EPIC logo
       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 7.02                                   February 3, 2000
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] EPIC Calls for Withdrawal of FIDNET at Senate Hearing
[2] DoubleClick Faces Lawsuit Over Change in Privacy Practices
[3] Privacy Groups Challenge Proposed FBI Wiretap Standards
[4] New Crypto Export Regulations: Still Not De-Control
[5] Industry Targets DVD Copying in Digital Copyright Suits
[6] Clinton Proposes Privacy Protections in State of Union Address
[7] EPIC Bookstore -- Critical Infrastructure Report
[8] Upcoming Conferences and Events
[1] EPIC Calls for Withdrawal of FIDNET at Senate Hearing
This week the Senate Judiciary Committee reviewed the Administration's
computer security plan.  Civil liberties organizations have criticized
the National Plan for Information Systems Protection, saying it would
dramatically expand government surveillance of the nation's
communications networks.  They have singled out the Federal Intrusion
Detection Network -- FIDNET -- as raising far-reaching threats to
American citizens.
Testifying before the committee, Marc Rotenberg, Executive Director of
the Electronic Privacy Information Center (EPIC), called the FIDNET
proposal contrary to "the spirit of the federal wiretap statute, the
plain language of the federal Privacy Act, and the history of the
Fourth Amendment."  He said that "the FIDNET proposal, as currently
conceived, must simply be withdrawn.
EPIC also released a government memo at the hearing, obtained under
the Freedom of Information Act, which indicates that the U.S.
Department of Justice is aware that the FIDNET proposal may violate
U.S. law.  Other records obtained by EPIC show that the government
will use credit card records and telephone toll records as part of its
intrusion detection system.  John Tritak, Director of the Critical
Infrastructure Assurance Office, was unable to answer questions put to
him by the committee members regarding what type of personal
information would be collected by FIDNET.
Rotenberg charged that backers of the security plan were "trying to
apply twentieth century notions of national defense to twenty-first
century problems of communications security."
Last year, EPIC warned that a similar "critical infrastructure
protection" proposal posed risks to the civil liberties of Americans.
The revised security plan discusses privacy issues in a number of
places, but civil liberties organizations contend that the plan is
long on rhetoric and short on safeguards.  "The plan lacks the legal
protections and independent oversight that would be necessary to
prevent abuse," said Rotenberg.
Also testifying at the hearing was Frank Cilluffo, Senior Policy
Analyst, Center for Strategic and International Studies.  The Senate
Subcommittee is chaired by Senator John Kyl (R-AZ).  Senator Kyl said
that future hearings will be held on the proposal and that government
witnesses will be called to answer specific legal and technical
questions about the design and operation of FIDNET.
EPIC Testimony on "CyberAttack: The National Protection Plan and its
Privacy Implications":
     http://www.epic.org/security/cip/EPIC_testimony_0200.pdf [PDF]
EPIC Critical Infrastructure Protection Resources Page:
Memo from Ronald D. Lee, Associate Deputy Attorney General, Department
of Justice to Jeffrey Hunker, Director, Critical Infrastructure
Assurance Office regarding the National Information Systems Protection
Plan, March 8, 1999 (obtained by EPIC under the Freedom of Information
Memo from Jeffrey Hunker, CIAO to CICG Members regarding "Offsite
Materials" (obtained by EPIC under the Freedom of Information Act):
White House "National Plan for Information Systems Protection"
(January 7, 2000):
Executive Summary of "National Plan for Information Systems
Protection" (January 7, 2000)
[2] DoubleClick Faces Lawsuit Over Privacy Practices
DoubleClick, one of the largest advertisers on the World Wide Web, has
taken a dramatic new approach in learning about Internet users --
finding out their names and addresses.  The move by the company toward
personally identifying all the information it collects previously drew
fire from privacy advocates and now from private citizens.
The change in DoubleClick's strategy was not unexpected by privacy
advocates who have been following their recent acquisitions.  In late
November, DoubleClick completed a merger with market research firm
Abacus Direct.  From the dramatic increase in information, DoubleClick
hopes to find out more about all Internet users in order to provide
targeted one-to-one advertising.  Prior to the merger, DoubleClick had
been learning about Internet users through the use of cookie
technology -- an Internet protocol that allows for unique
identification and tracking.  While DoubleClick had been collecting
personal information before, correlating existing information it has
already accumulated from Internet users with the data in the Abacus
database requires access to personally identifying information such as
a name.  For that reason, DoubleClick formed the Abacus Alliance -- an
unnamed group of Internet websites that will pass on personal
information to the advertiser.
