       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 6.20                                   December 6, 1999
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] EPIC Files Suit for NSA Memos on Surveillance Authority
[2] EPIC, ACLU and EFF Challenge New FBI Wiretap Rules
[3] Consumer Groups Respond to "Safe Harbor" Proposal
[4] Draft Crypto Regulations Fall Short of Earlier Promises
[5] Advocates Call on FTC, Companies to Stop Secret Profiling
[6] AOL Subscriber Privacy Preferences Expiring
[7] Holiday Shopping at the EPIC Bookstore
[8] Upcoming Conferences and Events
[1] EPIC Files Suit for NSA Memos on Surveillance Authority
The Electronic Privacy Information Center asked a federal court on
December 3 to order the release of controversial documents concerning
potential government surveillance of American citizens.  EPIC's
lawsuit seeks the public disclosure of internal National Security
Agency (NSA) documents discussing the legality of the agency's
intelligence activities.
NSA refused to provide the documents to the House Intelligence
Committee earlier this year, resulting in an unusual public reprimand
of the secretive spy agency.  Rep. Porter J. Goss, chairman of the
oversight panel, wrote in a committee report in May that NSA's
rationale for withholding the legal memoranda was "unpersuasive and
dubious."  He noted that if NSA lawyers "construed the Agency's
authorities too permissively, then the privacy interests of the
citizens of the United States could be at risk."  Soon after the
release of the Intelligence Committee report, EPIC submitted a Freedom
of Information Act (FOIA) request to NSA for the documents.  Despite
the FOIA's time limit of 20 working days, the agency has not responded
to EPIC's request.
The surveillance activities of the NSA have recently come under
increased scrutiny, with published reports indicating that the agency
is coordinating a massive global interception initiative known as
ECHELON.  The current issue of the New Yorker magazine reports that it
took NSA only 11 months to fill three years' worth of planned storage
capacity for intercepted Internet traffic.
The legal basis for NSA's interception activities is a critical issue
that EPIC plans to evaluate in a comprehensive study to be released
early next year.  That study will be conducted by Duncan Campbell, a
Scottish investigative journalist and TV producer.  Earlier this year,
Campbell was appointed a consultant to the European Parliament and
prepared a technology assessment report on ECHELON and communications
intelligence which contained the first public documentary evidence of
the global surveillance system.  Campbell will be working with EPIC as
a Senior Research Fellow for several months to produce a report for
presentation at anticipated congressional hearings on the topic of
signals intelligence agencies, the Fourth Amendment and human rights.
More information on ECHELON is available at the EchelonWatch website,
which is administered by the American Civil Liberties Union:
Duncan Campbell's report for the European Parliament is available at:
[2] EPIC, ACLU and EFF Challenge New FBI Wiretap Rules
EPIC joined with the American Civil Liberties Union and the Electronic
Frontier Foundation on November 18 in a court challenge to block new
rules that would enable the FBI to dictate the design of the nation's
communication infrastructure.  The challenged rules would allow the
Bureau to track the physical locations of cellular phone users and
monitor Internet traffic. In petitions to the U.S. Courts of Appeals
for the District of Columbia Circuit and the Ninth Circuit, the groups
say that the rules -- contained in a Federal Communications Commission
(FCC) decision issued in August (see EPIC Alert 6.13) -- could result
in a significant increase in government interception of digital
The court challenge involves the Communications Assistance for Law
Enforcement Act ("CALEA"), a controversial law enacted by Congress in
1994, which requires the telecommunications industry to design its
systems in compliance with FBI technical requirements to facilitate
electronic surveillance. In negotiations over the last few years, the
FBI and industry representatives were unable to agree upon those
standards, resulting in the recent FCC ruling. EPIC, ACLU and EFF
participated as parties in the FCC proceeding.
The court filings assert that the FCC ruling exceeds the requirements
of CALEA and frustrates the privacy interests protected by federal
statutes and the Fourth Amendment. The groups assert that the FBI is
seeking surveillance capabilities that far exceed the powers law
enforcement has had in the past and is entitled to under the law. The
case will likely define the privacy standards for the nation's
telecommunication networks, including the cellular systems and the
The privacy groups are being represented on a pro bono basis by Kurt
Wimmer and Gerard J. Waldron, partners at the Washington law firm of
Covington & Burling.  Separate challenges to the FCC CALEA rules have
been filed by the U.S. Telecom Association, the Cellular
Telecommunications Industry Association and the Center for Democracy
and Technology.  All of the petitions have been consolidated for
further proceedings.
Background materials on CALEA, including documents filed by EFF, ACLU
and EFF with the Federal Communications Commission, are available at
EPIC's website:
[3] Consumer Groups Respond to "Safe Harbor" Proposal
U.S. and European consumer organizations have submitted comments to
the Department of Commerce regarding the "Safe Harbor" proposal that
would allow U.S. firms to self-certify privacy practices when
processing data on European citizens.  The TransAtlantic Consumer
Dialogue (TACD) said that the Safe Harbor proposal "still fails to
provide adequate data protection for the transfer of personal
information from citizens in EU countries to companies in the United
States."  The groups urged the adoption of stronger measures to ensure
that "the loss of consumer privacy is not the cost of the information
The organizations said that "little progress has been made in the
effort to ensure consumer access to their personal information held by
businesses and there is still no significant mechanism to enforce
privacy principles in the United States."  The consumer organizations
urged negotiators to view privacy as a fundamental human right, not
simply a commercial matter.  They said that the Safe Harbor process
should extend principles of data protection and further urged
comprehensive coverage for citizens outside of Europe.  They added
that further steps should be taken to ensure that the Safe Harbor
principle complies with Fair Information Practices, particularly in
the areas of notice, consent, purpose specification, access,
enforcement and non-discrimination.
The statement was endorsed by the European Consumer Association
(BEUC), the Consumer Federation of America, the Center for Media
Education, the Consumer Project on Technology, the Electronic Privacy
Information Center, the National Consumers League, and USPIRG for the
Trans Atlantic Consumer Dialogue (TACD).
The TransAtlantic Consumer Dialogue is a forum of U.S. and EU consumer
organizations which develops joint consumer policy recommendations for
the U.S. government and European Union to promote the consumer
interest in EU and U.S. policy making.  It includes more than sixty
consumer organizations from the United States and Europe.
The following materials are available:
Department of Commerce, International Safe Harbor Privacy Principles
(15 November 1999)
TACD Comments on Safe Harbor (3 December 1999)
TACD Resolution on Safe Harbor (April 1999)
Trans Atlantic Consumer Dialogue
[4] Draft Crypto Regulations Fall Short of Earlier Promises
When the Clinton Administration announced a new encryption policy in
September (see EPIC Alert 6.15), some observers were quick to conclude
that the end of the controversial U.S. export controls was finally at
hand.  Others (including EPIC) took a "wait and see" approach pending
the release of final regulations implementing the new policy.  A draft
is now being circulated by the Administration, and the proposal is
receiving largely negative reviews.
Contrary to the claims made in September, the draft regulations would
impose a complex and confusing classification and licensing scheme on
exports of encryption hardware and software.  Many products would be
subject to a "technical review" by export officials.  The standards
for such reviews are not spelled out in the regulations, leaving
officials with almost complete discretion and export applicants with
little legal recourse.
Another confusing aspect of the draft is its use of the term "retail"
to describe those products that would be entitled to liberal export
conditions.  The effect on freeware encryption products and open
source development projects is not clear.
One positive surprise is contained in the draft regulations.
Encryption source code would be eligible for export under certain
conditions.  Current restrictions on source code have been the subject
of great controversy over the last few years, leading to litigation
challenging the export rules as a "prior restraint" on academic and
scientific expression.  The U.S. Court of Appeals for the Ninth
Circuit ruled earlier this year in the Bernstein case that the source
code restrictions do, indeed, violate the First Amendment (see EPIC
Alert 6.07).  That ruling is now being reviewed "en banc" by the Ninth
A final version of the new rules is expected to be issued around
December 15.  The text of the draft is available at:
[5] Advocates Call on FTC, Companies to Stop Secret Profiling
Privacy and consumer groups and a leading security expert have asked
the Federal Trade Commission to require software makers to close a
loophole in many popular email systems that allows senders of bulk
commercial email to track the surfing behavior of people who merely
read the email.
Security expert Richard M. Smith said, "Web browser cookies and email
messages don't mix.  Web surfing is supposed to be anonymous, but with
the cookie leak security hole, companies can easily match our Email
addresses to the Web sites we visit.  I hope that Netscape, Microsoft
and other software makers will quickly patch this hole."
Many email readers display email messages using a Web browser.  If the
message contains graphics retrieved from the Web when the mail is
opened, the loophole allows the recipient to be assigned a unique
serial number in a "cookie," which will later be silently transmitted
as the recipient surfs the Web.  Many companies encode the recipient's
email address in the URL (web address) of the graphic, so that their
servers can match the cookie to the email address.
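A check a mail gateway or reader could run for the pattern described
above, given here as an added example that is not part of the original
Alert or of Richard Smith's paper.  The function names, the set of
fetched attributes and the sample message are assumptions constructed
for illustration.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Attributes fetched when the mail is displayed (assumed set, not exhaustive).
FETCHED_ON_OPEN = {("img", "src"), ("body", "background"),
                   ("table", "background"), ("td", "background")}


class RemoteRefs(HTMLParser):
    """Collect http(s) URLs the reader would request just by showing the mail."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in FETCHED_ON_OPEN:
                url = value.strip()
                if urlsplit(url).scheme in ("http", "https"):
                    self.urls.append(url)


def address_encodings(address):
    """Forms in which a sender might embed the recipient's address in a URL."""
    raw = address.encode()
    return {
        "plain": address.lower(),
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "base64url": base64.urlsafe_b64encode(raw).decode().rstrip("="),
    }


def find_address_bearing_urls(html, recipient):
    """Return (url, encoding) for each remote fetch whose URL names the recipient."""
    parser = RemoteRefs()
    parser.feed(html)
    forms = address_encodings(recipient)
    findings = []
    for url in parser.urls:
        decoded = unquote(url)  # undo %40 and similar escapes
        for label, needle in forms.items():
            # base64 is case-sensitive; the plain form is compared in lower case
            haystack = decoded if label.startswith("base64") else decoded.lower()
            if needle in haystack:
                findings.append((url, label))
                break
    return findings


# Constructed sample message; the address and hosts are placeholders.
RECIPIENT = "alice@example.org"
TOKEN = base64.b64encode(RECIPIENT.encode()).decode()
SAMPLE_HTML = f"""<html><body>
<img src="http://ads.example.net/open.gif?e=alice%40example.org" width=1 height=1>
<img src="http://ads.example.net/p.gif?u={TOKEN}">
<img src="http://www.example.com/logo.gif">
<img src="cid:logo"></body></html>"""

if __name__ == "__main__":
    print(find_address_bearing_urls(SAMPLE_HTML, RECIPIENT))
```

A message that produces findings can be shown with remote content
blocked, so that no request carrying the address (and no cookie) leaves
the reader.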
Jason Catlett, President of Junkbusters Corp. said, "Cookie leaks are
the bug from spammers that keeps on bugging.  It's intolerable that
email can be used to silently zap a nametag onto you that might be
scanned by a site you visit later.  It's like secretly bar-coding
people with invisible ink."
At the FTC's hearings on online profiling last month, privacy groups
called for an immediate halt to online profiling, warning that in the
absence of effective legal safeguards personal information would be
gathered secretly by marketing companies.  Andrew Shen, Policy Analyst
at EPIC, said that "The lack of government action continues to place
the average user -- unaware of the tracking and surveillance
technologies at work -- at the mercy of companies that often abuse
their privacy."
The organizations that urged an investigation of the "cookie leak"
included Junkbusters, the Center for Media Education, the Privacy
Rights Clearinghouse, the Consumer Project on Technology, the
Commercial Alert, the Private Citizen Inc., the Electronic Frontier
Foundation, and the Electronic Privacy Information Center.
The groups' press release on the "Cookie Leak" announcement is
available at:
Richard Smith's paper, "The Cookie Leak Security Hole in HTML Email
Messages," is available at:
[6] AOL Subscriber Privacy Preferences Expiring
America Online (AOL) recently sent a message to its twenty million
subscribers advising them that their declared privacy preferences will
expire in early December.  In what will become an annual chore, all
AOL users will have to opt out -- take it upon themselves to make
specific requests -- not to receive advertisements via mail, email, or
pop-up messages.
While AOL spokesmen said that their privacy policy has always been
upfront about the need for annual revisions, EPIC expects most AOL
subscribers will be surprised that they have to reiterate their
privacy preferences.  AOL's action underscores the problems with
"opt-out" procedures, which unfairly place the burden of privacy
protection on individuals.  "Opt-out" has become the preferred
industry means of addressing privacy concerns, and forms the basis of
many of the "self-regulatory" initiatives advanced as alternatives to
legal privacy protections.
AOL also rents subscriber lists with personal account information to
marketers, but AOL subscribers who have already opted out of that
practice will not have to renew that part of their preferences.
[7] Holiday Shopping at the EPIC Bookstore
Planning to buy a book, video, or DVD this holiday season?  Visit the
EPIC Bookstore for all the greatest books on privacy, free speech and
online liberty.  And just in time for the holidays, we've updated our
video section to include a new selection of top films.
This holiday season EPIC features on DVD the blockbuster hit "The
Matrix" with all-time cyberstar Keanu Reeves, Gene Hackman's reprise
as a surveillance specialist in "Enemy of the State," and the
captivating "Dark City."
The Matrix
Amazon reviewers: 4.5
" . . .one of the most exhilarating sci-fi/action movies of the 1990s.
Set in the not too distant future, we find a young man named Neo
(Keanu Reeves). A software techie by day and a computer hacker by
night, he sits alone at home by his monitor, waiting for a sign, until
one night a mysterious woman named Trinity (Carrie-Anne Moss)
introduces him to Morpheus (Laurence Fishburne). A messiah of sorts,
Morpheus presents Neo with the truth about his world by shedding light
on the dark secrets that have troubled him for so long: "You've felt
it your entire life, that there's something wrong with the world. You
don't know what it is, but it's there, like a splinter in your mind,
driving you mad."  Morpheus shows Neo what the Matrix is -- a reality
beyond reality that controls all of their lives in a way that Neo can
barely comprehend."
Enemy of the State
Amazon reviewers: 4.5
"Robert Clayton Dean (Will Smith) is a lawyer with a wife and family
whose happily normal life is turned upside down after a chance meeting
with a college buddy (Jason Lee) at a lingerie shop. Unbeknownst to
the lawyer, he's just been burdened with a videotape of a
congressman's assassination. Hot on the tail of this tape is a
ruthless group of National Security Agents commanded by a
belligerently ambitious fed named Reynolds (Jon Voight). Using
surveillance from satellites, bugs, and other sophisticated snooping
devices, the NSA infiltrates every facet of Dean's existence, tracing
each physical and digital footprint he leaves. Driven by acute
paranoia, Dean enlists the help of a clandestine former NSA operative
named Brill (Gene Hackman), and Enemy of the State kicks into
high-intensity hyperdrive."
Dark City
Amazon reviewers: 4.5
In a city where it is always night, aliens conduct secret experiments
to learn what makes us human. Meanwhile, his memory mostly gone,
Sewell is suspected of being a serial killer, and finds he now has
telekinetic powers. Richly plotted sci-fi has striking set design and
excellent use of special effects; complex, with a new surprise every
few minutes. - Leonard Maltin's Movie & Video Guide
EPIC Books - "Our Favorites"
EPIC Videos
EPIC Publications
[8] Upcoming Conferences and Events
Annual Computer Security Applications Conference: Practical Solutions
to Real Security Problems. December 6-10, 1999. Radisson Resort
Scottsdale. Phoenix, Arizona. For more information:
Integrating Government with New Technologies '99 Policy vs Technology:
Service Integration in the New Environments - A two-day Seminar and
Training Session. December 13-14, 1999. Government Conference Center.
Ottawa, Canada. For more information: http://www.rileyis.com/seminars
Surveillance Expo '99. December 13-15, 1999. Doubletree Hotel. Crystal
City, Virginia. For more information: http://www.rosseng.com
PEN/Newman's Own Eighth Annual First Amendment Award. Nominations due
December 31, 1999. For more information: http://www.pen.org
RSA 2000. The ninth annual RSA Data Security Conference and Expo.
January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA.
For more information: http://www.rsa.com/rsa2000/
Cyberspace and Privacy: A New Legal Paradigm? February 7, 2000.
Stanford Law School. Stanford, CA. For more information:
http://lawreview.stanford.edu or http://stlr.stanford.edu
Santa Clara University Computer and High Technology Journal Symposium
on Internet Privacy. February 11-12, 2000. For more information:
Telecommunications: The Bridge to Globalization in the Information
Society. Biennial Conference of the International Telecommunications
Society. July 2-5, 2000. For more information:
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. A Web-based form is available for subscribing or
unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
About EPIC
The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsored
by the Fund for Constitutional Government, a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights.  EPIC publishes the EPIC Alert, pursues Freedom of Information
Act litigation, and conducts policy research. For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240
(tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 6.20 -----------------------