EPIC logo
       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 6.19                                  November 11, 1999
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] Drivers' Privacy Protection Case Heard by Supreme Court
[2] Privacy Advocates Call on FTC to Halt Online Profiling
[3] Appellate Judges Slam Internet Censorship Law
[4] Intelligence Funding Bill Requires Report on ECHELON
[5] IETF Rejects Proposal on Internet Wiretaps
[6] TRUSTe Fails to Launch Investigation into RealNetworks
[7] EPIC Bookstore -- Genetic Secrets
[8] Upcoming Conferences and Events
[1] Drivers' Privacy Protection Case Heard by Supreme Court
On November 10, the Supreme Court heard oral arguments in Reno v.
Condon.  The case involves the constitutionality of the 1994 Driver's
Privacy Protection Act (DPPA), which prohibited the dissemination of
information contained in state driving records.
In the lower courts, the state of South Carolina had argued that the
DPPA unconstitutionally infringed on state powers, in particular the
Tenth Amendment right of states to regulate commerce within their own
borders.  The Government had argued that the DPPA was a valid exercise
of the 14th Amendment, which has been interpreted as providing some
privacy protections.
In oral argument before the Supreme Court, both sides focused on the
constitutionality of federal efforts to regulate the procedures of a
state agency.  Seth Waxman, Solicitor General of the United States,
argued that Congress can legislate on drivers' records since the
federal government has the authority to regulate interstate commerce as
implicated in the selling of drivers' records to private entities.
Charles Condon, Attorney General of South Carolina, repeatedly asserted
that the law places an undue burden on state agencies and employees.
A recent bill, the Department of Transportation and Related Agencies
Appropriations Act for Fiscal Year 2000, will likely protect the
privacy of state driving records regardless of the Court decides Reno
v. Condon.  The new legislation denies transportation funding to states
that do not obtain explicit opt-in consent before selling or
distributing information contained in driving records.
EPIC submitted a friend-of-the-court brief in the Condon case, arguing
in support of the DPPA.  The brief is available at:
For more information about Reno v. Condon, see:
[2] Privacy Advocates Call on FTC to Halt Online Profiling
At a workshop on "online profiling," panelists from EPIC, Junkbusters,
the Center for Media Education, Privacy Times, and Privacy Journal
called for the Federal Trade Commission (FTC) to immediately halt the
practice of online profiling, launch an investigation into the privacy
and consumer implications of the practice, and provide recommendations
for proper privacy legislation.  The workshop, held jointly by the FTC
and the National Telecommunications and Information Administration
(NTIA) of the Department of Commerce, took place on November 8.
Online profiling is the collection of detailed online behavior from
uniquely identified Internet users.  Online behavior generally refers
to records about pages that were viewed and products or services
purchased.  Many online advertisers use online profiling in order to
target advertisements according this past behavior.
The privacy concerns arise because this information is not collected
with the knowledge or consent of the consumer and is often connected to
personally identifiable information like a name or address.  Online
behavior can potentially reveal information not only about interests or
hobbies, but also medical conditions, sexual preferences, and political
or religious beliefs.  The collection of such information also gives
many businesses an unfair advantage in encouraging customers to buy
At the workshop, a consortium of online advertisers known as the
Network Advertising Initiative (NAI) presented a self-regulatory
proposal to stave off regulation of data collected over the Internet.
The proposal includes notice of what information is collected and how
it is used and an opt-out so that consumers can request to not have
their information collected from them.  EPIC finds the proposal
insufficient due to the lack of enforcement by other similar
self-regulating agencies like TRUSTe (see item 6, below) and the undue
burden that opt-out places on individuals to stop information
collection that often occurs without their awareness.
A joint press release issued by the privacy groups to halt online
profiling is at:
Details about the Public Workshop on "On-line Profiling" are available:
[3] Appellate Judges Slam Internet Censorship Law
Two federal appellate judges harshly questioned the constitutionality
of the Child Online Protection Act (COPA) on November 4.  COPA would
prohibit commercial Web site operators from exposing children under 17
to sexually explicit material that is deemed "harmful to minors."  The
judges suggested that COPA may violate the First Amendment by not
specifying which community's standards would apply when assessing
content on the Internet.
Soon after President Clinton signed COPA into law last year, it was
challenged by a coalition of cyber-rights groups and Web publishers,
including EPIC and the ACLU.  In February, U.S. District Judge Reed
issued a preliminary injunction blocking enforcement of COPA, stating
that the law would likely fail to survive judicial scrutiny.  The
government appealed the decision to the U.S. Court of Appeals for the
Third Circuit in Philadelphia.
In court last Thursday, Senior U.S. Circuit Judge Leonard I. Garth
asked the Justice Department's lawyer how the phrase "contemporary
community standards" can be defined, given that the Internet is a
global communications medium.  "It seems to me that in terms of the
World Wide Web, what that statute contemplates is that we would be
remitted to the most severe community standards -- perhaps those in
Iran or Iraq -- where the exposure of a woman's face is deemed to
be improper," Garth said.
