EPIC logo

       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 6.07                                       May 12, 1999
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] Appeals Court Strikes Down Crypto Controls
[2] Top U.S. Officials Tout Internet Filters
[3] Study Finds More Sites Posting Privacy Policies
[4] Commerce Department Seeks Comments on "Safe Harbor"
[5] Clinton Addresses Financial and Medical Privacy
[6] Electronic Surveillance Increased in 1998
[7] EPIC Bill-Track: New Bills in Congress
[8] Upcoming Conferences and Events
[1] Appeals Court Strikes Down Crypto Controls
In an eagerly-awaited decision, the U.S. Court of Appeals for the
Ninth Circuit ruled on May 6 that federal regulations that prohibit
the dissemination of encryption source code violate the First
Amendment.  The court found that the regulations are an
unconstitutional prior restraint on speech because they "grant
boundless discretion to government officials" and have "effectively
chilled [cryptographers] from engaging in valuable scientific
expression."  The case was initiated by researcher Daniel Bernstein,
who sought government permission to export source code he had written.
 EPIC was both co-counsel and coordinator of a "friend-of-the-court"
(amicus) brief in the case, arguing against the government controls on
privacy-enhancing technology.
Civil liberties and privacy organizations have consistently opposed
restrictions on the dissemination of encryption technology, and
welcomed the Bernstein decision as a major breakthrough.  Marc
Rotenberg, Executive Director of EPIC, said, "This is a
forward-looking judgment that touches on many of the issues of
greatest concern to Internet users, including the right to speak
anonymously and the right of informational privacy."  David L. Sobel,
EPIC's General Counsel, called the opinion "one of the most
significant Internet decisions yet issued, one that establishes
important precedents for both free speech and privacy online."
The opinion was notably for its recognition of the threats to privacy
that citizens face today and the role of encryption in protecting
information. The Ninth Circuit wrote:
     Whether we are surveilled by our government, by criminals,
     or by  our neighbors, it is fair to say that never has our
     ability to shield our affairs from prying eyes been at such a
     low ebb. The availability and use of secure encryption may
     offer an opportunity to reclaim some portion of the privacy we
     have lost. Government efforts to control encryption thus may
     well implicate not only the First Amendment rights of
     cryptographers intent on pushing the boundaries of their
     science, but also the constitutional rights of each of us as
     potential recipients of encryption's bounty.  . . . [I]t is
     important to point out that Bernstein's is a suit not merely
     concerning a small group of scientists laboring in an esoteric
     field, but also touches on the public interest broadly defined.
Information on encryption export controls, including the text of the
Bernstein decision and the EPIC amicus brief, is available at the EPIC
Cryptography Archive:
[2] Top U.S. Officials Tout Internet Filters
In the wake of the high school shootings in Colorado, the Clinton
Administration's two leading voices on communications policy recently
promoted Internet filtering software.  Despite the tenuous connection
between the Internet and the tragedy in Littleton, Vice President Al
Gore and Federal Communications Commission Chair William Kennard both
used the incident as a backdrop for a new federal effort to encourage
the use of filters.
In a speech at the Annenberg Public Policy Center "Conference on
Internet and the Family" on May 4, Kennard said, "we need filtering
software for families to use on their PC's.  . . . Today, the FCC is
doing what it can to help parents.  I am pleased to announce that we
have added a 'Parents, Kids, and Communications' information page to
the FCC website."  Although Kennard described the resource as a place
where "parents will be able to learn about [filtering] products, how
they work, and how much they cost," the FCC page currently contains no
information on the demonstrated drawbacks of filtering software.  The
Commission does not explain, for instance, that these programs tend to
block access to some valuable and non-objectionable content.
Vice President Gore weighed in on the issue on May 5, announcing the
creation of the "Parents' Protection Page, which will appear on
virtually every Internet starting point automatically by this July."
According to Gore, by using the page, "parents will find easy steps to
block out inappropriate content.  Parents will be told in simple
language how they can filter out the good content from content which
they, as parents, decide their children are not ready to handle."
Some observers noted there was not much that is new in this
initiative, with the White House having aligned itself with Internet
"protection" as early as June 1997.  While endorsing the use of
filtering software, the Administration has not yet made a significant
commitment to developing Internet education programs for young people.
More information on filtering and blocking is available at the
Internet Free Expression Alliance website:
[3] Study Finds More Sites Posting Privacy Policies
An industry-funded survey released on May 12 indicates that nearly
two-thirds of commercial Web sites display warnings that they collect
personal information from visitors, such as names, postal and e-mail
addresses and consumer preferences.  Some sites admit that they sell
the information to third-party advertisers and others.
