EPIC logo

       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 8.13                                      July 18, 2001
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] Appeals Court Decision Protects Anonymous Online Speech
[2] Consumer and Privacy Groups Outline FTC Priorities
[3] HHS Clarifies Privacy Rule, May Change Minors' Rights
[4] EPIC Testifies before Congress on Internet Privacy
[5] Florida Court Blocks Access to Autopsy Photos
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - Dmitri Sklyarov Reading List
[8] Upcoming Conferences and Events
[1] Appeals Court Decision Protects Anonymous Online Speech
In the first appellate court decision to consider the issue, a New
Jersey court on July 11 rejected a company's attempt to obtain the
identities of anonymous Internet critics.  A three-judge panel of the
New Jersey Superior Court, Appellate Division, ruled that the company,
Dendrite International, failed to meet the stringent legal standards
required to obtain subpoenas for the disclosure of the identities of
people who post comments on Internet message boards.  The decision
affirms a lower court ruling issued last November (see EPIC Alert
Dendrite had sued four people who anonymously posted messages critical
of the company on a Yahoo! message board, alleging that the posters
had made false statements, had violated employment agreements, and/or
had published secret information.  Noting that "[i]t is well-
established that rights afforded by the First Amendment remain
protected even when engaged in anonymously," the appeals court adopted
a four-part test to ensure that the right to speak anonymously can be
lost only if the plaintiff can show that it has a valid case against
the speakers that could not be pursued without identifying the
Under this standard, a court should first require the plaintiff to
attempt to notify the anonymous posters that their identities are
being sought and give the "John Doe" defendants an opportunity to
oppose the request.  Second, the plaintiffs must identify the exact
statements alleged to be unlawful.  Third, the court must then
determine both whether the complaint states a valid claim for relief
and whether the plaintiff has enough evidence to support its claim.
Finally, if the first three criteria are met, the court must balance
the defendant's First Amendment right of anonymous free speech against
the strength of the case and the necessity for identifying the poster.
The appeals court upheld the lower court ruling that Dendrite had not
met this standard, because there was no proof that the messages had
caused its stock price to fall or had otherwise caused it harm.
The procedures adopted by the court had been proposed in an amicus
brief filed by Public Citizen Litigation Group and the American Civil
Liberties Union of New Jersey Foundation.  The decision is likely to
be influential in other cases, which are growing in frequency; Yahoo!
recently told a judge in another case that it has received thousands
of subpoenas like Dendrite's.
The appeals court decision is available at:
The Public Citizen/ACLUNJF amicus brief is available at
[2] Consumer and Privacy Groups Outline FTC Priorities
On July 17, members of the Privacy Coalition, a non-partisan coalition
of consumer, civil liberties, educational, library, labor, and
family-based groups, met with Federal Trade Commission (FTC) Chairman
Timothy Muris.  The Coalition presented a letter to the Chairman with
recommendations for future FTC action on privacy issues.  This is the
second meeting that the Privacy Coalition has had with the Chairman.
Chairman Muris says that he has devoted more time to privacy than any
other issue since taking over at the FTC.
In the meeting, Coalition members stressed that a top priority for
the Commission should be to develop a better complaint handling system
that would make it easier to receive, process and respond to privacy
complaints from individual members of the public.  They also
recommended that the resulting statistics be published in an annual
report similar to that submitted by the Administrative Office of the
U.S. Courts each year on federal and state applications for wiretaps.
Considerable discussion was devoted to the enforcement of existing
privacy laws in the offline sector, such as the Fair Credit Reporting
Act and the Telemarketing Sales Rule, as well as the need for reforms
and increased oversight in the online sector.  The Coalition urged the
FTC to promote the principles of Fair Information Practices, rather
than simply "notice and choice," when investigating companies that
routinely change their privacy policies or when endorsing industry
guidelines such as last year's agreement with the Network Advertising
Initiative on online profiling.
Finally, the Coalition encouraged the Commission to continue to hold
public workshops on privacy and security related issues and to
establish contact with the national data protection commissions that
have been established in many other countries around the world.
