============================================================== @@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @@@@@ @ @@@ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @ ============================================================== Volume 6.10 June 30, 1999 -------------------------------------------------------------- Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. http://www.epic.org ======================================================================= Table of Contents =======================================================================  Senate Committee Approves Mandatory Filtering Bill  Congress Acts on Encryption Legislation  Government Seeks Review of Bernstein Crypto Decision  House to Consider Financial Data Protection  Proposed DoubleClick/Abacus Merger Raises Privacy Concerns  California Supreme Court Upholds Workplace Privacy  Report Notes Benefits of Internet Anonymity  Upcoming Conferences and Events =======================================================================  Senate Committee Approves Mandatory Filtering Bill ======================================================================= Congress' move toward mandatory Internet filtering for schools and libraries gained momentum on June 23, when the Senate Commerce Committee approved the Children's Internet Protection Act (S.97). The legislation would mandate that public schools and libraries receiving "E-Rate" universal service funds purchase and use Internet filtering software to regulate access by minors. The House of Representatives added a similar provision to the juvenile justice bill on June 17. The Committee action came over the objections of leading education, library and civil liberties groups, which argued that the legislation would impose a costly unfunded requirement and ignores a variety of alternative approaches being taken in localities around the country. Commerce Committee Chairman John McCain (R-AZ) rejected the criticism, stating that filtering software is inexpensive and necessary to protect children. "No issue is more important to America than protecting our children," he said. Under the language approved by the Senate committee approach, the thousands of schools that participate in the federal Internet subsidy program would be required to install software preventing access to obscene material and child pornography. Libraries in the E-Rate program with more than one computer would face a similar requirement; those with only one computer would have to ensure that children could not access such material. Prior to the vote, the Internet Free Expression Alliance (IFEA) sent a joint letter to the Commerce Committee urging rejection of mandatory filtering. The coalition members told the committee, "We believe that the majority of Americans share our conviction that parents and teachers -- not the federal government -- should provide children with guidance about accessing information on the Internet." They urged the Senators to consider alternative approaches, including training classes to help children bring critical skills to the Internet; adult supervision of Internet use by minors; highlighting recommended sites to assist parents in navigating the Internet; and establishment of limited time periods for supervised use of the Internet by young children. The groups noted that, "Clumsy and ineffective blocking programs are nothing more than a 'quick fix' solution to parental concerns, often providing a false sense of security that children will not be exposed to material which parents may find inappropriate." The text of the coalition letter is available at the website of the Internet Free Expression Alliance: http://www.ifea.net/s97_letter.html =======================================================================  Congress Acts on Encryption Legislation ======================================================================= On June 23, the House Commerce Committee approved the Security and Freedom Through Encryption (SAFE) bill (H.R. 850), which would relax export controls on encryption, with several amendments. One of the amendments would make it a crime to fail to decrypt encrypted information when ordered to do so, raising serious privacy and constitutional concerns. The new provision would impose criminal penalties (including up to ten years in prison) on anyone who is required by an order of any court to provide to the court or any other party any information in such person's possession which has been encrypted and who, having possession of the key or such other capability to decrypt such information into the readable or comprehensible format of such information prior to its encryption, fails to provide such information in accordance with the order in such readable or comprehensible form. House consideration of the SAFE bill will continue for at least another month; the International Relations Committee has until July 16 to act on the legislation and Intelligence and Armed Services have until July 23. The House Armed Services Committee has scheduled a hearing on the bill for June 30. Also on June 23, the Senate Commerce Committee approved the PROTECT encryption bill (S. 798). The legislation would allow U.S. companies immediately to export medium-strength encryption products (64-bit) and much more powerful products (up to 128-bit) beginning in 2002. Current U.S. policy generally limits exports to 56-bit encryption with some exceptions such as for subsidiaries of U.S. firms and foreign companies in banking, insurance, health-care and electronic commerce. The bill would also establish a committee of government and private sector officials that could vote to allow export of stronger products if similar products are available outside the United States. The committee's decisions could be overturned by the President. Unlike the SAFE bill in the House, the PROTECT Act does not include criminal penalties for the use of encryption in furtherance of a crime. Additional information on encryption policy is available at the Internet Privacy Coalition website: http://www.privacy.org/ipc/ =======================================================================  Government Seeks Review of Bernstein Crypto Decision ======================================================================= While Congress continues to debate encryption policy, the federal courts are also grappling with the issue. On June 21, the