The new study, which was commissioned by the Online Privacy Alliance
-- an industry group that opposes new legal protections for online
privacy -- examined 364 commercial Internet sites.  It found that
almost 66 percent now post some sort of privacy notice.  More
significantly, less than 10 percent of the surveyed sites had
comprehensive privacy policies that give users the chance not to have
their personal information collected, allow them to review their
information, promise to keep the information confidential or explain
how to contact the site operator to make inquiries.
Federal Trade Commission Chairman Robert Pitofsky said that online
companies "deserve considerable credit for making progress over the
last year.  There is a remarkable increase in the number of Web sites
posting information about their privacy practices."  An FTC survey
last year found that only 14 percent of sites posted policy statements
explaining how they collect and use information about visitors.
EPIC has long maintained that the Internet privacy issue is not merely
a question of posting privacy policies.  EPIC has conducted two
surveys -- "Surfer Beware: Personal Privacy and the Internet" in June
1997, and "Surfer Beware II: Notice Is Not Enough" in June 1998 --
showing that most sites have not yet made a serious effort to address
privacy concerns in a meaningful way.
More information on online privacy, including links to EPIC's reports,
is available at:
[4] Commerce Department Seeks Comments on "Safe Harbor"
The Department of Commerce is seeking comments on the "Safe Harbor"
proposal, a procedure that will allow firms to self-certify privacy
policies in lieu of the United States adopting stronger legal
safeguards for Americans.  The Safe Harbor proposal has come about in
response to the entry into force of the European Union Data Directive,
a comprehensive legal framework that establishes that essential
privacy safeguards for consumers across the European Union.
Many governments, including Canada, Australia, Japan and nations in
Eastern Europe have adopted or in the process of adopting laws that
provide privacy protection comparable to that which will be offered by
the EU Data Directive.  The United Sates government has chosen instead
to rely on industry-developed self-regulatory approach that lacks
basic privacy safeguards and fails to provide trust and assurance for
users of new network services.
The Trans Atlantic Consumer Dialogue, a coalition of sixty consumer
organizations in the United States and Europe, recently urged the
European Commission and the Members of the European Council to reject
the Safe Harbor proposal.  TACD said:
     The Safe Harbor Proposal . . . fails to provide adequate
     privacy protection for consumers in the United States and
     Europe.  It lacks effective means of enforcement and redress
     for privacy violations.  It places unreasonable burdens on
     consumers and unfairly requires European citizens to sacrifice
     their legal rights to pursue privacy complaints through their
     national authorities.  The proposal also fails to ensure
     that individual consumers will be able to access personal
     information obtained by business.
TACD has recommended instead the development and adoption of
International Convention on Privacy Protection that will help
safeguard privacy interests of consumers and citizens in the
twenty-first century.  U.S.-based privacy and consumer organizations
have also criticized the Safe Harbor approach for providing higher
levels of protection to European consumers that will be provided for
American Consumers.  They favor a comprehensive legal framework to
protect the interests of consumers in the United States.
Ambassador David Aaron leads the Safe Harbor negotiation.  Ambassador
Aaron was also responsible for the latest round of negotiations for
the Wassenaar Arrangement, in which he urged European governments to
adopt new controls on the use and export of encryption.
EPIC's view of all of this is that the United States foreign policy on
privacy is exactly backward: instead of discouraging the adoption of
strong privacy laws to protect consumers, we should be promoting them.
 And instead of promoting new surveillance techniques, such as key
escrow encryption, we should be opposing them.
Let the Commerce Department know what you think.  Comments are due at
the Commerce Department by Friday, May 14 and may be submitted
electronically in an HTML format to the following email address:
The Safe Harbor Proposal is available at:
The Trans Atlantic Consumer Dialogue resolution is available at:
[5] Clinton Addresses Financial and Medical Privacy
At a White House ceremony on May 4, President Clinton announced the
Administration's "plan for financial privacy and consumer protection
in the 21st century."  Noting that current law "to put it mildly, is
outdated and should be changed," Clinton endorsed new legislation that
would restrict the ability of banks, brokerage firms and insurance
companies to share with "affiliated" firms information on what
consumers buy with checks and credit cards.
The President also discussed the need for greater legal protection of
medical records:
     To enhance financial privacy, we must also protect the
     sanctity of medical records. With the growing number of
     mergers between insurance companies and banks, lenders
     potentially can gain access to the private medical information
     contained in insurance forms. So we propose to severely restrict
     the sharing of medical information within financial services
     You should not have to worry that the results of your latest
     physical exam will be used to deny you a home mortgage or a
     credit card. There are many other important protections for
     medical records that ought to be put in place. Because Congress
     has given me the authority to act if it does not do so by
     August, one way or another, we will protect the privacy of
     medical records this year.