A copy of the letter presented to the Chairman is available at:
For more information on the Privacy Coalition, see:
[3] HHS Clarifies Privacy Rule, May Change Minors' Rights
The Department of Health and Human Services (HHS) has released
guidelines clarifying the Privacy Rule, a framework of new protections
for patient information developed pursuant to the Health Insurance
Portability and Accountability Act of 1996 (HIPAA).  The Privacy Rule
sets the first federal standards for protection of individually
identifiable health information.  The new HHS guidelines on the
Privacy Rule indicate that HHS will "reassess" the rights of parents
to access the medical records of their minor children.  The agency
will also change certain rules to accommodate common practices in the
health care industry.
Generally, the Privacy Rule assumes that parents are the "personal
representatives" of their minor children, and that they can receive
protected health information without consent of the child.  The
Privacy Rule contains two exemptions to this assumption.  The first
allows a parent to permit a direct confidential relationship between
the care provider and child for treatment.  The second permits the
provider to withhold information from the parent where the child may
be endangered as a result of the disclosure.  The guidelines specify
that HHS Secretary Thompson will reassess these exemptions.
HHS has indicated that the Privacy Rule will be changed to accommodate
certain common practices in delivery of health care.  For instance,
HHS will modify provisions to allow pharmacists to accept phoned-in
prescription orders without first obtaining written consent from the
patient.  In addition, contrary to arguments made by opponents of the
Privacy Rule, hospitals and other medical facilities will not have to
build soundproof rooms to prevent others from overhearing patient
information.  The HHS clarification specifies that reasonable
safeguards, such as lowering the volume of one's voice, can be used to
prevent inappropriate disclosure of patient information.
Before HHS is able to change aspects of the Privacy Rule, the agency
must first publish a notice in the Federal Register and accept
comments from the public.  EPIC will track these developments as they
Standards for Privacy of Individually Identifiable Health Information:
HHS Fact Sheet describing the Privacy Rule protections:
[4] EPIC Testifies before Congress on Internet Privacy
On July 11, 2001, the Senate Committee on Commerce, Science, and
Transportation held a hearing on the need for privacy legislation.
During the hearing, the Committee examined existing laws protecting
privacy, in the U.S. and abroad, to determine what kind of privacy
legislation might be appropriate for the Internet.
The hearing consisted of two panels.  The first panel included EPIC
Executive Director Marc Rotenberg, Indiana University School of Law
Professor Fred Cate, and Brooklyn Law School Professor Paul Schwartz,
Ph.D.  The second panel included Amazon.com Vice President of Global
Public Policy, Paul Misener, author Hans Peter Brondmo, VP and Chief
Privacy Officer of Earthlink Inc., Les Seagraves, Associate General
Counsel for Microsoft Corporation, Ira Rubinstein, and Jason Catlett,
President of Junkbusters.
Marc Rotenberg of EPIC testified that legislation to protect privacy
on the Internet is necessary for many reasons.  For one, it has been
the legal tradition to introduce new legislation when new electronic
services are provided, whereas privacy on the Internet has heretofore
been self-regulated.  Legislation to protect Internet privacy would
help users bypass the various problems encountered with self-
regulation.  Rotenberg stated that good Internet privacy legislation
would include provisions on such issues as openness and accountability,
meaningful consent, and private right of action, and that weak
legislation that failed to properly safeguard personal information
would merely increase public backlash.
Rotenberg also argued that current public opinion shows the majority
of Internet users want the ability to control the collection and use
of personal data and users would like data collection and usage to be
regulated by legislation.  In a recent Gallup Poll, 66% of e-mail
users said that the federal government should pass laws to protect
privacy online.  The poll found that support for legislation increased
as the level of experience increased.  Frequent Internet users (those
who spend 15 hours or more online each week) are more likely to favor
the passage of new laws (75%) than infrequent users (63%).