Department of Justice filed a petition for rehearing in the Bernstein case, seeking to overturn the Ninth Circuit Court of Appeal's recent opinion holding that encryption source code is scientific expression protected by the First Amendment. The federal appeals court in San Francisco ruled on May 6 that federal regulations that prohibit the dissemination of encryption source code violate the First Amendment. The court found that the regulations are an unconstitutional prior restraint on speech because they "grant boundless discretion to government officials" and have "effectively chilled [cryptographers] from engaging in valuable scientific expression." The case was initiated by researcher Daniel Bernstein, who sought government permission to export source code he had written. EPIC was both co-counsel and coordinator of a "friend-of-the-court" (amicus) brief in the case, arguing against the government controls on privacy-enhancing technology. Civil liberties and privacy organizations have consistently opposed restrictions on the dissemination of encryption technology, and welcomed the Bernstein decision as a major breakthrough. The opinion was notably for its recognition of the threats to privacy that citizens face today and the role of encryption in protecting information. In seeking the Ninth Circuit's reconsideration of the case, the Justice Department argues that the May 6 decision rests on fundamental errors regarding First Amendment and severability law. As a result of those errors, the panel has placed the entire encryption export regime in jeopardy. The potential consequences of repudiating the President's decisions regarding encryption export controls are grave and far-reaching. Before the views of the panel majority become the law of this Circuit, and unrestricted export of encryption products receives this Court's imprimatur, further review is imperative. Information on encryption export controls, including the text of the Bernstein decision and the EPIC amicus brief, is available at the EPIC Cryptography Archive: http://www.epic.org/crypto/ =======================================================================  House to Consider Financial Data Protection ======================================================================= The House of Representatives is expected this week to take up a bill, H.R. 10, that will make it easier for banks to merge with other financial firms such as health insurance companies and stock brokerages. These bigger banks are already sharing confidential customer information with their subsidiaries, and with unrelated third parties. When the House Commerce Committee considered the bill, Rep. Ed Markey (D-MA) won what major newspapers called a "stunning" victory when the committee approved an amendment that would require banks to give customers a chance to opt-out before they share or sell confidential customer records. Unfortunately, some of the biggest banks and financial firms in the country, including Citibank and Bank One (First USA credit cards) are waging a fierce campaign to defeat the Markey financial privacy amendment and substitute an unacceptable disclosure alternative. This spring, citizens convinced the bank regulatory agencies to withdraw plans requiring banks to compile detailed "Know Your Customer" profiles. Consumer and privacy groups are now encouraging similar citizen action to enact the Markey privacy amendment. The Markey amendment is supported by the nation's leading consumer groups, including Consumers Union, Consumer Federation of America and the U.S. Public Interest Research Group (PIRG). Additional information on the Markey financial privacy amendment is available at: http://www.pirg.org/consumer/banks/action/privacy.htm =======================================================================  Proposed DoubleClick/Abacus Merger Raises Privacy Concerns ======================================================================= Privacy groups have raised concerns over the potential violation of international privacy protection laws involved in the proposed merger Internet advertiser DoubleClick and market research firm Abacus Direct. When the two firms merge, the DoubleClick database containing data on Internet usage habits will be cross-referenced with the Abacus Direct database containing real names and addresses, as well as detailed information on customer buying habits. The proposed deal has been trumpeted as the key to targeting niche markets more effectively, but the synthesizing of information could create a super-database of personal information without consumers' previous consent. EPIC, along with other privacy advocates, issued an open letter to Abacus Direct shareholders on June 29, asking them to derail the one billion dollar merger. The groups urged shareholders to consider whether the companies understood the privacy implications of the proposed merger, or whether they had considered international laws that could restrict their data trades. Specifically, the letter cites the European Union privacy directive, which bars data transfers from EU countries to third parties it believes don't adequately protect personal data or fail to obtain proper consent before sharing it. The letter also raised the possibility of legal action in Europe. The location of Abacus' subsidiary in Teddington, England leaves an opening for the challenging the merger under the EU data directive, arguing that the U.K. arm of the company shouldn't be able to exchange data with companies in the DoubleClick network -- as well as Abacus's US locations -- that don't comply with the EU directive. Consumer advocates are also drafting a petition to the Federal Trade Commission questioning the merger. More information on the DoubleClick/Abacus merger, including the text of the privacy groups' open letter, is available at: http://www.junkbusters.com/doubleclick.html =======================================================================  California Supreme Court Upholds Workplace Privacy ======================================================================= On June 24, California's highest court handed down a unanimous decision describing the privacy rights enjoyed by employees in the workplace: In an office or other workplace to which the general public does not have unfettered access, employees may enjoy a limited, but legitimate, expectation that their conversations and other