EPIC logo

       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 8.06                                     March 29, 2001
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] EU Privacy Leaders: Cybercrime Treaty May Violate Rights
[2] Future of Medical Privacy Regulations Uncertain
[3] Annenberg Releases Report on Kids Privacy Compliance
[4] Bush Administration Criticizes EU Privacy Rules
[5] Public Voice Submits Dot Force Report
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - The Internet, Law and Society
[8] Upcoming Conferences and Events
[1] EU Privacy Leaders: Cybercrime Treaty May Violate Rights
The controversial Council of Europe (CoE) draft Cybercrime Convention
has encountered new opposition from an important quarter.  In a formal
opinion released on March 22, the European Union's independent
Advisory Body on Data Protection and Privacy criticized the proposed
international treaty as providing inadequate protections for personal
privacy.  The advisory group, also known as the Article 29 Working
Party, includes the national privacy commissioners of the EU member
states.  The group said it wanted to send "a strong message that a
fair balance must be struck between anti-cyber-crime efforts and the
fundamental rights to privacy and personal data protection of
Noting that the CoE proposal makes reference to several international
human rights documents, the Working Party found that "the draft
Convention does not harmonise the safeguards and conditions"
envisioned in those treaties, nor does it "require such safeguards and
conditions effectively being in place."  The Working Party concluded
that the provisions contained in the draft treaty "are not sufficient
to fully safeguard the fundamental rights to privacy and personal data
On one issue, the advisory group noted an improvement over earlier
drafts of the cybercrime treaty.  The Working Party "welcomes" the
fact that the current version of the Convention (Version 25) no longer
includes a "general surveillance obligation consisting in the routine
retention of all traffic data."  But despite that one change, the
group found that the draft's "wording is often too vague and
confusing," a shortcoming that is particularly problemmatic in a
document containing "mandatory measures that are intended to lawfully
limit fundamental rights and freedoms."
The Working Party also criticizes "the very late release of relevant
documents," referring to the fact that no public version of the draft
treaty was released until Version 19 last year.  While the CoE
drafters are seeking to conclude deliberations on the Convention this
spring, the EU advisory group recommends that "the public debate be
prolonged" and that it include "all parties concerned (human rights
organisations, industry, etc.)," and not just the police and law
enforcement officials (including the U.S. Department of Justice) who
have dominated the drafting process.
The Article 29 Working Party opinion is available at:
The current draft of the CoE Convention on Cybercrime is available at:
[2] Future of Medical Privacy Regulations Uncertain
Implementation of the first federal health privacy regulations have
been delayed by the Bush administration and are almost certain to be
weakened by Health and Human Services (HHS) Secretary Tommy Thompson.
Although health care industry lobbyists have pressured lawmakers to
oppose the regulations, there is still significant support in Congress
to implement the rules immediately.  Last week, sixty-one lawmakers
signed a letter urging Thompson to implement the regulations.  The
lack of support for medical privacy protections represents an abrupt
change in the Bush Administration's stance on privacy (see item [4]
In statements reported in the Wall Street Journal and the Bureau of
National Affairs Health Care Daily Report, Thompson promised to
"simplify" the regulations and lessen the financial burden to health
care providers.  It remains unclear how the rules will be
The rules as formulated by the Clinton administration would have given
patients the right to clear notice of privacy practices, the right to
limit disclosures of medical records, the right to access records and
amend inaccurate information, and the right to file complaints with
HHS.  However, the rules did contain significant exemptions that could
have compromised patients' privacy rights.  For instance, health care
information could have been used for marketing purposes, and patients
would have been required to opt-out of such marketing.  In addition,
law enforcement officials could have accessed health information
without judicial review under the rules.
HHS will continue to accept comments on the privacy regulations
through its website until Friday, March 30 at 5 p.m. (ET).
A template letter supporting the medical privacy rules is available
from the Health Privacy Project:
The Department of Health and Human Services (HHS) Electronic Comment
Submission Form is available at:
[3] Annenberg Releases Report on Kids Privacy Compliance
On March 28, the Annenberg Public Policy Center at the University of
Pennsylvania released a report, "Privacy Policies on Children's
Websites: Do They Play By the Rules?," analyzing current levels of
compliance with the Children's Online Privacy Protection Act (COPPA).