In related news, on July 12, the House Subcommittee on Courts, the
Internet, and Intellectual Property held a hearing on "The Whois
Database: Privacy and Intellectual Property Issues."  At the hearing,
the Electronic Privacy Information Center (EPIC) issued a letter to
the Subcommittee outlining the free speech and anonymity arguments for
supporting only voluntary submission of information to the Whois
database.  The Internet Corporation for Assigned Names and Numbers
(ICANN) is currently conducting a survey of the Internet community's
attitudes on proper requirements and uses of the Whois database (see
EPIC Alert 8.11).  ICANN will be accepting responses until the end of
EPIC's Testimony on Internet Privacy is available at:
Written testimony from the witnesses is available at:
EPIC Letter to the House Subcommittee on Courts, the Internet, and
Intellectual Property on the Whois database:
[5] Florida Court Blocks Access to Autopsy Photos
Applying a recently-enacted state law sealing autopsy photographs
absent judicial authorization, a Florida judge has blocked media
access to autopsy images of racecar driver Dale Earnhardt, who was
killed in a last-lap crash during the Daytona 500 in February.  Citing
the family's privacy interest, Earnhardt's widow filed a lawsuit
seeking to block access to the autopsy records on February 22, just
four days after the racing legend died.  Initially, access was sought
by the Orlando Sentinel to confirm NASCAR statements that a broken
seatbelt contributed to Earnhardt's death, an assertion hotly
contested by both paramedics on the scene and the seatbelt's
manufacturer.  These allegations were ultimately refuted after a
settlement between Teresa Earnhardt and the Sentinel, in which an
independent medical examiner was appointed to examine the autopsy
photographs and issue a report as to the cause of death.
However, in the subsequent four-month legal battle, attorneys for the
Independent Florida Alligator, a student-run newspaper at the
University of Florida, and websitecity.com (neither parties to the
settlement) argued that public review of the photographs was necessary
to prevent future racing fatalities and to ensure that the county
coroner did an adequate job assessing the cause of death.  Teresa
Earnhardt urged the judge to personally examine the photographs, so
that he could better understand their graphic nature.  She vehemently
opposed access to the pictures, stating that the photographs were
"humiliating, disgusting, and negative," and that dissemination would
cause the family extreme emotional distress.
In a final order issued July 9, following months of heated arguments
between attorneys for all parties, Circuit Judge Joseph Will ruled
that the new statute is constitutional.  Although Judge Will did not
rule, as urged by the family's attorney, that Teresa Earnhardt had a
protected constitutional right to privacy in the photographs under the
U.S. Constitution, his opinion contains language defending such a
right.  "Modern times have witnessed an erosion of the individual
expectation of privacy to a pathetic point . . . Nosiness has become
the order of the day -- so long as it is amusing or entertaining."
Judge Will's opinion states that he was tempted to expand his ruling
beyond the state law, but felt that this would overreach his judicial
The constitutionality of the law is currently under challenge by news
media organizations in a separate case.  In a related development, an
opinion issued by Florida Attorney General Bob Butterworth on July 11
says that medical examiners can use autopsy photographs in training
for public agencies but cannot show them to private parties without a
court order.
The court opinion denying access to the Earnhardt autopsy
photographs is available at:
The Florida Attorney General's opinion is available at:
[6] EPIC Bill-Track: New Bills in Congress
H.R.2336 To make permanent the authority to redact financial
disclosure statements of judicial employees and judicial officers.
Sponsor: Rep Coble, Howard (R-NC). Latest Major Action: 6/27/2001
Referred to House committee: House Judiciary.
H.R.2360 Campaign Reform and Citizen Participation Act of 2001. To
amend the Federal Election Campaign Act of 1971 to restrict the use of
non-Federal funds by national political parties, to revise the
limitations on the amount of certain contributions which may be made
under such Act, to promote the availability of information on
communications made with respect to campaigns for Federal elections,
and for other purposes. Sponsor: Rep Ney, Robert W. (R-OH). Latest
Major Action: 6/28/2001 House committee/subcommittee actions
Committees: House Administration.