interactions will not be secretly videotaped by undercover television reporters, even though those conversations may not have been completely private from the participants' coworkers. The case, Sanders v. American Broadcasting Companies, arose after the broadcast of an investigative report on ABC's PrimeTime Live that included behind the scenes footage of the telephone psychic industry. The footage had been obtained by an undercover reporter working as a telephone psychic. A camera concealed in the reporter's hat provided video images, while a hidden microphone captured sound data. One of the psychics whose image and voice appeared briefly during the segment, sued for invasion of privacy and violation of a state anti-surveillance statute. After winning over $600,000 at trial, the plaintiff's judgment was overturned on appeal. The appellate court reasoned that the employee could not have a reasonable expectation of privacy regarding a conversation carried on in an open workspace, within earshot of other employees. The California Supreme Court reversed this decision, adopting instead a more flexible standard. "Privacy," the Court noted, "is not a binary, all-or-nothing characteristic." The Court discussed several factors to be considered when evaluating the reasonableness of privacy claims: "the identity of the claimed intruder and the means of intrusion," as well as "who might have been able to observe the subject interaction." Applying this reasoning, the Court found that Sanders could have a reasonable expectation that his conversations with co-workers would not be secretly recorded by undercover reporters. The case was remanded to the appellate court, which must still decide several procedural and evidentiary questions, including the appropriateness of the jury award. =======================================================================  Report Notes Benefits of Internet Anonymity ======================================================================= The American Association for the Advancement of Science has released a report titled "Anonymous Communication Policies for the Internet." The report grows out of a conference on anonymity sponsored by AAAS in November 1997. The paper acknowledges that anonymous communication can be misused, but concludes that the benefits from its positive uses far outweigh the risks. The conference participants conducted a benefit/burden analysis of online anonymity in attempting to formulate a policy on the issue. In the end, they devised four principles: 1) that anonymous communication online is morally neutral; 2) that anonymous communication should be regarded as a strong human right (and a constitutional right in the United States); 3) that online communities should be allowed to set their own policies regarding the use of anonymous communication; and 4) that individuals should be informed about the extent to which their identities are disclosed offline. Finally, it was suggested that abuses of online anonymity should not be tolerated and that those posting defamatory messages must be responsible for any harm associated with them. The conference members also took a stance against key-escrow encryption and liability for operators of anonymous remailers. They also stressed the importance of education and public awareness and the possible development of codes of conduct. The full text of the AAAS report is available at: http://www.slis.indiana.edu/TIS/abstracts/ab15-2/teich.html =======================================================================  Upcoming Conferences and Events ======================================================================= National Coalition to Protect Political Freedom, 3rd Annual Meeting. Georgetown University Law Center, Washington, DC. July 9-10, 1999. Contact: Kit Gage 301-587-7442, email@example.com Jurisdiction: Building Confidence in a Borderless Medium. Queen Elizabeth Hotel, Montreal, Canada, July 26-27, 1999. Sponsored by the Internet Law and Policy Forum. Contact: Marilyn Malenfant +1.514.744.0408 or firstname.lastname@example.org. ABA Annual Conference, Section of International Law and Practice. "Privacy Issues in Electronic Commerce." August 9, 1999. Atlanta, Georgia. Contact http://www.abanet.org/annual/99/home.html The 21st International Conference on Privacy and Personal Data Protection. Hong Kong, September 13-14, 1999. A distinguished group of over 50 speakers/panelists from overseas and Hong Kong will explore the theme of "Privacy of Personal Data, Information Technology & Global Business in the Next Millennium."" Sponsored by the Office of the Privacy Commissioner for Personal Data in Hong Kong. Contact: email@example.com "A Privacy Agenda for the 21st Century." September 15, 1999. Hong Kong Convention and Exhibition Centre, Hong Kong PRC. Contact: firstname.lastname@example.org. "Certified Wide Area Road Use Monitoring." September 21-23, 1999. Albuquerque, New Mexico. Sponsored by the New Mexico State Highway and Transportation Department Research Bureau in cooperation with the University of New Mexico Alliance for Transportation Research Institute An intensive 2 1/2 day educational and developmental symposium on a single rapidly evolving concept in Intelligent Transportation Systems (ITS). For more information: http://www.unm.edu/~nmtrans/CWARUM-1.html Information Security Solutions Europe 1999. October 4-6, 1999. Maritim proArte Hotel, Berlin, Germany. contact http://www.eema.org/isse/ RSA 2000. The ninth annual RSA Data Security Conference and Expo. San Jose McEnery Convention Center. San Jose, CA. January 16-20, 2000, Contact: http://www.rsa.com/rsa2000/ ======================================================================= Subscription Information ======================================================================= The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at: http://www.epic.org/alert/subscribe.html To subscribe or unsubscribe using email, send email to email@example.com with the subject: "subscribe" (no quotes) or "unsubscribe". Back issues are available at: http://www.epic.org/alert/ ======================================================================= About EPIC ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail firstname.lastname@example.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ---------------------- END EPIC Alert 6.10 ----------------------- .
Alert Home Page | EPIC Home Page