       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 6.09                                      June 10, 1999
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] EPIC Survey Finds Few Crypto Controls
[2] Banking Official Cites Growing Privacy Concerns
[3] Minnesota Sues Bank for Customer Data Sales
[4] Safe Harbor Sunk?
[5] Arizona Restricts Use of Student Social Security Numbers
[6] Anti-Abortion Webmaster Sues ISP Over Shut-Down
[7] EPIC Bookstore - "Visions of Privacy"
[8] Upcoming Conferences and Events
[1] EPIC Survey Finds Few Crypto Controls
This week the Electronic Privacy Information Center released the second
annual survey of encryption policies around the globe. "Cryptography
and Liberty 1999" finds that few countries restrict the use,
manufacture, or sale of encryption products and services.  However,
export controls that allow countries to license products before they
may be shipped overseas continue to be a significant obstacle to the
widespread availability of encryption, according to the report.
Encryption technology is considered essential for online privacy and
security.  But law enforcement and intelligence agencies have lobbied
national governments to maintain export controls to prevent the
widespread availability of the product.  According to the EPIC report,
few countries today impose domestic controls on encryption and there is
little interest in techniques, such as "key escrow" or "key recovery,"
that would enable government access to private messages.
EPIC noted that the OECD Cryptography Guidelines, adopted in 1997 by
the Paris-based organization, are encouraging further liberalization of
controls on encryption.  In particular, the French government has
backed off a proposal for key escrow encryption.  However, a recently
adopted agreement on export controls, championed by the United States, may
lead to more restrictive policies in some Northern European countries
that previously did not license the export of encryption products.
"Cryptography & Liberty" was conducted with the assistance of members
of the Global Internet Liberty Campaign, an international association
of organizations working to promote free expression and protect privacy
on the Internet.  The survey was released the same week that the U.S.
Congress considered legislation that would relax export controls in the
United States.  On June 9, the House Intelligence Committee held a
hearing on the Security and Freedom through Encryption Act, sponsored
by Rep. Bob Goodlatte (R-VA). The Senate Commerce Committee on June 10
considered encryption legislation sponsored by Sen. John McCain (R-AZ).
A separate survey prepared by Professor Lance Hoffman examines the
foreign availability of encryption products.  The report, "Growing
Development of Foreign Encryption Products in the Face of U.S. Export
Regulations," found that at least 167 foreign cryptographic products
use strong encryption in the form of these algorithms: Triple DES,
IDEA, BLOWFISH, RC5, or CAST-128.  The report also identified 512
foreign companies that either manufacture or distribute foreign
cryptographic products in at least 67 countries outside the United
States.  The report raises further questions about the reasonableness
of U.S. export control policy.
"Cryptography & Liberty 1999" is available online at the EPIC web site.
The bound, paper version of the report can also be purchased on-line
at the EPIC bookstore, which is operated in association with
Cryptography and Liberty 1999 (online) is available at:
Cryptography and Liberty 1999 (paper) is available at:
"Growing Development of Foreign Encryption Products" is available at:
[2] Banking Official Cites Growing Privacy Concerns
Comptroller of the Currency John D. Hawke Jr. warned banks on June 7
to stop what he called the abusive practice of selling customers'
personal data to telemarketing firms or face possible action by
Congress.  Hawke, who oversees nationally chartered banks, said the
practice by a few banks raises "serious legal concerns," which his
office and other federal banking agencies are examining.
"Unfortunately, there's mounting evidence of an increase in banking
practices that are at least seamy, if not downright unfair and
deceptive -- practices that virtually cry out for government scrutiny,"
Hawke told bank lending officers at a meeting in San Francisco.  "One
must be troubled about the implications of this practice for the
preservation of customer confidence in the confidentiality of the
bank-customer relationship."
The Comptroller's comments came as some members of Congress are
promoting legislation that would give consumers the right to stop
affiliated banks, brokerage firms and insurance companies from sharing
personal financial data.  A bill sponsored by Rep. Jay Inslee (D-WA)
would allow consumers to "opt out" of personal data-sharing among
affiliated financial companies.  The legislation follows a proposal
made last month by President Clinton, who urged Congress to strengthen
consumers' rights when banks and other financial companies attempt to
share information about them (see EPIC Alert 6.07).
In addition, several members of the House Banking Committee have
promised action.  Rep. John J. LaFalce (D-NY) plans to introduce
legislation to restrict the sharing of information about credit card
customers. Rep. Marge Roukema (R-NJ), chair of the House Banking
Subcommittee on Consumer Credit, plans hearings on privacy July 21 and
22. House Banking Committee Chairman Jim Leach (R-IA) said a lawsuit
filed by the Minnesota Attorney General (see below) shows that privacy
is an issue "that demands continued oversight."