H.R.2417 Dot Kids Domain Name Act of 2001. To facilitate the creation
of a new global top-level Internet domain that will be a haven for
material that will promote positive experiences of children and
families using the Internet, to provide a safe online environment for
children, and to help prevent children from being exposed to harmful
material on the Internet, and for other purposes. Sponsor: Rep
Shimkus, John (R-IL). Latest Major Action: 6/28/2001 Referred to House
committee: House Energy and Commerce.
H.R.2435 Cyber Security Information Act. To encourage the secure
disclosure and protected exchange of information about cyber security
problems, solutions, test practices and test results, and related
matters in connection with critical infrastructure protection.
Sponsor: Rep Davis, Tom (R-VA). Latest Major Action: 7/10/2001
Referred to House committee: House Government Reform; House Judiciary.
H.R.2458 E-Government Act of 2001 . To enhance the management and
promotion of electronic Government services and processes by
establishing a Federal Chief Information Officer within the Office of
Management and Budget, and by establishing a broad framework of
measures that require using Internet-based information technology to
enhance citizen access to Government information and services, and for
other purposes. Sponsor: Rep Turner, Jim (D-TX). Latest Major Action:
7/11/2001 Referred to House committee: House Government Reform.
H.R.2472 Protect Children From E-Mail Smut Act of 2001. To protect
children from unsolicited e-mail smut containing sexually oriented
advertisements offensive to minors. Sponsor: Rep Lofgren, Zoe (D-CA).
Latest Major Action: 7/11/2001 Referred to House committee: House
Energy and Commerce; House Judiciary; House Science.
H.R.2500 Making appropriations for the Departments of Commerce,
Justice, and State, the Judiciary, and related agencies for the fiscal
year ending September 30, 2002, and for other purposes. Sponsor: Rep
Wolf, Frank R. (R-VA). Latest Major Action: 7/16/2001 House
preparation for floor Committees: House Appropriations Departments of
Commerce, Justice, and State, the Judiciary, and Related Agencies
Appropriations Act, 2002 (Reported in the House).
S.1014 Social Security Number Privacy and Identity Theft Prevention
Act of 2001. A bill to amend the Social Security Act to enhance
privacy protections for individuals, to prevent fraudulent misuse of
the Social Security account number, and for other purposes. Sponsor:
Sen Bunning, Jim (R-KY). Latest Major Action: 6/12/2001 Referred to
Senate committee: Senate Finance.
S.1065 Inspector General for the Federal Bureau of Investigation Act
of 2001. A bill to amend the Inspector General Act of 1978 (5 U.S.C.
App.) to establish an Inspector General for the Federal Bureau of
Investigation, and for other purposes. Sponsor: Sen Durbin, Richard J.
(D-IL). Latest Major Action: 6/20/2001 Referred to Senate committee:
Senate Judiciary.
S.1074 FBI Reform Commission Act of 2001. A bill to establish a
commission to review the Federal Bureau of Investigation. Sponsor: Sen
Schumer, Charles E. (D-NY). Latest Major Action: 6/20/2001 Referred to
Senate committee: Senate Judiciary.
S.1164 Location Privacy Protection Act of 2001. A bill to provide for
the enhanced protection of the privacy of location information of
users of location-based services and applications, and for other
purposes. Sponsor: Sen Edwards, John (D-NC). Latest Major Action:
7/11/2001 Referred to Senate committee: Senate Commerce, Science, and
S.1165 Juvenile Crime Prevention and Control Act of 2001. A bill to
prevent juvenile crime, promote accountability by and rehabilitation
of juvenile crime, punish and deter violent gang crime, and for other
purposes. Sponsor: Sen Biden Jr., Joseph R. (D-DE) Latest Major
Action: 7/11/2001 Referred to Senate committee: Senate Judiciary.
EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills
in the 107th Congress, is available at:
[7] EPIC Bookstore - Dmitri Sklyarov Reading List
On July 17, Dmitri Sklyarov, a Russian graduate student, was arrested
by the U.S. Attorney's Office of Northern California after presenting
a paper on encryption, as used in electronic books, at the DefCon
conference in Las Vegas.  He was charged with trafficking in software
that circumvents copyright protection and aiding and abetting such
trafficking.  The charges are being brought under the criminal
provisions of the Digital Millenium Copyright Act (DMCA) and could
result in up to five years in jail and a $500,000 fine.  Dmitri
Sklyarov is twenty-seven years old and has two children.
