EPIC logo

       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 8.14                                      July 31, 2001
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] Privacy Groups File FTC Complaint About Windows XP
[2] Court Hears Arguments on Use of Secret Keystroke Monitor
[3] House Adopts Carnivore Reporting Requirements
[4] FBI Nominee Questioned on Computer Privacy Issues
[5] Groups Petition Agencies to Improve Financial Privacy
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - Striking a Balance: ePrivacy in the Workplace
[8] Upcoming Conferences and Events
[1] Privacy Groups File FTC Complaint About Windows XP
On July 26, EPIC and thirteen other public interest groups filed a
formal complaint with the Federal Trade Commission regarding Windows
XP, Microsoft's new operating system.  The complaint alleges that this
system and associated services such as Hailstorm, Passport, and
E-Wallet, are intended to profile, track, and monitor millions of
Internet users, and therefore Microsoft is engaging in unfair and
deceptive trade practices in violation of Section 5 of the Federal
Trade Commission Act.
The complaint examines in detail the privacy threats of Passport,
Hailstorm, Hotmail, the MSN network of Web sites, and the product
activation and registration procedures for Windows XP.  It examines
how each of these services collects and discloses detailed personal
information about users without sufficient guarantees of privacy or
security, and often without any real knowledge or consent.  It
demonstrates how Passport account information is shared among third
party Web-sites; how Windows XP users are forced to create a Passport
account to use Internet communications features (such as instant
messaging); how Hailstorm essentially strips users of their right to
control their personal information; how Hotmail users are
automatically signed up for a Passport account without notice or even
an opt-out facility; and how Microsoft misleads consumers when it says
that information gathered through product activation will not be
linked to personally identifiable information.  The complaint
concludes that the far-reaching and inter-connected nature of these
Internet business activities, coupled with the extraordinary market
dominance of Microsoft, constitutes a unique threat to the privacy of
computer users.
In terms of relief, the complainants request the FTC to initiate an
investigation into the information collection practices of Windows XP
and other services, and to order Microsoft to revise XP registration
procedures; to block the sharing of Passport information among
Microsoft properties absent explicit consent; to allow users of
Windows XP to gain access to Microsoft web sites without disclosing
their actual identity; and to enable users of Windows XP to easily
integrate services provided by non-Microsoft companies for online
payment, electronic commerce, and other Internet-based commercial
The complaint is available at:
[2] Court Hears Arguments on Use of Secret Keystroke Monitor
In a case that could have a significant impact on the conduct of
high-tech police investigations, a federal judge in Newark, New Jersey
heard arguments on July 30 on a motion to disclose information
concerning the FBI's surreptitious installation of a "key logger" on a
suspect's computer. The mechanism was used to capture the suspect's
PGP encryption passphrase. In the first known case of its kind, the
defense is seeking discovery that would allow analysis of the
technique, which has only been described publicly as "specialized
computer software, firmware and/or hardware."  The government is
vigorously opposing disclosure.
U.S. District Court Judge Nicholas Politan directed attorneys for
defendant Nicodemo Scarfo, Jr. to file a supplemental brief addressing
their need for information describing the secret technique by August
1; the government was ordered to respond by August 3.
The details are important for two reasons.  First, the FBI installed
the logger with a standard search warrant rather than a wiretap
authorization. FBI pen register records, however, indicate that Scarfo
accessed his online account numerous times while his computer was
subject to monitoring.  The defense argues that the logging mechanism
must be evaluated to determine whether it could have captured online
activity (which would have required a wiretap order).
The defense also argues that the technique may have violated the
Fourth Amendment by facilitating a "general search."  While the court
order authorizing the installation specified that Scarfo's encryption
passphrase was the target of the search, it appears that all
information entered into the computer was subject to capture.
The technique employed in the case is similar to procedures that would
have been authorized in legislation proposed by the Clinton
Administration in 1999.  The draft legislation, known as the
Cyberspace Electronic Security Act (CESA), would have amended current
law to authorize "the alteration of hardware or software that allows
plaintext to be obtained even if attempts were made to protect it
through encryption."  The CESA proposal, which was dropped in the face
of strong public opposition, would have given law enforcement
officials the power to enter private premises surreptitiously to
install a "recovery device." (See EPIC Alert 6.13).
