EPIC logo

       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 6.06	                                   April 22, 1999
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] FTC Proposes Rules for Kids' Privacy Protection
[2] Encryption Bill Introduced in Senate
[3] Know Your Passenger: FAA Introduces New Screening Rules
[4] Online Anonymity Under Attack in the Courts
[5] Justice Department Appeals Internet Censorship Ruling
[6] "Orwell Awards" Presented to Biggest U.S. Privacy Invaders
[7] EPIC Bill-Track: New Bills in Congress
[8] Upcoming Conferences and Events
[1] FTC Proposes Rules for Kids' Privacy Protection
The Federal Trade Commission issued proposed rules on April 20
designed to protect the privacy of children on the Internet.  The
proposed rules, which would apply to certain commercial websites, is
the FTC's first step in the implementation of the Children's Online
Privacy Protection Act, which Congress enacted last October.  The
intended goal of the statute is to put parents in control of
information collected online from children under 13.
"Protecting kids who surf the Internet has been a top priority of the
Commission's online privacy initiative," said FTC Chairman Robert
Pitofsky.  "This proposed rule aims to achieve that goal by putting
parents in control of personal information that is collected from
their children on the Web.  The proposed rule also provides
flexibility to accommodate varied business practices and the fast pace
of technological change."
The proposed FTC rules, which are subject to public comment, apply to
commercial websites directed to, or that knowingly collect information
from, children under 13.  With certain exceptions, these sites would
have to obtain parental consent before collecting, using, or
disclosing personal information from children.  To inform parents of
their information practices, these sites also would be required to
provide notice on the site and to parents about their policies with
respect to the collection, use and disclosure of children's personal
Under the proposed rules, sites must give parents a choice as to
whether their child's information can be disclosed to third parties,
and give parents a chance to prevent further use or future collection
of personal information from their child.  Parents must also, upon
request, be given access to the personal information collected from
their child and a means of reviewing that information.
Written comments on the proposed rules will be accepted until June 11,
1999.  Comments may be submitted by e-mail to KidsRule@ftc.gov.
More information on children's privacy, including the text of the
proposed FTC rules, is available at:
[2] Encryption Bill Introduced in Senate
Senator John McCain (R-AZ) on April 14 introduced the Promote Reliable
On-Line Transactions to Encourage Commerce and Trade (PROTECT) Act of
1999 (S.798), which is designed to promote international electronic
commerce and limit the power of the federal government to mandate
encryption requirements for the domestic market.  The bill prohibits
mandatory access to encryption keys or key recovery information by the
United States government or the government of any state.  The bill
would also permit the export of unlimited strength encryption to
members of NATO, the Organization for Economic Cooperation and
Development (OECD), and the Association of Southeast Asian Nations
(ASEAN). Exports to other nations would limited to strengths of
The bill would require the National Institute of Standards and
Technology (NIST) to complete work on the Advanced Encryption Standard
(AES) by January 1, 2002.  It further stipulates that products
adhering to the standard will be permitted to be exported "consistent
with the national security requirements of the United States."  The
PROTECT Act also establishes an Encryption Export Advisory Board which
would periodically determine the availability of various encryption
products abroad and make necessary recommendations to the Secretary of
Commerce to amend export regulations on encryption.
Notably, the bill does not include a criminalization provision like
the one included in the SAFE Act currently pending in the House of
Representatives.  That provision would create a new federal crime for
the use of encryption in the commission of a felony.
The introduction of the legislation is also significant because it
appears to signal a change in Sen. McCain's position on the encryption
issue.  As Chairman of the Senate Commerce Committee, Sen. McCain has
in the past opposed any liberalization of existing encryption policy.
Additional information on encryption, including the text of the
PROTECT Act, is available at:
[3] Know Your Passenger: FAA Introduces New Screening Rules
The Federal Aviation Administration proposed new rules on April 20 for
increasing airline security by requiring that all airlines conduct
computerized profiling of all passengers on domestic flights.  The new
program, called Computer Assisted Passenger Screening (CAPS), would
use data from airline computers and secret profiling standards to
select passengers for additional questioning and searches.
Under the new rules, airlines would select passengers for increased
scrutiny based on internal profiling standards.  They would also
randomly select some passengers for the "deterrent value that would
increase airline passenger safety."  The FAA funded the program,
paying the carriers over $10 million to develop CAPS.  The new rules'
details on who would be targeted by the automated systems are not
revealed for security reasons.  However, the Department of Justice has
determined that the rules raise no civil liberties concerns.
The rules are based on the recommendations of the White House
Commissioner on Aviation Safety and Security, led by Vice President
Al Gore.  The Gore Commission issued its report in 1997 and was
criticized by a coalition of groups for its intrusive proposals.  The
proposed rules recognize that there have been few actual incidents of
the sort that CAPS seeks to address (the only one reported was in
1979), but links unrelated occurrences such as the World Trade Center
bombing and the accidental crash of TWA Flight 800 as justification
for the stringent new procedures.  The FAA estimates that it will cost
between $50 million and $70 million to implement the program, which
will be paid by the airlines and presumably passed onto passengers.
