============================================================== @@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @@@@@ @ @@@ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @ ============================================================== Volume 6.11 July 15, 1999 -------------------------------------------------------------- Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. http://www.epic.org ======================================================================= Table of Contents =======================================================================  FTC Releases Incomplete Privacy Report  EPIC Files Brief in Drivers' Privacy Case  International Relations Committee Approves SAFE Crypto Bill  Settlement Ends Litigation Over Anonymous Internet Messages  House Extends Deadline for Wiretap Law Compliance  New York Court Okays Warrantless Pen Register Surveillance  1999 Privacy Law Sourcebook Now Available  Upcoming Conferences and Events =======================================================================  FTC Releases Incomplete Privacy Report ======================================================================= This week the Federal Trade Commission released a new report on privacy. "Self-Regulation and Privacy Online: FTC Report to Congress" outlines an agenda to address online privacy issues that includes a number of public workshops, task forces and an online survey, designed to reassess progress in Web sites' implementation of fair information practices. The FTC report was noteworthy because the Agency recommended that Congress not take steps at this point to regulate privacy on the Internet. According to the report, "the Commission believes that legislation to address online privacy is not appropriate at this time. We also believe that industry faces some substantial challenges. Specifically, the present challenge is to educate those companies which still do not understand the importance of consumer privacy and to create incentives for further progress toward effective, widespread implementation." The Commission put great weight on a recent study which found that two-thirds of web sites posted a notice concerning privacy. It didn't seem to interest the Commission that these notices typically tell people that personal information is collected without restriction, and provide no limitation on use, no rights of access, no redress for harm, nor any of the other basic elements of Fair Information Practices. Privacy advocates and consumer organizations were uniformly disappointed by the FTC report. Jason Catlett, president of Junkbusters, said "Consumers must be given the power to enforce their privacy rights against those who would violate them." However, groups did express support for a concurring opinion by Commissioner Sheila Anthony who wrote that "the time may be right for federal legislation to establish at least baseline minimum standards." The FTC, unlike privacy agencies around the world, also has no formal mechanisms for reporting on the receipt and disposition of privacy concerns submitted by consumers. Thus, the FTC "Report to Congress" contained no actual data about how the agency is responding to privacy concerns. The following relevant materials are available online: FTC Report "Self-Regulation and Privacy Online" http://www.ftc.gov/os/1999/9907/index.htm#13 FTC Press Release on "Self-Regulation and Privacy Online" http://www.ftc.gov/opa/1999/9907/report1999.htm Opinion of Commissioner Sheila Anthony http://www.ftc.gov/os/1999/9907/pt071399anthony.htm Statement of Privacy and Consumer Organizations http://www.junkbusters.com/ht/en/nr23.htm EPIC Report "Surfer Beware: Personal Privacy and the Internet" http://www.epic.org/reports/surfer-beware.html =======================================================================  EPIC Files Brief in Drivers' Privacy Case ======================================================================= The Electronic Privacy Information Center today filed an amicus curiae, or "friend of the court," brief in the U.S. Supreme Court, arguing that the 1994 Driver's Privacy Protection Act (DPPA) is a constitutional exercise of Congressional authority. The data protected against disclosure by the DPPA includes "information that identifies an individual, including an individual's photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information, but does not include information on vehicular accidents, driving violations, and driver's status." EPIC urged the high court to reverse Condon v. Reno, a lower court opinion which held that the DPPA violated the Tenth Amendment. EPIC's brief focused on the vital privacy interests that DPPA addresses, rather than on the federalism concerns raised by the statute. EPIC argued that the state interest in collecting personal information for internal use does not justify public availability of such data. EPIC also noted that unregulated public access to motor vehicle records burdens the right to travel: "Without adequate protection of personal information maintained by state DMVs, citizens must essentially choose between privacy and the right to travel." After receiving opposing briefs, the Court will schedule oral argument in the case, probably for late 1999 or early 2000. The text of the EPIC brief, in PDF format, is available at: http://www.epic.org/privacy/drivers/epic_dppa_brief.pdf =======================================================================  International Relations Committee Approves SAFE Crypto Bill ======================================================================= Despite attempts by the Clinton administration and its congressional allies in both parties to gut the encryption export liberalization features of Rep. Bob Goodlatte's (R-VA) Security and Freedom through Encryption (SAFE) Act, the House International Relations Committee (HIRC) voted on July 13 to approve the bill, with some minor amendments, in a 33-to-5 vote. During a four-hour legislative "mark-up" session, several "killer" amendments to SAFE were introduced by Democratic and Republican legislators seeking to maintain the administration's ability to block or significantly delay exports of encryption for a variety of reasons. The