Financial Cryptography. February
22-25, 1999. Anguilla, B.W.I. Contact: http://fc99.ai/
Electronic Commerce and Privacy Legislation -- Building Trust and
Confidence. February 23, 1999.  Ottawa, Canada. Sponsored by Riley
Information Services. http://www.rileyis.com/seminars/Feb99/
Communitarian Summit. February 27-28, 1999. Arlington, Virginia.
Contact: http://www.gwu.edu/~ccps
1999 ASAP Western Regional Training Conference. February 28 - March 3,
1999. Portland, Oregon. Contact: http://www.podi.com/asap/
"CYBERSPACE 1999: Crime, Criminal Justice and the Internet". 29 & 30
March 1999. York, UK. Sponsored by the British and Irish Legal
Education Technology Association (BILETA). http://www.bileta.ac.uk/
Computers, Freedom and Privacy (CFP) '99. April 6-8, 1999. Washington,
DC. Sponsored by ACM. Call for proposals available. Contact:
Encryption Controls Workshop. May 13, 1998. Raleigh, NC.
Sponsored by the US Dept of Commerce. Contact: (202) 482-6031
1999 EPIC Cryptography and Privacy Conference. June 14, 1999.
Washington, DC. Sponsored by EPIC. Contact: info@epic.org
Cryptography & International Protection of Human Rights  (CIPHR'99).
9-13 August 1999. Lake Balaton, Hungary. Contact:
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center.  To subscribe or unsubscribe, send email
to epic-news@epic.org with the subject: "subscribe" (no quotes) or
"unsubscribe". A Web-based form is available at:
Back issues are available at:
About EPIC
The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information.  EPIC is sponsored
by the Fund for Constitutional Government, a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights.  EPIC publishes the EPIC Alert, pursues Freedom of Information
Act litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240
(tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 6.01 -----------------------