COPPA was enacted by Congress in 1998 and its rules became effective a
year ago in April 2000.  The Act is enforced by the Federal Trade
Commission (FTC).
The study reviewed 162 websites that are among the most popular for
Internet users under the age of thirteen.  Of those 162 websites, 114
displayed a privacy policy on the homepage and 90 of those sites
collected personal information from minors.  Fourteen other sites
collecting personal information did not display any privacy policy,
clearly violating COPPA.  In addition, the content of those privacy
policies were often found not to alert parents to all of COPPA's
privacy protections.  Only 55 percent of privacy policies told parents
that websites could not collect more information than what is
"reasonably necessary" and only 62 percent of those statements told
parents that they could review personal information already collected
from their children.  The study did not examine the extent to which
these websites complied with COPPA in practice, apart from privacy
policies. Unlike most websites, sites targeted at minors must provide
the privacy provisions as outlined in COPPA regardless of the content
of their privacy policies.
In the conclusion of the report, the researchers suggest requiring
websites to display a prominent icon that indicates COPPA compliance
and greater efforts to standardize privacy policies.  The study also
notes that the easiest way to comply with COPPA is not to collect any
personal information from minors.
"Privacy Policies on Children's Websites: Do They Play By the Rules?":
More information about the Children's Online Privacy Protection Act
(COPPA) is available at:
[4] Bush Administration Criticizes EU Privacy Rules
On March 23, representatives of the Bush administration sent a letter
to the European Commission Internal Market Directorate criticizing
proposed European standards for protecting the privacy of transborder
data flows.
The letter concerns the model contractual clauses that have been
proposed by the European Commission to govern the exchange of consumer
information between EU and U.S. companies, such as financial
institutions, that are not covered by the previously negotiated "Safe
Harbor" agreement.  As Article 25 of the 1995 EU Data Protection
Directive prohibits European data processors from "exporting" the
personal information of European citizens to countries that do not
have adequate privacy protection laws in place, these contracts are
necessary to ensure the continued flow of information between Europe
and the United States.  The EU Data Protection Directive's protections
only apply to information collected from EU citizens.
According to the letter sent from the Departments of Commerce and
Treasury, the contracts would require U.S. companies to follow higher
standards of privacy protection than are currently required by U.S.
law.  As a result, the officials warn that "there is a serious danger
the adoption of the standard clauses as drafted will create a de facto
standard that would raise the bar for U.S firms."  They continue that
the requirements are "unduly burdensome" and "incompatible with real
world operations" and urge the European Commission to defer further
consideration of them.  Consumer organizations, such as the Trans
Atlantic Consumer Dialogue (TACD), have previously raised questions
about the adequacy of privacy protection in the United States.
The Bush Administration's resistance to strengthening consumer privacy
protection is seemingly inconsistent with many pro-privacy statements
made by, or on behalf, of candidate Bush during the recent
presidential election campaign.  For example, in a May 19 interview
with BusinessWeek, then-Governor Bush stated that "I'm a
privacy-rights person.  The marketplace can function without
sacrificing the privacy of individuals.  Customers should be allowed
to opt in . . . the company has got to ask permission."  Later, in an
October 17 debate sponsored by George Washington University,
then-domestic policy advisor Stephen Goldsmith stated on behalf of
Bush that "There is a role for Congress ... in requiring that there be
provisions for an opt-in on medical and financial information."
The draft version of the European Commission's Model Contract
Provisions and comments of the U.S. Department of Commerce:
March 23 Letter sent from the Departments of Commerce and Treasury to
the European Commission:
[5] Public Voice Submits Digital Divide Report
The Public Voice is a project of EPIC that seeks to promote the
participation of NGOs in international decision-making bodies that
address Internet policy.  As part of that project, EPIC solicited
comments from the public, in cooperation with the Association for
Progressive Communications (APC), on the Digital Divide (see EPIC
Alert 8.02).  "The Public Voice and the Digital Divide: A Report to
the DOT Force" is a compilation of the public's ideas and views on the
Digital Divide and will be submitted to the Digital Opportunities Task
Force (DOT Force), a Digital Divide initiative of the G-8.  The DOT
Force was created by the G-8 in July 2000.