On January 28, attorneys in California filed a lawsuit alleging that
DoubleClick had unlawfully represented that it was only collecting
non-personally identifying information.  Judnick's attorneys are asking
for an injunction against DoubleClick that would prevent any further
collection of personal information without written consent, an easy
way for Internet users to destroy any personal information in
DoubleClick's possession, and the destruction of all personal
information collected without consent in the past.
For more information about DoubleClick and its recent merger with
Abacus Direct, see:
[3] Privacy Groups Challenge Proposed FBI Wiretap Standards
On January 20, EPIC and other Internet privacy advocacy groups asked a
federal appeals court to block new rules that would enable the FBI to
dictate the design of the nation's communication infrastructure.  The
challenged rules would enable the Bureau to track the physical
locations of cellular phone users and potentially monitor Internet
In a brief filed with the U.S. Court of Appeals for the District of
Columbia Circuit, EPIC, the American Civil Liberties Union (ACLU) and
the Electronic Frontier Foundation (EFF) said that the rules --
contained in a Federal Communications Commission (FCC) decision issued
last August -- could result in a significant increase in government
interception of digital communications.
The court challenge involves the Communications Assistance for Law
Enforcement Act (CALEA), a controversial law enacted by Congress in
1994, which requires the telecommunications industry to design its
systems in compliance with FBI technical requirements to facilitate
electronic surveillance.  In negotiations over the last few years, the
FBI and industry representatives were unable to agree upon those
standards, resulting in the recent FCC ruling.  EPIC, ACLU and EFF
participated as parties in the FCC proceeding and argued that the
privacy rights of Americans must be protected.
The groups' court filing asserts that the FCC ruling exceeds the
requirements of CALEA and frustrates the privacy interests protected
by federal statutes and the Fourth Amendment.  Among other things, the
Commission order would require telecommunications providers to
determine the physical locations of cellular phone users and deliver
"packet-mode communications" -- such as those that carry Internet
traffic -- to law enforcement agencies.
The privacy groups are being represented on a pro bono basis by Kurt
Wimmer and Gerard J. Waldron, attorneys at the Washington law firm of
Covington & Burling, and Carlos Perez-Albuerne, an attorney at the
Boston law firm of Choate, Hall & Stewart.  Oral argument in the court
challenge to the CALEA standards is scheduled for May 17, 2000.
In a related development, the Internet Engineering Task Force (IETF)
has published a draft document explaining its decision not to consider
requirements for wiretapping as part of the process for creating and
maintaining IETF standards.  Among other things, the draft notes that
"[a]dding a requirement for wiretapping will make the designs
considerably more complex, thereby jeopardizing the security of
communications …"
Background materials on CALEA, including the brief filed by EPIC, ACLU
and EFF, are available at EPIC's website:
The draft IETF document on wiretapping standards is available at:
[4] New Crypto Export Regulations: Still Not De-Control
The U.S. Commerce Department released its revised encryption export
regulations on January 12.  While the new rules will allow for the
export of a wide variety of "retail" encryption products, they fall
short of the Clinton Administration's promise to deregulate the
privacy-enhancing technology.  Following the release of the new
regulations, EPIC joined the American Civil Liberties Union (ACLU) and
the Electronic Frontier Foundation (EFF) in announcing that the groups
will continue to press pending constitutional litigation challenging
encryption controls.
While recognizing that the Administration has taken a positive and
long-overdue step with its latest revisions, the cyber-liberties
groups believe that the fundamental constitutional defects of the
encryption export regime have not been remedied.  Specifically:
- The new regulations, like the old ones, impose special requirements
on Internet speech, contrary to the Supreme Court's 1997 ruling in
Reno v. ACLU.  The regulations require that the government be notified
of any electronic "export" of publicly available encryption source
code, and prohibit electronic "export" to certain countries.  Yet
people may freely send the same information anywhere on paper.
