==============================================================

                        EPIC ALERT

==============================================================
Volume 6.07                                       May 12, 1999
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org

=======================================================================
Table of Contents
=======================================================================

Appeals Court Strikes Down Crypto Controls
Top U.S. Officials Tout Internet Filters
Study Finds More Sites Posting Privacy Policies
Commerce Department Seeks Comments on "Safe Harbor"
Clinton Addresses Financial and Medical Privacy
Electronic Surveillance Increased in 1998
EPIC Bill-Track: New Bills in Congress
Upcoming Conferences and Events

=======================================================================
Appeals Court Strikes Down Crypto Controls
=======================================================================

In an eagerly-awaited decision, the U.S. Court of Appeals for the
Ninth Circuit ruled on May 6 that federal regulations that prohibit
the dissemination of encryption source code violate the First
Amendment. The court found that the regulations are an
unconstitutional prior restraint on speech because they "grant
boundless discretion to government officials" and have "effectively
chilled [cryptographers] from engaging in valuable scientific
expression."

The case was initiated by researcher Daniel Bernstein, who sought
government permission to export source code he had written. EPIC was
both co-counsel and coordinator of a "friend-of-the-court" (amicus)
brief in the case, arguing against the government controls on
privacy-enhancing technology.

Civil liberties and privacy organizations have consistently opposed
restrictions on the dissemination of encryption technology, and
welcomed the Bernstein decision as a major breakthrough. Marc
Rotenberg, Executive Director of EPIC, said, "This is a
forward-looking judgment that touches on many of the issues of
greatest concern to Internet users, including the right to speak
anonymously and the right of informational privacy." David L. Sobel,
EPIC's General Counsel, called the opinion "one of the most
significant Internet decisions yet issued, one that establishes
important precedents for both free speech and privacy online."

The opinion was notable for its recognition of the threats to privacy
that citizens face today and the role of encryption in protecting
information. The Ninth Circuit wrote:

     Whether we are surveilled by our government, by criminals, or
     by our neighbors, it is fair to say that never has our ability
     to shield our affairs from prying eyes been at such a low ebb.
     The availability and use of secure encryption may offer an
     opportunity to reclaim some portion of the privacy we have
     lost. Government efforts to control encryption thus may well
     implicate not only the First Amendment rights of
     cryptographers intent on pushing the boundaries of their
     science, but also the constitutional rights of each of us as
     potential recipients of encryption's bounty. . . . [I]t is
     important to point out that Bernstein's is a suit not merely
     concerning a small group of scientists laboring in an esoteric
     field, but also touches on the public interest broadly
     defined.

Information on encryption export controls, including the text of the
Bernstein decision and the EPIC amicus brief, is available at the
EPIC Cryptography Archive:

     http://www.epic.org/crypto/

=======================================================================
Top U.S. Officials Tout Internet Filters
=======================================================================

In the wake of the high school shootings in Colorado, the Clinton
Administration's two leading voices on communications policy recently
promoted Internet filtering software. Despite the tenuous connection
between the Internet and the tragedy in Littleton, Vice President Al
Gore and Federal Communications Commission Chair William Kennard both
used the incident as a backdrop for a new federal effort to encourage
the use of filters.

In a speech at the Annenberg Public Policy Center "Conference on
Internet and the Family" on May 4, Kennard said, "we need filtering
software for families to use on their PC's. . . . Today, the FCC is
doing what it can to help parents. I am pleased to announce that we
have added a 'Parents, Kids, and Communications' information page to
the FCC website." Although Kennard described the resource as a place
where "parents will be able to learn about [filtering] products, how
they work, and how much they cost," the FCC page currently contains
no information on the demonstrated drawbacks of filtering software.
The Commission does not explain, for instance, that these programs
tend to block access to some valuable and non-objectionable content.

Vice President Gore weighed in on the issue on May 5, announcing the
creation of the "Parents' Protection Page, which will appear on
virtually every Internet starting point automatically by this July."
According to Gore, by using the page, "parents will find easy steps
to block out inappropriate content. Parents will be told in simple
language how they can filter out the good content from content which
they, as parents, decide their children are not ready to handle."

Some observers noted there was not much that is new in this
initiative, with the White House having aligned itself with Internet
"protection" as early as June 1997.
While endorsing the use of filtering software, the Administration has
not yet made a significant commitment to developing Internet
education programs for young people.

More information on filtering and blocking is available at the
Internet Free Expression Alliance website:

     http://www.ifea.net

=======================================================================
Study Finds More Sites Posting Privacy Policies
=======================================================================

An industry-funded survey released on May 12 indicates that nearly
two-thirds of commercial Web sites display warnings that they collect
personal information from visitors, such as names, postal and e-mail
addresses and consumer preferences. Some sites admit that they sell
the information to third-party advertisers and others.