Additional information on financial and medical privacy, including the
text of President Clinton's recent announcement, is available at:
[6] Electronic Surveillance Increased in 1998
Fueled by a 24 percent jump in state requests, the number of court
orders for wiretaps and other forms of electronic eavesdropping rose
twelve percent in 1998, to a total of 1,327.  Only two surveillance
requests were denied by judges during the year.  There was also a
large increase in the interception of electronic communications and
roving wiretaps.  The statistics are contained in a new report by the
Administrative Office of the U.S. Courts.
In 1998, federal requests declined slightly from 569 in 1997 to 566 in
1998.  This still represents over a 500 percent increase in
surveillance requests since 1980.
For the first time, the number of interceptions of wireless phones and
pagers exceeded traditional phone calls.  In 1998, 576 of the orders
were for intercepting "electronic" communications, including computer,
cellular, and digital pagers.  Five of the cases involved interception
of computer communications. In 1997, only 206 of the interception
orders involved electronic communications.  There were also 23
"roving" wiretaps in 1998, nearly doubling the twelve reported in
Most requests involved drug investigations.  Seventy-two percent of
the requests (955 total) were made in drug cases.  Twelve percent
listed racketeering, and seven percent listed gambling as the
rationale for the taps.  Since 1980, the number of non-drug related
wiretaps has remained fairly constant, at between 300-400 cases each
year, while the number of taps for drug cases has increased nearly 400
More information on wiretapping, including the text of the new report,
is available at:
[7] EPIC Bill-Track: New Bills in Congress
H.R.1657. Children's Environmental Protection and Right to Know Act of
1999.  A bill to disclose environmental risks to children's health and
expand the public's right to know about toxic chemical use and
release, and for other purposes.  Sponsored by Rep. Henry A. Waxman,
referred to the House Committee on Commerce.
S. 854. Electronic Rights for the 21st Century Act.  A bill to protect
the privacy and constitutional rights of Americans, to establish
standards and procedures regarding law enforcement access to location
information, decryption assistance for encrypted communications and
stored electronic information, and other private information, to
affirm the rights of Americans to use and sell encryption products as
a tool for protecting their online privacy, and for other purposes.
Sponsored by Sen. Patrick J. Leahy, referred to the Committee on
S.898. Taxpayer Privacy Protection Improvement Act of 1999. A bill to
amend the Internal Revenue Code of 1986 to provide taxpayers with
greater notice of any unlawful inspection or disclosure of their
return or return information.  Sponsored by Sen. Paul Coverdell,
referred to the Committee on Finance.
S.899. 21st Century Justice Act of 1999. A bill to reduce crime and
protect the public in the 21st Century by strengthening Federal
assistance to State and local law enforcement, combating illegal drugs
and preventing drug use, attacking the criminal use of guns, promoting
accountability and rehabilitation of juvenile criminals, protecting
the rights of victims in the criminal justice system, and improving
criminal justice rules and procedures, and for other purposes.
Section 1303 requires the DNA samples of violent offenders.  Sponsored
by Sen. Orrin G. Hatch, referred to the Committee on Judiciary.
S.900. Financial Services Modernization Act of 1999. An original bill
to enhance competition in the financial services industry by providing
a prudential framework for the affiliation of banks, securities firms,
insurance companies, and other financial service providers, and for
other purposes.  Title X deals with Financial Information Privacy
Protection.  Sponsored by Sen. Phil Gramm,  passed Senate with
amendments by vote of 54-44.
S.903. Violent Offender DNA Identification Act of 1999. A bill to
facilitate the exchange by law enforcement agencies of DNA
identification information relating to violent offenders, and for
other purposes.  Sponsored by Sen. Herb Kohl, referred to the
Committee on Judiciary.
[8] Upcoming Conferences and Events
Encryption Controls Workshop. May 13, 1999. Raleigh, NC. Sponsored by
the U.S. Dep't of Commerce. Contact: (202) 482-6031
INET 99.  San Jose, Calif., June 22-25, 1999.  Sponsored by the
Internet Society.  Contact: http://www.isoc.org/inet99/
Privacy Laws & Business 12th Annual International Conference -- "New
Data Protection Law: Issues, Solutions, Action."  June 28-30th 1999,
St John's College, Cambridge, United Kingdom.  Contact: Privacy Laws &
Business, Tel: + 44 (0) 181 423 1300, Fax: + 44 (0) 181 423 4536,
e-mail: info@privacylaws.co.uk, or http://www.privacylaws.co.uk
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. A Web-based form is available for subscribing or
unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
About EPIC
The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information.  EPIC is sponsored
by the Fund for Constitutional Government, a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights.  EPIC publishes the EPIC Alert, pursues Freedom of Information
Act litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240
(tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 6.07 -----------------------

Return to:

Alert Home Page | EPIC Home Page