- The export regulations are still a completely discretionary
licensing scheme.  They continue to require licenses for a large
amount of communication protected by the First Amendment, including
transmitting source code that is not "publicly available," source code
that is "restricted," source code forming an "open cryptographic
interface," and various forms of object code.
- While the new regulations appear to permit free posting of
encryption source code to Internet discussion lists, such posting may
be illegal if the poster has 'reason to know' that it will be read by
a person in one of the seven regulated countries (such as Cuba).
- The new regulations still ban providing information on how to create
or use some encryption technology as prohibited "technical
assistance."  Software publishers can be fined or imprisoned for
helping people to use their code.  These same limitations do not apply
to non-encryption source code.
In a highly-publicized court case, mathematician Daniel Bernstein has
challenged the export control laws on First Amendment grounds.
Professor Bernstein claims that his right to publish his own
encryption software and share his research results with others over
the Internet is being unconstitutionally restricted by the
government's controls.  Bernstein won his case at the trial level, and
last year won an appeal in the Ninth Circuit Court of Appeals.  Prior
to the release of the new regulations, the court had granted the
government's request that the appeal be reconsidered by a larger "en
banc" panel of eleven judges, but recently sent the case back to the
three-judge panel that originally heard it for further consideration
in light of the new regulations.
A similar case challenging the constitutionality of the export rules
was brought by the ACLU of Ohio on behalf of Ohio law professor Peter
Junger, who wished to publish an electronic version of an encryption
program he wrote.  The case is pending in the Sixth Circuit Federal
Court of Appeals.  EPIC has participated as a "friend-of-the-court" in
both the Bernstein and Junger cases.
The text of the revised encryption regulations is available at:
[5] Industry Targets DVD Copying in Digital Copyright Suits
The movie industry has filed lawsuits in California, New York, and
Connecticut to prevent Internet sites from distributing information
about the DVD Content Scrambling System.  A federal judge in a
district court in New York granted a preliminary injunction January 20
against three defendants who provided the decoding software on their
Web sites.  A judge in a California state court granted a preliminary
injunction the following day against 21 defendants.  The contended
program, DeCSS, created by a Norwegian programmer, allows users to
decode the encryption used on DVDs.
The California case was filed by the DVD Copy Control Association, an
industry trade group, after Christmas against 72 Web sites and
individuals who had either published information about DeCSS or
provided a link to the information from their sites.  The DVD-CCA
claims that the defendants are violating their trade secrets by
discussing the source code used to bypass the DVD encryption scheme
through reverse engineering.  The defendants, however, assert that the
purpose of the DeCSS is not to engage in illegal duplication of DVDs
but rather to allow DVDs to operate on computers using the Linux
operating system.  The Global Internet Liberty Campaign, a coalition
of more than 50 civil liberties groups worldwide, issued a statement
claiming that the DVD-CCA's assault could have a severe impact on free
expression: "We believe that intellectual property owners should not
be allowed to expand their property rights at the expense of free
speech -- particularly when the speech in question explains how
companies have prevented the dissemination of new scientific ideas."
The New York case and a companion case in a Connecticut federal court
were filed on Jan. 15 and center upon the Digital Millennium Copyright
Act, a 1998 law that prohibits the distribution of products that can
circumvent copy protection schemes.  The Motion Picture Association of
America, as well as six other movie studios, are plaintiffs.  Critics
assert that the decoding of encryption schemes is crucial to
researching, developing, and testing information processing systems.
The Electronic Frontier Foundation is providing legal counsel to
defendants both in California and New York.
The Global Internet Liberty Campaign statement is available at:
Testimony of EPIC Executive Director Marc Rotenberg on the Digital
Millennium Copyright Act (June 5, 1998) is available at:
The Electronic Frontier Foundation maintains an archive of court
material relating to the DVD-CCA case at:
EFF also maintains an archive of court material relating to the MPAA
DVD cases at:
[6] Clinton Proposes Privacy Protections in State of Union Address
In President Clinton's State of the Union speech on January 27, he
brought attention to the growing need to protect personal information
in the next century.
After referring to the recent growth of information technology, he
reminded his audience that technology has to be carefully directed in
order to assure that its reach does not compromise societal values.
Additionally, he said, "First and foremost, we have to safeguard our
citizens' privacy."