The Public Voice report addresses four different topics: what are the
best approaches to address the digital divide?; what are the current
barriers to greater Internet access?; what organizations are currently
working on the Digital Divide?; how should groups narrow the Digital
Divide?  A wide variety of approaches were recommended such as the use
of free or open-source software, greater emphasis on education and
training and the creation of more local content.  Unlike most policy
papers, the Public Voice report is largely made up of direct
quotations from public comments.
The DOT Force will release its final action plan at the next G-8
meeting to take place in Genoa, Italy this July.  A draft version of
its report is currently available through the DOT Force website.
"The Public Voice and the Digital Divide: A Report to the DOT Force"
is available at:
For more information about the Digital Opportunities Task Force:
[6] EPIC Bill-Track: New Bills in Congress
H.R.972 Parent Act of 2001. To amend the Elementary and Secondary
Education Act of 1965 to strengthen the involvement of parents in the
education of their children, and for other purposes. Sponsor: Rep
Woolsey, Lynn C (D-CA). Latest Major Action: 3/8/2001 Referred to
House committee: House Education and the Workforce.
H.R.1152 Human Rights Information Act. To promote human rights,
democracy, and the rule of law by providing a process for executive
agencies for declassifying on an expedited basis and disclosing
certain documents relating to human rights abuses in countries other
than the United States. Sponsor: Rep Lantos, Tom (D-CA). Latest Major
Action: 3/21/2001 Referred to House Committee on Government Reform.
H.R.1158 National Homeland Security Agency Act. To establish the
National Homeland Security Agency. Sponsor: Rep Thornberry, William
(Mac) (R-TX). Latest Major Action: 3/21/2001 Referred to House
committee Committees: House Government Reform.
H.R.1176 Fair Credit Reporting Act Amendments of 2001. To amend the
Fair Credit Reporting Act to protect consumers from the adverse
consequences of incomplete and inaccurate consumer credit reports, and
for other purposes. Sponsor: Rep Ford, Harold, Jr. (D-TN). Latest
Major Action: 3/22/2001 Referred to House committee: House Financial
H. J. RES. 38. Disapproving the rule submitted by the Department of
Health and Human Services on December 28, 2000, relating to standards
for privacy of individually identifiable health information. Sponsor:
Rep Paul, Ron (R-TX). Referred to House Committees on Education and
the Workforce, Energy and Commerce and Ways and Means.
EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills
in the 107th Congress, is available at:
[7] EPIC Bookstore - The Internet, Law and Society
The Internet, Law and Society.  Edited by Yaman Akdeniz, Clive Walker,
and David Wall.
The advent of a global information society demands a new understanding
of the complexities of the architecture of that society and its
implications for existing social institutions such as law and
government.  This authoritative and innovative book takes as its theme
the Internet within the settings of law, politics and society.  It
relates and analyses their interactions and draw out the implications
of "cyberspace" for law and society.  It therefore has a wider and
more critical agenda that existing, more technical expositions of
computer or Internet law.  It is about the "law in action" and not
just the "law in books."  It examines Internet activity that takes
place in the shadow of law where there is a fascinating range of
regulatory responses and governance strategies.  The book covers, in
four Parts: the Internet, law and society; governance and the
Internet; legal institutions and professions and the Internet; and,
legal controversies in cyberspace.
For other books recommended by EPIC, browse the EPIC Bookshelf at:
EPIC Publications:
"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.
"Privacy & Human Rights 2000: An International Survey of Privacy Laws
and Developments," David Banisar, author (EPIC 2000).
Price: $20. http://www.epic.org/phr/
This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including, data protection, telephone
tapping, genetic databases, ID systems and freedom of information
"The Privacy Law Sourcebook 2000: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000).