Judge Theodore A. McKee expressed concern with the law's provision that
Web site operators could avoid criminal sanctions by instituting age
verification mechanisms, such as credit-card numbers, to restrict
access by minors.  McKee noted that such a screening process could have
a chilling effect on adults who would be forced to reveal personal
information in order to access material on sensitive subjects, such as
Both McKee and Garth openly questioned whether it is possible to
create legislation that satisfies the First Amendment and controls
children's access to harmful content.  Garth said, "I'm not at all sure
that, in light of the Web, one can structure legislation which can
control" access to online content.
For more information on COPA and the full text of Judge Reed's district
court ruling, see:
[4] Intelligence Funding Bill Requires Report on ECHELON
The House of Representatives has approved a provision that would
require the intelligence agencies to jointly provide Congress with a
detailed analysis of the legal standards they apply when conducting
signals intelligence, including electronic surveillance.  The
requirement grows out of the controversy surrounding Project ECHELON, a
global surveillance network coordinated by the National Security
The reporting requirement is contained in the final version of the
Intelligence Authorization Act for Fiscal Year 2000, which is expected
to be approved by the Senate.  The report must be submitted in both
classified and unclassified form to the Intelligence and Judiciary
committees of the House and Senate within 60 days of final passage. It
must disclose the legal standards for interception of communications
when such interception may result in the acquisition of information
from a communication to or from United States persons; for intentional
targeting of the communications to or from United States persons; for
receipt from non-United States sources of information pertaining to
communications to or from United States persons; and for dissemination
of information acquired through the interception of the communications
to or from United States persons.
The reporting requirement was added to the appropriations bill at the
insistence of Rep. Bob Barr (R-GA).  In a statement released after the
House passage of the bill, Barr said, "If American intelligence
agencies are intercepting, receiving or distributing communications
involving our citizens without court orders, or legal authority, they
are doing so outside the bounds of the Constitution.  If Project
ECHELON exists as reported, all Americans who care about the integrity
of our Constitution should be concerned."
Last spring, Rep. Porter Goss (R-FL), chairman of the House
Intelligence Committee, requested access to legal memoranda on
surveillance authority prepared by NSA's General Counsel, but the
agency rebuffed the request citing "attorney-client privilege."  (See
EPIC Alert 6.08).
[5] IETF Rejects Proposal on Internet Wiretaps
In a public, plenary session on November 10, members of the Internet
Engineering Task Force (IETF) decided overwhelmingly not to develop
technical standards that would facilitate wiretapping of Internet
communications.  After an hour-long debate, the IETF members resolved
the question of whether the standards group should build the kind of
surveillance capabilities that are mandated for telephone systems by
the controversial Communications Assistance to Law Enforcement Act
(CALEA).  The Internet Engineering Steering Group and the Internet
Architecture Board will soon publish a formal IETF position paper based
on the consensus of the membership.
Prior to the debate, a group of computer security, cryptography, law,
and policy experts sent an open letter to the IETF urging rejection of
wiretap standards.  They said that "such a development would harm
network security, result in more illegal activities, diminish users'
privacy, stifle innovation, and impose significant costs on developers
of communications."
The rejected proposal arose when some IETF members asserted that CALEA
required such Internet standards.  With the emergence of Internet
telephony, some have argued that the law should now be read to cover
the Internet.  That view, however, is countered by the legislative
history of the 1994 law, which clearly stated that CALEA "does not
require reengineering of the Internet, nor does it impose prospectively
functional requirements on the Internet."
The text of the open letter to the IETF is available at:
The legislative history of CALEA is available at:
[6] TRUSTe Fails to Launch Investigation into RealNetworks
On November 1, the New York Times reported on the discovery made by
independent security consultant Richard Smith that online software
distributor RealNetworks was collecting information about the music
tastes of 13.5 million Real product users without their knowledge.
Despite initially indicating that it would launch an investigation into
its licensee RealNetworks, the TRUSTe privacy certification
organization has chosen not to pursue an inquiry, citing a loophole in
the existing license agreement. TRUSTe claims to provide adequate
privacy guidelines and oversight of privacy violations for companies
that it certifies.
RealJukebox (software downloaded through the site of RealNetworks) was
surreptitiously scanning computer hard drives for music files and
transmitting information about the genre of music, the format of the
music files, and the type of connected music player used back to
RealNetworks.  This information was also tied to personal information
previously collected through registration forms.  After the activities
of the RealJukebox software became public, RealNetworks provided a
software "patch" that would prevent the further transmission of
TRUSTe refused to launch an investigation since RealNetworks did not
technically violate any part of its license agreement.  The TRUSTe
license agreement only covers information collected from individuals
over a website.  TRUSTe claimed that since the information collection
and transmission occurred through software downloaded at a site, there
was in fact no violation of the license agreement.  TRUSTe did announce
plans to change its license agreement to include software downloaded
through a website.