committee's actions followed a morning classified briefing by Deputy Defense John Hamr#233#, in which he tried to persuade the committee to defeat SAFE in its present form or approve it with the administration's amendments. At the same time Hamr#233# was lobbying against SAFE before the International Relations Committee, Attorney General Janet Reno and FBI Director Louis Freeh were testifying before the House Armed Services Committee, arguing that SAFE would severely impact national security and public safety. Rep. Sam Gejdenson (D-CT), the ranking Democratic member of the International Relations Committee, derided Hamr#233#'s closed secret session, saying "most of the information could and should have been discussed in public." Rep. Howard Berman (D-CA) rejected Gejdenson's brush-off of the Department of Defense by suggesting that all members of Congress should be briefed on the dangers of encryption export relief by the National Security Agency (NSA). He suggested that the NSA could not "brutalize -- whatever -- do a mass assault" on 128-bit encryption. Rep. Dana Rohrabacher (R-CA) said, "my NSA briefing was the same old 'gobbledy-gook' I heard from them when I was a member of the Reagan administration." Rep. Berman succeeded in amending SAFE to require a 30-day technical review period by the Secretary of Commerce for encryption exports. But his amendment to allow the Administration to continue to restrict encryption exports under provisions of the Wassenaar Arrangement failed. Reps. Gejdenson and Manzullo criticized Wassenaar as ineffective since countries like India and Israel are not bound by it. The SAFE Act has now been approved, largely intact, by the Judiciary and International Relations Committees -- the two panels with primary jurisdiction over the legislation. The House Rules Committee will soon decide whether to send those committees' versions of the bill to the House floor rather than weakened versions approved by other committees. Additional information on encryption policy is available at: http://www.epic.org/crypto/ =======================================================================  Settlement Ends Litigation Over Anonymous Internet Messages ======================================================================= A California lawsuit that had the potential to provide the first judicial guidance on the rights of anonymous Internet posters has been settled. The case, which was filed by modem manufacturer Xircom, Inc. against a "John Doe" defendant who had posted information critical of the company on a Yahoo! message board, was the first known case in which an anonymous poster sought to quash a subpoena seeking his identity. Xircom alleged that the anonymous poster was a current or former employee who had violated a confidentiality agreement. The settlement of the lawsuit came before the court could address the privacy and First Amendment issues raised by "John Doe." Under the terms of the settlement agreement, the identity of the poster was revealed by his counsel to selected senior executives of Xircom under strict confidentiality requirements. "John Doe" confirmed that he is not now, nor was he at the time of his Yahoo! postings, a Xircom employee. He stated his belief that his postings were expressions of his opinion, and said he did not intend that any reader should understand his posts to be anything more than his opinion. The Xircom settlement comes in the midst of a flurry of "John Doe" litigation around the country. A closely-watched case involving online anonymity ended abruptly in May after the plaintiff corporation learned the identities of 21 "John Doe" defendants. Raytheon Co. dismissed its lawsuit against a group of people it claimed were spreading company secrets on an Internet message board after the defense contractor succeeded in obtaining the individuals' names. The dismissal suggested that it may have been the Raytheon's sole objective to identify the anonymous individuals, without any intention of litigating the merits of its claims (see EPIC Alert 6.08). =======================================================================  House Extends Deadline for Wiretap Law Compliance ======================================================================= The House of Representatives approved legislation on July 13 that will make it easier for telecommunications companies to comply with the Communications Assistance to Law Enforcement Act (CALEA). The controversial 1994 "digital telephony" law requires the companies to design their systems to more easily facilitate electronic sur- veillance. The new legislation (H.R. 916) would allow companies to recoup more of the expenses that they incur to make their networks compliant with law enforcement requirements. CALEA authorizes $500 million in federal funds to reimburse telecommunications firms make the required changes. The bill approved by the House would change the compliance date for companies to be in compliance with the CALEA requirements to June 30, 2000. It would also set June 30, 2000, as the date after which the companies cannot submit expenses to the government for required infrastructure changes. The original cut-off date was Jan. 1, 1995. Senate Judiciary Committee Chairman Orrin Hatch (R-UT) has introduced similar language in the Senate. The Federal Bureau of Investigation, the telecommunications industry and privacy advocates (including EPIC) are involved in a pending proceeding before the Federal Communications Commission which will finalize the technical requirements for CALEA compliance. The FCC is likely to announce its decision soon. Additional information on CALEA is available at: http://www.epic.org/privacy/wiretap/#DT =======================================================================  New York Court Okays Warrantless Pen Register Surveillance ======================================================================= A unanimous opinion issued by the New York Court of Appeals on July 6 marks a significant shift in the wiretapping jurisprudence of New York's highest court. Following the decision in People v. Martello, police may install pen registers -- devices that monitor numbers dialed from a