Price: $40. http://www.epic.org/pls/
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.
"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.
"Filters and Freedom: Free Speech Perspectives on Internet Content
Controls," David Sobel, editor (EPIC 1999). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.
Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore: http://www.epic.org/bookstore/
[8] Upcoming Conferences and Events
Online, Offshore and Cross-Border: Regulating Global E-Commerce.
Washington College of Law, American University. March 30, 2001.
Washington, DC. For more information: http://www.wcl.american.edu
Call For Papers - March 31, 2001 (prizes available for graduate
student papers). The 29th Research Conference on Communication,
Information and Internet Policy. October 27-29, 2001. Alexandria, VA.
For more information: http://www.tprc.org
BNA Public Policy Forum: Cybersecurity and Privacy. Pike and Fischer,
Inc. April 4, 2001. Washington, DC. For more information:
First International Conference on Human Aspects of the Information
Society. Information Management Research Institute, University of
Northumbria at Newcastle. April 9-11, 2001. Newcastle upon Tyne,
England. For more information: http://is.northumbria.ac.uk/imri
Corporate Privacy Officers Program 2001: Washington Briefing and Peer
Workshop. Privacy and American Business. April 11-12, 2001.
Washington, DC. For more information: http://www.pandab.org/
National Summit on Electronic Privacy. The National Institute for
Government Innovation. April 23-24, 2001. Washington, DC. For more
information: http://www.nigi.org/
The First Annual Privacy and Data Protection Summit. Privacy Officers
Association. May 2-4, 2001. Arlington, VA. For more information:
The 26th Annual AAAS Colloquium on Science and Technology Policy.
American Association for the Advancement of Science. May 3-4, 2001.
Washington, DC. For more information:
Future of the Internet: Preserving the Internet's Openness, Freedom,
and Diversity. Center for Media Education and Center for Digital
Democracy. May 9, 2001. Washington, DC. For more information:
The Internet and State Security Forum (ISSF). Cambridge Review of
International Affairs. May 19, 2001. Cambridge, England. For more
information: http://www.cria.org.uk/
Communication Research and Policy Workshop. Ford Foundation and
Computer Professionals for Social Responsibility (CPSR). May 24, 2001.
Washington, DC. For more information: http://www.cpsr.org/ICA_workshop
The Internet Security Conference (TISC) 2001. Core Competence, Inc.
June 4-8, 2001. Los Angeles, CA. For more information:
INET 2001: A Net Odyssey, Mobility and the Internet. The 11th Annual
Internet Society Conference. June 5-8, 2001. Stockholm, Sweden. For
more information: http://www.isoc.org/inet2001/
ETHICOMP 2001: Systems of the Information Society. Telecommunications
and Informatics Technical University of Gdansk, Poland. June 18-20,
2001. Gdansk, Poland. For more information:
Democracy Forum 2001: Democracy and the Information Revolution.
International Institute for Democracy and Electoral Assistance. June
27-29, 2001. Stockholm, Sweden. For more information:
Call for Papers - June 30, 20001. CEPE2001: Computer Ethics,
Philosophical Enquiries. Lancaster University (UK). Centre for Study
of Technology in Organizations, Institute for Environment, Philosophy
and Public Policy. December 14-16, 2001. For more information:
Call For Submissions - August 3, 2001. Workshop on Security and
Privacy in Digital Rights Management 2001. Eighth Association for
Computing Machinery (ACM) Conference on Computer and Communications
Security. November 5, 2001. For more information:
ICSC 2001: International Conference on Social Computing. University of
Bremen. October 1-3, 2001. Bremen, Germany. For more information:
Privacy2001: Information, Security & Ethics for the New Century.
Technology Policy Group. October 3-4, 2001. Cleveland, Ohio. For more
information: http://www.privacy2000.org/
Learning for the Future. Business for Social Responsibility's Ninth
Annual Conference. November 7-9, 2001. Seattle, WA. For more
information: http://www.bsr.org/events/2001.asp
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. A Web-based form is available for
subscribing or unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you have
any other questions.
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 8.06 -----------------------