The new study, which was commissioned by the Online Privacy Alliance
-- an industry group that opposes new legal protections for online
privacy -- examined 364 commercial Internet sites. It found that
almost 66 percent now post some sort of privacy notice. More
significantly, less than 10 percent of the surveyed sites had
comprehensive privacy policies that give users the chance not to have
their personal information collected, allow them to review their
information, promise to keep the information confidential or explain
how to contact the site operator to make inquiries.

Federal Trade Commission Chairman Robert Pitofsky said that online
companies "deserve considerable credit for making progress over the
last year. There is a remarkable increase in the number of Web sites
posting information about their privacy practices." An FTC survey
last year found that only 14 percent of sites posted policy
statements explaining how they collect and use information about
visitors.

EPIC has long maintained that the Internet privacy issue is not
merely a question of posting privacy policies.
EPIC has conducted two surveys -- "Surfer Beware: Personal Privacy
and the Internet" in June 1997, and "Surfer Beware II: Notice Is Not
Enough" in June 1998 -- showing that most sites have not yet made a
serious effort to address privacy concerns in a meaningful way.

More information on online privacy, including links to EPIC's
reports, is available at:

     http://www.epic.org/privacy

=======================================================================
Commerce Department Seeks Comments on "Safe Harbor"
=======================================================================

The Department of Commerce is seeking comments on the "Safe Harbor"
proposal, a procedure that will allow firms to self-certify privacy
policies in lieu of the United States adopting stronger legal
safeguards for Americans.

The Safe Harbor proposal has come about in response to the entry into
force of the European Union Data Directive, a comprehensive legal
framework that establishes essential privacy safeguards for consumers
across the European Union. Many governments, including Canada,
Australia, Japan and nations in Eastern Europe have adopted or are in
the process of adopting laws that provide privacy protection
comparable to that which will be offered by the EU Data Directive.
The United States government has chosen instead to rely on an
industry-developed self-regulatory approach that lacks basic privacy
safeguards and fails to provide trust and assurance for users of new
network services.

The Trans Atlantic Consumer Dialogue, a coalition of sixty consumer
organizations in the United States and Europe, recently urged the
European Commission and the Members of the European Council to reject
the Safe Harbor proposal. TACD said:

     The Safe Harbor Proposal . . . fails to provide adequate
     privacy protection for consumers in the United States and
     Europe. It lacks effective means of enforcement and redress
     for privacy violations. It places unreasonable burdens on
     consumers and unfairly requires European citizens to sacrifice
     their legal rights to pursue privacy complaints through their
     national authorities. The proposal also fails to ensure that
     individual consumers will be able to access personal
     information obtained by business.

TACD has recommended instead the development and adoption of an
International Convention on Privacy Protection that will help
safeguard privacy interests of consumers and citizens in the
twenty-first century.

U.S.-based privacy and consumer organizations have also criticized
the Safe Harbor approach for providing higher levels of protection to
European consumers than will be provided for American consumers. They
favor a comprehensive legal framework to protect the interests of
consumers in the United States.

Ambassador David Aaron leads the Safe Harbor negotiation. Ambassador
Aaron was also responsible for the latest round of negotiations for
the Wassenaar Arrangement, in which he urged European governments to
adopt new controls on the use and export of encryption.

EPIC's view of all of this is that the United States foreign policy
on privacy is exactly backward: instead of discouraging the adoption
of strong privacy laws to protect consumers, we should be promoting
them. And instead of promoting new surveillance techniques, such as
key escrow encryption, we should be opposing them.

Let the Commerce Department know what you think. Comments are due at
the Commerce Department by Friday, May 14 and may be submitted
electronically in an HTML format to the following email address:
Ecommerce@ita.doc.gov.

The Safe Harbor Proposal is available at:

     http://www.ita.doc.gov/ecom

The Trans Atlantic Consumer Dialogue resolution is available at:

     http://www.tacd.org/meeting1/electronic.html#safe

=======================================================================
Clinton Addresses Financial and Medical Privacy
=======================================================================

At a White House ceremony on May 4, President Clinton announced the
Administration's "plan for financial privacy and consumer protection
in the 21st century." Noting that current law "to put it mildly, is
outdated and should be changed," Clinton endorsed new legislation
that would restrict the ability of banks, brokerage firms and
insurance companies to share with "affiliated" firms information on
what consumers buy with checks and credit cards.

The President also discussed the need for greater legal protection of
medical records:

     To enhance financial privacy, we must also protect the
     sanctity of medical records. With the growing number of
     mergers between insurance companies and banks, lenders
     potentially can gain access to the private medical information
     contained in insurance forms. So we propose to severely
     restrict the sharing of medical information within financial
     services conglomerates. You should not have to worry that the
     results of your latest physical exam will be used to deny you
     a home mortgage or a credit card. There are many other
     important protections for medical records that ought to be put
     in place. Because Congress has given me the authority to act
     if it does not do so by August, one way or another, we will
     protect the privacy of medical records this year.