The text of the Comptroller General's speech is available at:
[3] Minnesota Sues Bank for Customer Data Sales
Minnesota's Attorney General filed suit on June 8 against U.S. Bank,
charging that the bank violated the Fair Credit Reporting Act and state
consumer protection laws when it sold confidential customer information
to a telemarketing company.  The lawsuit alleges that U.S. Bank sold
customer data from its own and other databases to MemberWorks Inc.,
a Connecticut telemarketing firm.
Customer information that U.S. Bank allegedly shared with MemberWorks
included names, addresses, and telephone numbers of primary and
secondary customers, checking account numbers, credit card numbers,
social security numbers, date of birth, account status and frequency of
use, gender, marital status, homeowner status, occupation, the date the
customer opened a particular account, average account balance,
year-to-date finance charges for credit card accounts, credit insurance
status, and information about the customer's most recent purchase by
credit card.
The suit alleges that the bank also allowed MemberWorks to charge
customer accounts without obtaining written authorization, as required
by rules established by the National Automated Clearing House
Association.  "Minnesota customers who are telemarketed by MemberWorks
and its agents are unaware at the time of the solicitation that their
credit card numbers and/or checking account numbers are already in the
telemarketers' possession," the complaint says.
Minnesota Attorney General Mike Hatch charges that U.S. Bank violated
four specific provisions of the federal Fair Credit Reporting Act.  The
suit also alleges three counts of state law violations -- failing to
prevent consumer fraud, false advertising, and deceptive trade
practices.  "People are appropriately careful about protecting their
Social Security number, checking, and credit card information," Hatch
said in a statement after the suit was filed. "When a bank hands out
this information to the highest bidder, it has to answer to its
customers and to the Attorney General's office."
Additional information on the Minnesota litigation (including the text
of the complaint) is available at:
[4] Safe Harbor Sunk?
Early reports on the day-long meeting at the end of May between top
negotiators for the United States and the European Union suggest that
there will be no agreement on the "Safe Harbor" proposal before the
U.S.-EU summit in Germany later this month.  The Department of Commerce
has been urging officials of the European Union to agree that the U.S.
system of "self-regulation" provides adequate privacy protection and
that no further legislation is necessary to protect the interests of
European citizens whose personal information is processed in the United
European privacy officials participated in extensive meetings with U.S.
trade officials but were unable to resolve key questions about
enforcement, access, and implementation.  A group of experts wrote
     Data protection rules only contribute to the protection of
     individuals to the extent to which they are followed in practice.
     In an entirely voluntary scheme such as this compliance with the
     rules must be at least guaranteed by an independent investigative
     mechanism for complaints and sanctions which must be, on the one
     hand dissuasive and, on the other give individual compensation
     where appropriate.
Consumer and privacy organizations on both sides of the Atlantic also
objected to the Safe Harbor proposal.  The Trans Atlantic Consumer
Dialogue, representing sixty consumer groups in the United States and
Europe, adopted a resolution last month in opposition to the Safe
Harbor proposal.  This week Jim Murray, President of the European
Consumers Organization (BEUC), wrote to Jacques Santer, President of
the European Commission, and EC Members Mario Monti and Emma Bonino to
express further concern about the Safe Harbor proposal.  Mr. Murray
said that, "Without simple and effective complaint and redress
procedures, the proposed U.S. regime would not have sufficient
deterrents to prevent abuse of consumer rights, even in flagrant
The text of the Safe Harbor Proposal is available at:
The Trans Atlantic Consumer Dialogue resolution is available at:
The European Consumers' Organization website:
[5] Arizona Restricts Use of Student Social Security Numbers
Newly-enacted legislation in Arizona prohibits the use of Social
Security numbers as student identification numbers in universities.
Wisconsin enacted a similar law last year.  The Arizona bill (SB
1399) prohibits a university under the jurisdiction of the Arizona
board of regents or a community college district under the jurisdiction
of the state board of directors for community colleges from assigning a
student an identification number which is identical to, or incorporates
any portion of, the student's Social Security number. The restriction
becomes effective on June 30, 2002.
The bill also prohibits universities and community college districts
from displaying a student's Social Security number or any four
consecutive digits of a student's Social Security number on the
Internet or on any publicly accessible document.  The legislation
allows a student to consent to the use of his or her Social Security
number as their ID number and stipulates that community colleges and
universities can electronically transfer data and are not prohibited
from complying with any federal reporting requirements.