Comments are due on the proposal by June 18, 1999.  They can be
e-mailed to 9-NPRM-CMTS@faa.gov.  More information on the proposed
rules, airline security and privacy issues is available at:
[4] Online Anonymity Under Attack in the Courts
Several recent court cases around the country highlight an
increasingly popular litigation tactic: the use of civil discovery to
unmask the identities of anonymous Internet posters.  In the last few
months, a growing number of corporations have issued subpoenas to
Internet service providers (ISPs) and operators of online message
boards seeking to identify and locate individuals who posted material
that the companies, for one reason or another, find objectionable.
Brian Payea, a spokesman for Lycos, recently told Salon Magazine that
the firm receives subpoenas on "pretty close to a regular basis."  The
underlying allegations in these cases include defamation, misappropri-
ation of trade secrets and securities law violations.  Many observers
worry, however, that the legal tactic can easily be used to intimidate
potential critics into silence and destroy the anonymity that has
contributed to the Internet's explosive growth.
The recent cases, which include actions filed by Raytheon, Shoney's
and Wade Cooke Financial, raise serious issues concerning the rights
of anonymous Internet users and the procedural protections they should
be entitled to before their identities are disclosed.  At present,
there is no legal guidance in this area.  The federal Electronic
Communications Privacy Act (ECPA) doesn't even require the issuance of
subpoenas when a private party seeks a subscriber's identity from an
ISP; only government agencies are required to present a legal demand
for such information.  While many service providers (such as America
Online) provide in their terms of service that they will not disclose
subscriber information to private parties without a subpoena, most are
not obligated to notify a subscriber that a subpoenas has been
received.  Even when the subscriber is notified of a pending demand
for identifying information, there are no established judicial
procedures that would enable "John Doe" to argue in support of his
While many of the pending cases involve serious charges of alleged
wrongdoing, there is no mechanism currently in place to distinguish
between someone who is hiding behind their anonymity to commit a crime
or other wrongful act, and someone who is, for instance, shielding
their identity for whistle-blowing purposes or to communicate
anonymously in an HIV-support group or on a message board for battered
women.  Until the courts or Congress establish basic ground rules for
these cases, the number of subpoenas -- legitimate and otherwise --
is likely to increase.
[5] Justice Department Appeals Internet Censorship Ruling
The U.S. Department of Justice on April 2 appealed a lower court
decision enjoining enforcement of the Child Online Protection Act
(COPA).  The case against COPA -- brought by EPIC, the ACLU and other
organizations -- now moves to the U.S. Court of Appeals for the Third
Circuit.  Appellate briefs are likely to be filed sometime this
The government appeal will challenge the finding of Judge Lowell A.
Reed, Jr. that the new Internet censorship law would restrict free
speech in the "marketplace of ideas."  Judge Reed's February 1 ruling
enjoins enforcement of COPA, the statutory successor to the
Communications Decency Act (CDA), which the Supreme Court struck down
in June 1997.  The legal challenge to COPA was filed on behalf of 17
organizations publishing information on the World Wide Web.  In
granting a preliminary injunction against COPA, the court held that
the plaintiffs are likely to succeed on their claim that the law
"imposes a burden on speech that is protected for adults."  The ruling
came after a six-day hearing which featured testimony from website
operators who provide free information about fine art, news, gay and
lesbian issues and sexual health for women and the disabled, and who
all fear that COPA would force them to shut down their websites.  
In his 49-page opinion, Judge Reed listed 68 separate "findings of
fact" to support his decision.  The judge considered evidence that
COPA imposed technological and economic burdens on speakers, but
concluded that ultimately the relevant inquiry is the "burden imposed
on the protected speech, not the pressure placed on the pocketbooks or
bottom lines of the plaintiffs."  
The full text of the Judge Reed's decision, and complete information
on the legal challenge, is available at:
[6] "Orwell Awards" Presented to Biggest U.S. Privacy Invaders
Privacy International presented its first Orwell Awards on April 7 to
the worst corporate and government privacy invaders in the United
States.  Privacy International's Director, Simon Davies, said the
awards were designed to raise awareness of the erosion of privacy
rights in the U.S.  "Surveillance over our private lives has reached a
dangerous new level. It's time to turn the spotlight around and shine
it on the invaders."  The awards were presented at the Computers,
Freedom and Privacy (CFP99) conference in Washington, DC.
A total of five awards were announced, but most recipients were not on
hand to receive them.  The winner in the "Worst Public Official"
category was Rep. Bill McCollum (R-FL) for his numerous activities in
Congress opposing privacy, including pushing through a law increasing
wiretapping approved last year, several bills promoting the creation
of a national ID card, opposition to efforts to improve financial
privacy, and his recent efforts to amend the SAFE encryption bill to
mandate key escrow.  Runners-up were New York Mayor Rudolph Giuliani
(for his suggestion to take DNA samples of all children at birth) and
Ambassador David Aaron and White House Advisor Ira Magaziner (for
their travels around the world promoting encryption restrictions and
opposing privacy laws).
