EPIC logo

       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 6.11                                      July 15, 1999
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] FTC Releases Incomplete Privacy Report
[2] EPIC Files Brief in Drivers' Privacy Case
[3] International Relations Committee Approves SAFE Crypto Bill
[4] Settlement Ends Litigation Over Anonymous Internet Messages
[5] House Extends Deadline for Wiretap Law Compliance
[6] New York Court Okays Warrantless Pen Register Surveillance
[7] 1999 Privacy Law Sourcebook Now Available
[8] Upcoming Conferences and Events
[1] FTC Releases Incomplete Privacy Report
This week the Federal Trade Commission released a new report on
privacy. "Self-Regulation and Privacy Online: FTC Report to Congress"
outlines an agenda to address online privacy issues that includes a
number of public workshops, task forces and an online survey, designed
to reassess progress in Web sites' implementation of fair information
The FTC report was noteworthy because the Agency recommended that
Congress not take steps at this point to regulate privacy on the
Internet.  According to the report, "the Commission believes that
legislation to address online privacy is not appropriate at this time.
We also believe that industry faces some substantial challenges.
Specifically, the present challenge is to educate those companies
which still do not understand the importance of consumer privacy and
to create incentives for further progress toward effective, widespread
The Commission put great weight on a recent study which found that
two-thirds of web sites posted a notice concerning privacy.  It didn't
seem to interest the Commission that these notices typically tell
people that personal information is collected without restriction, and
provide no limitation on use, no rights of access, no redress for
harm, nor any of the other basic elements of Fair Information
Privacy advocates and consumer organizations were uniformly
disappointed by the FTC report.  Jason Catlett, president of
Junkbusters, said "Consumers must be given the power to enforce their
privacy rights against those who would violate them."  However, groups
did express support for a concurring opinion by Commissioner Sheila
Anthony who wrote that "the time may be right for federal legislation
to establish at least baseline minimum standards."
The FTC, unlike privacy agencies around the world, also has no formal
mechanisms for reporting on the receipt and disposition of privacy
concerns submitted by consumers.  Thus, the FTC "Report to Congress"
contained no actual data about how the agency is responding to privacy
The following relevant materials are available online:
     FTC Report "Self-Regulation and Privacy Online"
     FTC Press Release on "Self-Regulation and Privacy Online"
     Opinion of Commissioner Sheila Anthony
     Statement of Privacy and Consumer Organizations
     EPIC Report "Surfer Beware: Personal Privacy and the Internet"
[2] EPIC Files Brief in Drivers' Privacy Case
The Electronic Privacy Information Center today filed an amicus
curiae, or "friend of the court," brief in the U.S. Supreme Court,
arguing that the 1994 Driver's Privacy Protection Act (DPPA) is a
constitutional exercise of Congressional authority.  The data
protected against disclosure by the DPPA includes "information that
identifies an individual, including an individual's photograph, social
security number, driver identification number, name, address (but not
the 5-digit zip code), telephone number, and medical or disability
information, but does not include information on vehicular accidents,
driving violations, and driver's status."
EPIC urged the high court to reverse Condon v. Reno, a lower court
opinion which held that the DPPA violated the Tenth Amendment.  EPIC's
brief focused on the vital privacy interests that DPPA addresses,
rather than on the federalism concerns raised by the statute.  EPIC
argued that the state interest in collecting personal information for
internal use does not justify public availability of such data.  EPIC
also noted that unregulated public access to motor vehicle records
burdens the right to travel: "Without adequate protection of personal
information maintained by state DMVs, citizens must essentially choose
between privacy and the right to travel."
After receiving opposing briefs, the Court will schedule oral argument
in the case, probably for late 1999 or early 2000.
The text of the EPIC brief, in PDF format, is available at:
[3] International Relations Committee Approves SAFE Crypto Bill
Despite attempts by the Clinton administration and its congressional
allies in both parties to gut the encryption export liberalization
features of Rep. Bob Goodlatte's (R-VA) Security and Freedom through
Encryption (SAFE) Act, the House International Relations Committee
(HIRC) voted on July 13 to approve the bill, with some minor
amendments, in a 33-to-5 vote.  During a four-hour legislative
"mark-up" session, several "killer" amendments to SAFE were introduced
by Democratic and Republican legislators seeking to maintain the
administration's ability to block or significantly delay exports of
encryption for a variety of reasons.  The committee's actions followed
a morning classified briefing by Deputy Defense John Hamr#233#, in which
he tried to persuade the committee to defeat SAFE in its present form
or approve it with the administration's amendments.  At the same time
Hamr#233# was lobbying against SAFE before the International Relations
Committee, Attorney General Janet Reno and FBI Director Louis Freeh
were testifying before the House Armed Services Committee, arguing
that SAFE would severely impact national security and public safety.