The First Amendment by Peter H. Irons
This sequel to the bestselling "May it Please the Court" focuses on
sixteen key First Amendment cases illustrating the most controversial
debates over issues of free speech, freedom of the press, and the
right to assemble.  Includes actual oral arguments made before the
Supreme Court by well-known attorneys, along with transcripts placing
speakers and cases in context.
Digital Copyright by Jessica Litman
In this enlightening book, law professor Litman questions whether
copyright laws really make sense for the majority of people.  Should
every interaction between consumers and copyright-protected works be
restricted by law? Here she argues for reforms that reflect common
sense and the way people behave in their daily digital interactions.
Crypto by Steven Levy
>From the author who made "hacker" a household word comes a ground-
breaking book about the most hotly debated subject of the digital age.
"Crypto" concerns privacy in the information age and about the nerds
and visionaries who, nearly 20 years ago, predicted that the
Internet's greatest virtue - free access to information - was also its
most perilous drawback: a possible end to privacy.
EPIC Publications:
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls," (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.
"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.
"Privacy & Human Rights 2000: An International Survey of Privacy Laws
and Developments," David Banisar, author (EPIC 2000).
Price: $20. http://www.epic.org/phr/
This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including, data protection, telephone
tapping, genetic databases, ID systems and freedom of information
"The Privacy Law Sourcebook 2000: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000).
Price: $40. http://www.epic.org/pls/
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.
"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.
Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore: http://www.epic.org/bookstore/
[8] Upcoming Conferences and Events
Healthcare Transactions and Code Sets, Privacy, Data Security and
HIPAA/GLB Compliance: The Future of Technology, the Internet and EDI
in Healthcare. The Health Colloquium at Harvard and the HIPAA Summit
Conference Series. August 19-22, 2001. Cambridge, MA. For more
information: http://www.ehc-info.com/
Health Information Privacy: Dialogue with the Stakeholders. Riley
Information Services, Inc. September 28, 2001. Ottawa, Canada. For
more information: http://www.rileyis.com/seminars/
Call For Submissions - August 3, 2001. Workshop on Security and
Privacy in Digital Rights Management 2001. Eighth Association for
Computing Machinery (ACM) Conference on Computer and Communications
Security. November 5, 2001. Philadelphia, PA. For more information:
Privacy2001: Information, Security & Ethics for the New Century.
Technology Policy Group. October 3-4, 2001. Cleveland, OH. For more
information: http://www.privacy2000.org/
Privacy: The New Management Imperative - Chief Privacy Officer
Training Program. Southern Methodist University and Privacy Council.
October 15-17, 2001. Dallas, TX. For more information:
Nurturing the Cybercommons, 1981-2001. Computer Professionals for
Social Responsibility (CPSR) 20th Annual Meeting. October 19-21, 2001.
Ann Arbor, MI. For more information:
The Third National HIPAA Summit: From Theory to Practice - From
Planning to Implementation. October 24-26, 2001. Washington, DC. For
more information: http://www.hipaasummit.com/
The 29th Research Conference on Communication, Information and
Internet Policy. Telecommunications Policy Research Conference.
October 27-29, 2001. Alexandria, VA. For more information:
The 8th Annual Centre for Applied Cryptographic Research (CACR) 
Information Security Workshop: The Human Face of Privacy Technology. 
University of Waterloo and Information and Privacy Commission/Ontario. 
November 1-2, 2001. Toronto, Ontario. For more information: 
Privacy: The New Management Imperative - Chief Privacy Officer
Training Program. Cambridge University and Privacy Council.
November 5-8, 2001. Cambridge, England. For more information:
Learning for the Future. Business for Social Responsibility's Ninth
Annual Conference. November 7-9, 2001. Seattle, WA. For more
information: http://www.bsr.org/events/2001.asp
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. A Web-based form is available for
subscribing or unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you have
any other questions.
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 8.13 -----------------------