This is not the first time that TRUSTe has failed to launch an
investigation into an apparent violation of one of its licensees.  In
March, Microsoft was found to be including Globally Unique Identifiers
(GUIDs) within Microsoft Office 1998 that would allow all documents and
visits to Microsoft operated websites to be tied with personal
information provided through earlier software registrations.  As in the
case of RealNetworks, TRUSTe found that Microsoft did not violate the
TRUSTe license agreement and refused to perform an investigation.
Remedies for Real users may still be available; several class action
lawsuits have been filed alleging that RealNetworks violated various
federal and state laws by secretly collecting data.
For more information on the RealNetworks and Microsoft privacy
Incidents, see:
[7] EPIC Bookstore -- Genetic Secrets
Genetic Secrets: Protecting Privacy and Confidentiality in the Genetic
Era by Mark A. Rothenstein
Twenty-three articles by professionals from law, medicine, bioethics,
public health, science policy, clinical genetics, philosophy, and other
fields grapple with new issues of medical privacy and confidentiality
brought about by recent advances in genetic research. Coverage includes
topics such as genetic information in the schools, laws to regulate the
use of genetic information, environmental population screening, public
health lessons from the HIV experience, European data protection law,
and implications of testing for health and life insurance. The book
concludes with a recommendation of a framework for deciding future
policy written by the editor.
EPIC Publications:
"The Privacy Law Sourcebook: United States Law, International Law, and
Recent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of US and International privacy law, as well
as a comprehensive listing of privacy resources.
"Filters and Freedom - Free Speech Perspectives on Internet Content
Controls," David Sobel, editor (EPIC 1999). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
"Cryptography and Liberty: An International Survey of Cryptography
Policy" Wayne Madsen and David Banisar, editors, (EPIC 1999). Price:
$15. http://www.epic.org/cryptobook99/
An international survey of encryption policies around the world. Survey
results show that in the vast majority of countries, cryptography may
be freely used, manufactured, and sold without restriction, with the
U.S. being a notable exception.
"Privacy and Human Rights 1999: An International Survey of Privacy Laws
and Developments" David Banisar, Simon Davies, editors, (EPIC 1999).
Price: $15. http://www.epic.org/privacy&humanrights99/
An international survey of the privacy and data protection laws found
in 50 countries around the globe. This report outlines the
constitutional and legal conditions of privacy protection, and
summarizes important issues and events relating to privacy and
Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be ordered
through the EPIC Bookstore: http://www.epic.org/bookstore/
[8] Upcoming Conferences and Events
Washington, D.C., USA Internet Engineering Task Force (IETF) Meeting.
November 7-12, 1999. Omni Shoreham Hotel. Washington, D.C. For more
information: http://www.ietf.org/meetings/IETF-46.html
The 1999 BNA Public Policy Forum: E-Commerce and Internet Regulation.
November 15, 1999. Mayflower Hotel. Washington, D.C. For more
information: http://internetconference.pf.com/
Call for Papers -- Impacts of Economic Liberalization on IT Production
and Use. The Information Society. Manuscripts due November 15, 1999.
For more information: http://www.slis.indiana.edu/TIS
Call for Papers -- Telecommunications: The Bridge to Globalization in
the Information Society. International Telecommunications Society.
Abstracts due November 15, 1999. For more information:
PDD-63 Congressional Research Service Seminar. November 19, 1999.
James Madison Building, Library of Congress. For more information:
Annual Computer Security Applications Conference: Practical Solutions
to Real Security Problems. December 6-10, 1999. Radisson Resort
Scottsdale. Phoenix, Arizona. For more information:
Integrating Government with New Technologies '99 Policy vs Technology:
Service Integration in the New Environments - A two-day Seminar and
Training Session. December 13-14, 1999. Government Conference Center.
Ottawa, Canada. For more information: http://www.rileyis.com/seminars
Surveillance Expo '99. December 13-15, 1999. Doubletree Hotel. Crystal
City, Virginia. For more information: http://www.rosseng.com
PEN/Newman's Own Eighth Annual First Amendment Award. Nominations due
December 31, 1999. For more information: http://www.pen.org
RSA 2000. The ninth annual RSA Data Security Conference and Expo.
January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA.
For more information: http://www.rsa.com/rsa2000/
Santa Clara University Computer and High Technology Journal Symposium
on Internet Privacy. February 11-12, 2000. For more information:
Telecommunications: The Bridge to Globalization in the Information
Society. Biennial Conference of the International Telecommunications
Society. July 2-5, 2000. For more information:
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. A Web-based form is available for subscribing or
unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
About EPIC
The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsored
by the Fund for Constitutional Government, a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights.  EPIC publishes the EPIC Alert, pursues Freedom of Information
Act litigation, and conducts policy research. For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240
(tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 6.19 -----------------------
Return to:

Alert Home Page | EPIC Home Page