Rep. Sam Gejdenson (D-CT), the ranking Democratic member of the
International Relations Committee, derided Hamr#233#'s closed secret
session, saying "most of the information could and should have been
discussed in public."  Rep. Howard Berman (D-CA) rejected Gejdenson's
brush-off of the Department of Defense by suggesting that all members
of Congress should be briefed on the dangers of encryption export
relief by the National Security Agency (NSA).  He suggested that the
NSA could not "brutalize -- whatever -- do a mass assault" on 128-bit
encryption.  Rep. Dana Rohrabacher (R-CA) said, "my NSA briefing was
the same old 'gobbledy-gook' I heard from them when I was a member of
the Reagan administration."
Rep. Berman succeeded in amending SAFE to require a 30-day technical
review period by the Secretary of Commerce for encryption exports.
But his amendment to allow the Administration to continue to restrict
encryption exports under provisions of the Wassenaar Arrangement
failed. Reps. Gejdenson and Manzullo criticized Wassenaar as
ineffective since countries like India and Israel are not bound by it.
The SAFE Act has now been approved, largely intact, by the Judiciary
and International Relations Committees -- the two panels with primary
jurisdiction over the legislation.  The House Rules Committee will
soon decide whether to send those committees' versions of the bill to
the House floor rather than weakened versions approved by other
Additional information on encryption policy is available at:
[4] Settlement Ends Litigation Over Anonymous Internet Messages
A California lawsuit that had the potential to provide the first
judicial guidance on the rights of anonymous Internet posters has been
settled.  The case, which was filed by modem manufacturer Xircom, Inc.
against a "John Doe" defendant who had posted information critical of
the company on a Yahoo! message board, was the first known case in
which an anonymous poster sought to quash a subpoena seeking his
identity.  Xircom alleged that the anonymous poster was a current or
former employee who had violated a confidentiality agreement.  The
settlement of the lawsuit came before the court could address the
privacy and First Amendment issues raised by "John Doe."
Under the terms of the settlement agreement, the identity of the
poster was revealed by his counsel to selected senior executives of
Xircom under strict confidentiality requirements.  "John Doe"
confirmed that he is not now, nor was he at the time of his Yahoo!
postings, a Xircom employee.  He stated his belief that his postings
were expressions of his opinion, and said he did not intend that any
reader should understand his posts to be anything more than his
The Xircom settlement comes in the midst of a flurry of "John Doe"
litigation around the country.  A closely-watched case involving
online anonymity ended abruptly in May after the plaintiff corporation
learned the identities of 21 "John Doe" defendants.  Raytheon Co.
dismissed its lawsuit against a group of people it claimed were
spreading company secrets on an Internet message board after the
defense contractor succeeded in obtaining the individuals' names.
The dismissal suggested that it may have been the Raytheon's sole
objective to identify the anonymous individuals, without any intention
of litigating the merits of its claims (see EPIC Alert 6.08).
[5] House Extends Deadline for Wiretap Law Compliance
The House of Representatives approved legislation on July 13 that will
make it easier for telecommunications companies to comply with the
Communications Assistance to Law Enforcement Act (CALEA).  The
controversial 1994 "digital telephony" law requires the companies to
design their systems to more easily facilitate electronic sur-
veillance.  The new legislation (H.R. 916) would allow companies to
recoup more of the expenses that they incur to make their networks
compliant with law enforcement requirements.  CALEA authorizes $500
million in federal funds to reimburse telecommunications firms make
the required changes.
The bill approved by the House would change the compliance date for
companies to be in compliance with the CALEA requirements to June 30,
2000.  It would also set June 30, 2000, as the date after which the
companies cannot submit expenses to the government for required
infrastructure changes.  The original cut-off date was Jan. 1, 1995.
Senate Judiciary Committee Chairman Orrin Hatch (R-UT) has introduced
similar language in the Senate.
The Federal Bureau of Investigation, the telecommunications industry
and privacy advocates (including EPIC) are involved in a pending
proceeding before the Federal Communications Commission which will
finalize the technical requirements for CALEA compliance.  The FCC is
likely to announce its decision soon.
Additional information on CALEA is available at:
[6] New York Court Okays Warrantless Pen Register Surveillance
A unanimous opinion issued by the New York Court of Appeals on July 6
marks a significant shift in the wiretapping jurisprudence of New
York's highest court.  Following the decision in People v. Martello,
police may install pen registers -- devices that monitor numbers
dialed from a telephone line -- without obtaining a warrant based on
probable cause.  A "reasonable suspicion" is now sufficient for pen
register surveillance to be initiated.