The Federal Depository Insurance Corporation received the award for
"Most Invasive Proposal" for its "Know Your Customer" proposal (see
EPIC Alert 6.05).  The runners-up were the Communications Assistance
for Law Enforcement Act (CALEA) and the FAA's Airline ID Program.  The
"Greatest Corporate Invader" award went to Elensys Inc., a Woburn,
Massachusetts company that has secretly collected the pharmacy records
of millions of consumers from 15,000 pharmacies nationwide.  The
runners-up were Intel for the Pentium III Processor Serial Number
(designed to identify and track users) and ImageData for its attempts
to create a national database of drivers license photographs.
The "Lifetime Menace" award went to the Federal Bureau of
Investigation for its activities over the past 80 years, including
CALEA, COINTELPRO, and its efforts on information warfare.  Runners-up
were the Direct Marketing Association, the National Security Agency,
and credit bureau TransUnion Corp.  Finally, Microsoft Corp. received
the "People's Choice" award for the Global User ID Number, Open
Profiling System, and the proposed P3P standard.  The other candidates
were Intel, President Clinton and Special Prosecutor Kenneth Starr.
Two "Brandeis" Awards were presented to individuals who have made an
outstanding contribution to the protection of privacy, as well as to
victims of privacy invasion who have successfully fought back.  Phil
Zimmermann, author of the encryption program Pretty Good Privacy, and
Diana Mey, a West Virginia housewife who successfully took on Sears
telemarketers, were the recipients this year.
More information on the awards can be found at:
[7] EPIC Bill-Track: New Bills in Congress
H.R. 1345. Eliminates requirement that states collect SSNs for
recreational licenses. Introduced by Obey (D-WI). Referred to the
Committee on Ways and Means.
H.R. 1426. Money Laundering Prevention Act of 1999. Expands rules on
money laundering. Requires banks to better identify account holders.
Introduced by Waters (D-CA). Referred to the Committee on Banking and
Financial Services.
H.R. 1450. Personal Information Privacy Act of 1999. Limits sale of
credit information, SSNs, drivers photographs. Introduced by Rep
Kleczka, Gerald D. (D-WI). Referred to the Committee on Ways and
Means, and in addition to the Committees on Banking and Financial
Services, and the Judiciary.
H.R. 1471. Money Laundering Prevention Act of 1999. Expands rules on
money laundering. Requires banks to better identify account holders.
Introduced by Waters (D-CA). Referred to the Committee on Banking and
Financial Services.
S. 753. Financial Services Act of 1999. Prohibits obtaining financial
information under false pretenses. Requires FTC to issue interim
report on consumer privacy. Exempts law enforcement & financial
institutions. Sponsor Sen Daschle, Thomas A. (D-ND). Referred to the
Committee on Banking.
S. 759. Inbox Privacy Act of 1999. Anti-spam bill. Sponsor Sen
Murkowski, Frank H. (R-AS). Referred to the Committee on Commerce.
S. 781. Telephone Privacy Act of 1999. Requires 2 party consent for
recording telephone calls. Sponsor: Sen Feinstein, Dianne (D-CA).
Referred to the Committee on the Judiciary.
S. 782. Patients' Telephone Privacy Act of 1999.  Limits health care
providers recording of patients phone calls. Sponsor: Sen Feinstein,
Dianne (D-CA). Referred to the Committee on the Judiciary.
S. 798. Promote Reliable On-Line Transactions to Encourage Commerce
and Trade (PROTECT) Act of 1999. Slightly relaxes export controls on
cryptography. Sponsor Sen McCain, John (R-AZ). Referred to the
Committee on Commerce.
S. 800. Wireless Communications and Public Safety Act of 1999. Limits
use of cellular location information for non-safety emergency uses.
Sponsor: Sen Burns, Conrad R (R-MT). Referred to the Committee on
Commerce, Science, and Transportation.
S. 809. Online Privacy Protection Act of 1999. Requires FTC to set
rules on collection of personal information by online services and web
pages. Creates broad safe harbor protections for industry. Sponsor:
Sen Burns, Conrad R. (R-MT). Referred to the Committee on Commerce,
Science, and Transportation .
[8] Upcoming Conferences and Events
Encryption Controls Workshop. May 13, 1999. Raleigh, NC. Sponsored by
the U.S. Dep't of Commerce. Contact: (202) 482-6031
INET 99.  San Jose, Calif., June 22-25, 1999.  Sponsored by the
Internet Society.  Contact: http://www.isoc.org/inet99/
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. A Web-based form is available for subscribing or
unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
About EPIC
The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information.  EPIC is sponsored
by the Fund for Constitutional Government, a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights.  EPIC publishes the EPIC Alert, pursues Freedom of Information
Act litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240
(tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 6.06 -----------------------

Return to:

Alert Home Page | EPIC Home Page