telephone line -- without obtaining a warrant based on probable cause. A "reasonable suspicion" is now sufficient for pen register surveillance to be initiated. Most pen registers include a regular wiretapping feature to supplement the number recording feature. It was the potential for abuse of these "dual-feature" pen registers that prompted the New York court's 1993 decision in People v. Bialostok, requiring police to obtain wiretapping warrants for their use. The Bialostok decision noted that "it is the warrant requirement, interposing the magistrate's oversight, that provides to citizens appropriate protection against unlawful intrusion." In its latest ruling, the Court of Appeals drastically limited Bialostok, holding that it did not apply to investigations conducted under Article 705 of the state Criminal Procedure Law, a 1988 amendment that allows police to obtain a court order authorizing pen register surveillance upon a showing of reasonable suspicion. The Court also held that Bialostok does not apply retroactively to investigations completed prior to 1993. Consequently, the Court refused to suppress pen register evidence against Martello gathered by police from 1990 to 1992. Additional information on electronic surveillance is available at: http://www.epic.org/privacy/wiretap/ =======================================================================  1999 Privacy Law Sourcebook Now Available ======================================================================= The Privacy Law Sourcebook 1999: United States Law, International Law, and Recent Developments. Marc Rotenberg, Editor (EPIC 1999). The Privacy Law Sourcebook is the first one-volume resource for students, attorneys, researchers and journalists who need a comprehensive collection of both U.S. and International privacy law, as well as a fully up-to-date section on recent developments. Includes the full texts of most major privacy laws and directives including the FCRA, the Privacy Act, FOIA, Family Educational Rights Act, Right to Financial Privacy Act, Privacy Protection Act, Cable Communications Policy Act, ECPA, Video Privacy Protection Act, OECD Privacy Guidelines, OECD Cryptography Guidelines, European Union Directives for both Data Protection and Telecommunications, and more. The Privacy Law Sourcebook is updated and expanded for 1999 to include the Children's Online Privacy Protection Act, materials on the "Safe Harbor" proposal, and new legislation introduced to comply with the EU Data Directive. Also included is an extensive new section on privacy resources with useful web sites and contact information for privacy agencies, organizations, and publications. 572 pages, paper, $50.00, ISBN 1-893044-04-1. "The 'Physicians Desk Reference' of the privacy world." - Evan Hendricks, Privacy Times "This is a handy compilation of privacy law instruments and a 'must' for anyone seeking guidance about the location and content of the key statutes, treaties, and recent developments." - American Society of International Law "I recommend the book to anyone who has to deal with privacy issues and needs a handy and complete resource. It is just wonderful to have everything together in one place." - Bob Gellman, Information and Privacy Consultant The Privacy Law Sourcebook is available from Amazon.com at: http://www.amazon.com/exec/obidos/ISBN=1893044041/electronicprivacA Check for other titles at the EPIC Bookstore: http://www.epic.org/bookstore/ =======================================================================  Upcoming Conferences and Events ======================================================================= Jurisdiction: Building Confidence in a Borderless Medium. Queen Elizabeth Hotel, Montreal, Canada, July 26-27, 1999. Sponsored by the Internet Law and Policy Forum. Contact: Marilyn Malenfant +1.514.744.0408 or email@example.com. ABA Annual Conference, Section of International Law and Practice. "Privacy Issues in Electronic Commerce." August 9, 1999. Atlanta, Georgia. Contact http://www.abanet.org/annual/99/home.html The 21st International Conference on Privacy and Personal Data Protection. Hong Kong, September 13-14, 1999. A distinguished group of over 50 speakers/panelists from overseas and Hong Kong will explore the theme of "Privacy of Personal Data, Information Technology & Global Business in the Next Millennium."" Sponsored by the Office of the Privacy Commissioner for Personal Data in Hong Kong. Contact: firstname.lastname@example.org "A Privacy Agenda for the 21st Century." September 15, 1999. Hong Kong Convention and Exhibition Centre, Hong Kong PRC. Contact: email@example.com. "Certified Wide Area Road Use Monitoring." September 21-23, 1999. Albuquerque, New Mexico. Sponsored by the New Mexico State Highway and Transportation Department Research Bureau in cooperation with the University of New Mexico Alliance for Transportation Research Institute An intensive 2 1/2 day educational and developmental symposium on a single rapidly evolving concept in Intelligent Transportation Systems (ITS). For more information: http://www.unm.edu/~nmtrans/CWARUM-1.html Information Security Solutions Europe 1999. October 4-6, 1999. Maritim proArte Hotel, Berlin, Germany. contact http://www.eema.org/isse/ RSA 2000. The ninth annual RSA Data Security Conference and Expo. San Jose McEnery Convention Center. San Jose, CA. January 16-20, 2000, Contact: http://www.rsa.com/rsa2000/ ======================================================================= Subscription Information ======================================================================= The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at: http://www.epic.org/alert/subscribe.html To subscribe or unsubscribe using email, send email to firstname.lastname@example.org with the subject: "subscribe" (no quotes) or "unsubscribe". Back issues are available at: http://www.epic.org/alert/ ======================================================================= About EPIC ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail email@example.com, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ---------------------- END EPIC Alert 6.11 ----------------------- .
Alert Home Page | EPIC Home Page