Most pen registers include a regular wiretapping feature to supplement
the number recording feature.  It was the potential for abuse of these
"dual-feature" pen registers that prompted the New York court's 1993
decision in People v. Bialostok, requiring police to obtain
wiretapping warrants for their use.  The Bialostok decision noted that
"it is the warrant requirement, interposing the magistrate's
oversight, that provides to citizens appropriate protection against
unlawful intrusion."
In its latest ruling, the Court of Appeals drastically limited
Bialostok, holding that it did not apply to investigations conducted
under Article 705 of the state Criminal Procedure Law, a 1988
amendment that allows police to obtain a court order authorizing pen
register surveillance upon a showing of reasonable suspicion.  The
Court also held that Bialostok does not apply retroactively to
investigations completed prior to 1993.  Consequently, the Court
refused to suppress pen register evidence against Martello gathered by
police from 1990 to 1992.
Additional information on electronic surveillance is available at:
[7] 1999 Privacy Law Sourcebook Now Available
The Privacy Law Sourcebook 1999: United States Law, International
Law, and Recent Developments. Marc Rotenberg, Editor (EPIC 1999).
The Privacy Law Sourcebook is the first one-volume resource for
students, attorneys, researchers and journalists who need a
comprehensive collection of both U.S. and International privacy law,
as well as a fully up-to-date section on recent developments.
Includes the full texts of most major privacy laws and directives
including the FCRA, the Privacy Act, FOIA, Family Educational Rights
Act, Right to Financial Privacy Act, Privacy Protection Act, Cable
Communications Policy Act, ECPA, Video Privacy Protection Act, OECD
Privacy Guidelines, OECD Cryptography Guidelines, European Union
Directives for both Data Protection and Telecommunications, and more.
The Privacy Law Sourcebook is updated and expanded for 1999 to include
the Children's Online Privacy Protection Act, materials on the "Safe
Harbor" proposal, and new legislation introduced to comply with the EU
Data Directive.  Also included is an extensive new section on privacy
resources with useful web sites and contact information for privacy
agencies, organizations, and publications. 572 pages, paper, $50.00,
ISBN 1-893044-04-1.
"The 'Physicians Desk Reference' of the privacy world."
          - Evan Hendricks, Privacy Times
"This is a handy compilation of privacy law instruments and a 'must'
for anyone seeking guidance about the location and content of the key
statutes, treaties, and recent developments."
          - American Society of International Law
"I recommend the book to anyone who has to deal with privacy issues
and needs a handy and complete resource.  It is just wonderful to
have everything together in one place."
          - Bob Gellman, Information and Privacy Consultant
The Privacy Law Sourcebook is available from Amazon.com at:
Check for other titles at the EPIC Bookstore:
[8] Upcoming Conferences and Events
Jurisdiction: Building Confidence in a Borderless Medium. Queen
Elizabeth Hotel, Montreal, Canada, July 26-27, 1999. Sponsored by the
Internet Law and Policy Forum.  Contact:  Marilyn Malenfant
+1.514.744.0408 or malenfant@ilpf.org.
ABA Annual Conference, Section of International Law and Practice.
"Privacy Issues in Electronic Commerce." August 9, 1999. Atlanta,
Georgia. Contact http://www.abanet.org/annual/99/home.html
The 21st International Conference on Privacy and Personal Data
Protection.  Hong Kong, September 13-14, 1999.  A distinguished group
of over 50 speakers/panelists from overseas and Hong Kong will explore
the theme of  "Privacy of Personal Data, Information Technology &
Global Business in the Next Millennium."" Sponsored by the Office of
the Privacy Commissioner for Personal Data in Hong Kong.  Contact:
"A Privacy Agenda for the 21st Century." September 15, 1999. Hong Kong
Convention and Exhibition Centre, Hong Kong PRC. Contact:
"Certified Wide Area Road Use Monitoring." September 21-23, 1999.
Albuquerque, New Mexico.  Sponsored by the New Mexico State Highway
and Transportation Department Research Bureau in cooperation with the
University of New Mexico Alliance for Transportation Research
Institute An intensive 2 1/2 day educational and developmental
symposium on a single rapidly evolving concept in Intelligent
Transportation Systems (ITS).  For more information:
Information Security Solutions Europe 1999. October 4-6, 1999. Maritim
proArte Hotel, Berlin, Germany. contact http://www.eema.org/isse/
RSA 2000. The ninth annual RSA Data Security Conference and Expo. San
Jose McEnery Convention Center. San Jose, CA.  January 16-20, 2000,
Contact: http://www.rsa.com/rsa2000/
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. A Web-based form is available for subscribing or
unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
About EPIC
The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information.  EPIC is sponsored
by the Fund for Constitutional Government, a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights.  EPIC publishes the EPIC Alert, pursues Freedom of Information
Act litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240
(tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 6.11 -----------------------

Return to:

Alert Home Page | EPIC Home Page