More information on the privacy implications of the misuse of Social
Security numbers is available at:
[6] Anti-Abortion Webmaster Sues ISP Over Shut-Down
The operator of a controversial anti-abortion website has filed a $250
million breach of contract suit against his former service provider.
Otis O'Neal Horsley filed suit against MindSpring Enterprises Inc. in a
Georgia state court earlier this week, alleging breach of contract for
the shutting down of the "Nuremberg Files" site, which featured
pictures of aborted fetuses and the names of doctors providing abortion
Horsley alleges the Atlanta-based ISP damaged his political campaign to
stop legal abortion and his ability to solicit financial support when
it shut down the site in February.  MindSpring began a review of the
site after an Oregon jury found some of Horsley's colleagues in the
anti-abortion movement in violation of the federal access to abortion
clinic law in January.  Although Horsley was not a defendant in the
case, the Nuremberg Files site was a central element of the trial.
The Web site solicited and posted information such as where abortion
doctors lived, their work habits, vehicle descriptions and tag numbers,
places of worship and details about their families. He listed names of
abortion doctors on the site and crossed out the names of doctors who
had been killed.
[7] EPIC Bookstore - "Visions of Privacy"
A new collection of articles, edited by Colin J. Bennett and Rebecca
Grant, offers fresh and intriguing perspectives on the timeless problem
of privacy protection.  Available now at the EPIC Bookstore.
"As the world moves into the twenty-first century, cellular systems,
high-density data storage, and the Internet are just a few of the new
technologies that promise great advances in productivity and
improvements in the quality of life. Yet these new technologies also
threaten personal privacy. A surveillance society, in which the
individual has little control over personal information, may be the
logical result of deregulation, globalization, and a mass
data-processing capacity." - From the introduction.
"Visions of Privacy: Policy Choices for the Digital Age"
(University of Toronto Press 1999). List $22.95.
[8] Upcoming Conferences and Events
INET 99.  San Jose, Calif., June 22-25, 1999.  Sponsored by the
Internet Society.  Contact: http://www.isoc.org/inet99/
Privacy Laws & Business 12th Annual International Conference -- "New
Data Protection Law: Issues, Solutions, Action." June 28-30, 1999, St
John's College, Cambridge, United Kingdom.  Contact: Privacy Laws &
Business, Tel: + 44 (0) 181 423 1300, Fax: + 44 (0) 181 423 4536,
e-mail: info@privacylaws.co.uk, or  http://www.privacylaws.co.uk
National Coalition to Protect Political Freedom, 3rd Annual Meeting.
Georgetown University Law Center, Washington, DC.  July 9-10, 1999.
Contact: Kit Gage 301-587-7442, kgage@igc.org
Jurisdiction: Building Confidence in a Borderless Medium. Queen
Elizabeth Hotel, Montreal, Canada, July 26-27, 1999. Sponsored by the
Internet Law and Policy Forum.  Contact:  Marilyn Malenfant
+1.514.744.0408 or malenfant@ilpf.org.
ABA Annual Conference, Section of International Law and Practice.
"Privacy Issues in Electronic Commerce." August 9, 1999. Atlanta,
Georgia. Contact: http://www.abanet.org/annual/99/home.html
The 21st International Conference on Privacy and Personal Data
Protection.  Hong Kong, September 13-14, 1999.  A distinguished group
of over 50 speakers/panelists from overseas and Hong Kong will explore
the theme of "Privacy of Personal Data, Information Technology &
Global Business in the Next Millennium." Sponsored by the Office of
the Privacy Commissioner for Personal Data in Hong Kong.  Contact:
"A Privacy Agenda for the 21st Century." Sept 15. Hong Kong Convention
and Exhibition Centre, Hong Kong PRC. Contact: rotenberg@epic.org.
Information Security Solutions Europe 1999. Oct 4-6. Maritim proArte
Hotel, Berlin, Germany. Contact: http://www.eema.org/isse/
RSA 2000. The ninth annual RSA Data Security Conference and Expo. San
Jose McEnery Convention Center. San Jose, CA.  January 16-20, 2000.
Contact: http://www.rsa.com/rsa2000/
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. A Web-based form is available for subscribing or
unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
About EPIC
The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information.  EPIC is sponsored
by the Fund for Constitutional Government, a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights.  EPIC publishes the EPIC Alert, pursues Freedom of Information
Act litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240
(tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 6.09 -----------------------