Additional information on financial and medical privacy, including
the text of President Clinton's recent announcement, is available at:

     http://www.epic.org/privacy/

=======================================================================
Electronic Surveillance Increased in 1998
=======================================================================

Fueled by a 24 percent jump in state requests, the number of court
orders for wiretaps and other forms of electronic eavesdropping rose
twelve percent in 1998, to a total of 1,327. Only two surveillance
requests were denied by judges during the year. There was also a
large increase in the interception of electronic communications and
roving wiretaps. The statistics are contained in a new report by the
Administrative Office of the U.S. Courts.

In 1998, federal requests declined slightly from 569 in 1997 to 566
in 1998. This still represents over a 500 percent increase in
surveillance requests since 1980.

For the first time, the number of interceptions of wireless phones
and pagers exceeded traditional phone calls. In 1998, 576 of the
orders were for intercepting "electronic" communications, including
computer, cellular, and digital pagers. Five of the cases involved
interception of computer communications. In 1997, only 206 of the
interception orders involved electronic communications. There were
also 23 "roving" wiretaps in 1998, nearly doubling the twelve
reported in 1997.

Most requests involved drug investigations. Seventy-two percent of
the requests (955 total) were made in drug cases. Twelve percent
listed racketeering, and seven percent listed gambling as the
rationale for the taps. Since 1980, the number of non-drug related
wiretaps has remained fairly constant, at between 300-400 cases each
year, while the number of taps for drug cases has increased nearly
400 percent.

More information on wiretapping, including the text of the new
report, is available at:

     http://www.epic.org/privacy/wiretap/

=======================================================================
EPIC Bill-Track: New Bills in Congress
=======================================================================

*House*

H.R.1657. Children's Environmental Protection and Right to Know Act
of 1999. A bill to disclose environmental risks to children's health
and expand the public's right to know about toxic chemical use and
release, and for other purposes. Sponsored by Rep. Henry A. Waxman,
referred to the House Committee on Commerce.

*Senate*

S. 854. Electronic Rights for the 21st Century Act. A bill to protect
the privacy and constitutional rights of Americans, to establish
standards and procedures regarding law enforcement access to location
information, decryption assistance for encrypted communications and
stored electronic information, and other private information, to
affirm the rights of Americans to use and sell encryption products as
a tool for protecting their online privacy, and for other purposes.
Sponsored by Sen. Patrick J. Leahy, referred to the Committee on
Judiciary.

S.898. Taxpayer Privacy Protection Improvement Act of 1999. A bill to
amend the Internal Revenue Code of 1986 to provide taxpayers with
greater notice of any unlawful inspection or disclosure of their
return or return information. Sponsored by Sen. Paul Coverdell,
referred to the Committee on Finance.

S.899. 21st Century Justice Act of 1999. A bill to reduce crime and
protect the public in the 21st Century by strengthening Federal
assistance to State and local law enforcement, combating illegal
drugs and preventing drug use, attacking the criminal use of guns,
promoting accountability and rehabilitation of juvenile criminals,
protecting the rights of victims in the criminal justice system, and
improving criminal justice rules and procedures, and for other
purposes. Section 1303 requires the DNA samples of violent offenders.
Sponsored by Sen. Orrin G. Hatch, referred to the Committee on
Judiciary.

S.900. Financial Services Modernization Act of 1999. An original bill
to enhance competition in the financial services industry by
providing a prudential framework for the affiliation of banks,
securities firms, insurance companies, and other financial service
providers, and for other purposes. Title X deals with Financial
Information Privacy Protection. Sponsored by Sen. Phil Gramm, passed
Senate with amendments by vote of 54-44.

S.903. Violent Offender DNA Identification Act of 1999. A bill to
facilitate the exchange by law enforcement agencies of DNA
identification information relating to violent offenders, and for
other purposes. Sponsored by Sen. Herb Kohl, referred to the
Committee on Judiciary.

=======================================================================
Upcoming Conferences and Events
=======================================================================

Encryption Controls Workshop. May 13, 1999. Raleigh, NC. Sponsored by
the U.S. Dep't of Commerce. Contact: (202) 482-6031

INET 99. San Jose, Calif., June 22-25, 1999. Sponsored by the
Internet Society. Contact: http://www.isoc.org/inet99/

Privacy Laws & Business 12th Annual International Conference -- "New
Data Protection Law: Issues, Solutions, Action." June 28-30th 1999,
St John's College, Cambridge, United Kingdom. Contact: Privacy Laws &
Business, Tel: + 44 (0) 181 423 1300, Fax: + 44 (0) 181 423 4536,
e-mail: firstname.lastname@example.org, or
http://www.privacylaws.co.uk

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center.
A Web-based form is available for subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to
email@example.com with the subject: "subscribe" (no quotes) or
"unsubscribe".

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC is sponsored by the Fund for Constitutional Government, a
non-profit organization established in 1974 to protect civil
liberties and constitutional rights. EPIC publishes the EPIC Alert,
pursues Freedom of Information Act litigation, and conducts policy
research. For more information, e-mail
firstname.lastname@example.org, http://www.epic.org or write EPIC,
666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
+1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 6.07 -----------------------