Specifically, he mentioned the ongoing rule-making process over
medical privacy regulations, the need for stronger protections over
financial records, and more work on preventing genetic discrimination
from insurers and employers.
The full text of the President's speech is available at:
[7] EPIC Bookstore -- Critical Infrastructure Report
Critical Infrastructure Protection and the Endangerment of Civil
Liberties: An Assessment of the President's Commission on Critical
Infrastructure Protection (PCCIP) by Wayne Madsen.
Excerpt from the Executive Summary:
On July 15, 1997, President Clinton signed Executive Order 13010,
which established the President's Commission on Critical
Infrastructure Protection (PPCIP).  The Executive Order listed eight
sectors that the PCCIP was to examine for security vulnerabilities.
They are: telecommunications, electrical power systems, gas and oil
storage and transportation, banking and finance, transportation, water
supply systems, emergency services, and continuity of government.
President Clinton appointed retired Air Force General Robert T. Marsh
to chair the PCCIP.  Although the commission, its Steering Committee,
and its Advisory Committee were composed of members of government and
industry, the membership of the three bodies consisted of a majority
of military and intelligence representatives.
PCCIP's report, issued in October 1997, contained many recommendations
that have the potential to curtail a number of important civil
liberties, including freedom of speech and freedom of information.
Although the report concluded there was no evidence of an "impending
cyber attack which could have a debilitating effect on the nation's
critical infrastructure," it did recommend a new bureaucratic security
establishment with expansive authority.  If not properly monitored and
controlled, these new national security structures and
intelligence-sharing networks, in addition to those that already
exist, may, instead of protecting the national infrastructure, be used
by the government and private corporations to further erode the
privacy of U.S. and foreign citizens.
Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore: http://www.epic.org/bookstore/
[8] Upcoming Conferences and Events
Privacy, Security & Confidentiality of Medical Records 2000: Complying
With New HIPAA Regulations. NonProfit Management. One Day Seminars.
Various Locations and Times. For more information:
Federal Trade Commission Advisory Committee on Online Privacy and
Security. Series of Meetings. Federal Trade Commission Headquarters.
Washington, D.C. For more information: http://www.ftc.gov/acoas/
Cyberspace and Privacy: A New Legal Paradigm? February 7, 2000.
Stanford Law School. Stanford, CA. For more information:
http://lawreview.stanford.edu or http://stlr.stanford.edu
Santa Clara University Computer and High Technology Journal Symposium
on Internet Privacy. February 11-12, 2000. For more information:
Government Technology Conference 2000. February 14-18, 2000. Austin
Convention Center. Austin, TX. For more information:
E-Commerce and Privacy: Implementing the New Law. Riley Information
Services. February 21, 2000. Westin Hotel, Ottawa. For more
information: http://www.rileyis.com/seminars/
Financial Cryptography '00. International Financial Cryptography
Association. February 21-24, 2000. InterIsland Hotel. Anguilla, British
West Indies. For more information: http://fc00.ai/
The New Wave of Privacy Protection in Canada. BC Freedom of Information
and Privacy Association and Riley Information Services. March 9-10,
2000. Hotel Vancouver. Vancouver, British Columbia. For more
information: http://www.rileyis.com
HIPAA Security and Privacy Requirements: A How To Blueprint for
Compliance. MIS Training Institute. Two-day Seminars. Various Locations
and Times. For more information: http://www.misti.com
Entrust SecureSummit 2000. May 1-4, 2000. Hyatt Regency Dallas at
Reunion. Dallas, Texas. For more information:
Shaping the Network: The Future of the Public Sphere in Cyberspace.
Computer Professionals for Social Responsibility (CPSR). Call for
Papers -- Abstracts Due February 15. May 20-23, 2000. Seattle,
Washington. For more information: http://www.scn.org/cpsr/diac-00
Telecommunications: The Bridge to Globalization in the Information
Society. Biennial Conference of the International Telecommunications
Society. July 2-5, 2000. For more information:
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. A Web-based form is available for subscribing or
unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
About EPIC
The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsored
by the Fund for Constitutional Government, a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights.  EPIC publishes the EPIC Alert, pursues Freedom of Information
Act litigation, and conducts policy research. For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240
(tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 7.02 -----------------------
Return to:

Alert Home Page | EPIC Home Page