Selected court documents on the Scarfo case are available at:
[3] House Adopts Carnivore Reporting Requirements
Following a recommendation made by EPIC last year in Congressional
testimony, the House of Representatives has established new reporting
requirements for the use of the Carnivore Internet surveillance device
(also known as DCS 1000) and other similar systems by law enforcement
agents.  These requirements were outlined in an amendment offered by
Rep. Bob Barr (R-GA), which passed as part of the Department of
Justice's annual appropriations bill, H.R. 2215.
The Barr Amendment requires the Attorney General and the Director of
the FBI to submit annual reports to Congress, detailing such
information as the number of times Carnivore was used in the past
fiscal year and the criteria and procedures for submitting, reviewing,
and approving requests to use Carnivore.
Carnivore was developed to monitor e-mail and other online activities
of suspected criminals.  Privacy advocates argue that the system is
too invasive, and fear that it grants the government too much power in
monitoring citizens' private online activities by requiring Internet
service providers to give law enforcement full access to their data
A spokesman for Rep. Dick Armey (R-TX) said that the legislation
"sends a message [to the FBI] that Congress is watching and there will
be accountability if this system is used."
The bill was referred to the Senate Judiciary Committee on July 24. 
If it passes the Senate, the Attorney General and the FBI Director
will be required to submit their first report to Congress no later
than 30 days after the end of Fiscal Year 2001.
For background information on Carnivore, see:
Proposed Carnivore reporting requirements, as specified in H.R. 2215:
[4] FBI Nominee Questioned on Computer Privacy Issues
The Senate Judiciary Committee today concluded the second and final
day of hearings on the nomination of Robert S. Mueller to be the next
Director of the FBI.  Several days prior to the confirmation hearings,
EPIC sent a letter to the Committee, urging it to question the nominee
on his views on privacy and freedom of information issues.  Several of
the issues addressed in the letter were raised during the hearings.
On the first day of the confirmation hearings, in response to a
question from Sen. Orrin Hatch (R-UT), Mr. Mueller laid out a
four-tier hierarchy for the investigation of computer crimes.  In
priority order, Mr. Mueller said he would like to see the FBI focus
most heavily on computer intrusions and denial of service attacks;
theft of intellectual property and corporate espionage; fraud and
child pornography; and finally, the theft of high-tech hardware.
On the second day of the hearings, Sen. Maria Cantwell (D-WA) directly
asked Mr. Mueller about the FBI's high-tech investigative techniques
and the potentially invasive implications of systems such as Carnivore
and the FBI's "key logger" system (specifically referring to the
Scarfo case).  Mr. Mueller stated that the FBI's newest technological
"investigative tools" are "cutting edge" and "second to none."  He
went on to say that the "rapid advances" of these investigative tools
have led to "privacy concerns that we have to address."  Stating that
he is "sensitive to the concerns relating to privacy," Mr. Mueller
noted that he has "already had meetings with privacy groups"
concerning Carnivore and that he hopes that "technology overtakes the
necessity for using" such systems in the future.
Committee Chairman Patrick Leahy (D-VT) picked up where Sen. Cantwell
left off, questioning Mr. Mueller about the recent Supreme Court
decision in Kyllo v. U.S., where the warrantless use of thermal
imaging devices was found to violate the Fourth Amendment (see EPIC
Alert 8.11).  Mr. Mueller said that this was an area where "law
enforcement needed guidance from the Supreme Court," although he
pointed out that the Kyllo decision was "not a unanimous decision." 
Mr. Mueller went on to say that regarding issues "where there is a law
enforcement tool, [and] there are privacy issues implicated . . . we
do have to look at each of those issues and be cognizant of the
privacy interests involved."  The nominee said that in the future, he
would like to be "sit down and get the input from a number of
different people with different concerns . . . [and be] responsive to
those concerns and do so without the necessity of perhaps going to a
court or a third party."
EPIC's letter to the Senate Judiciary Committee is available at:
[5] Groups Petition Agencies to Improve Financial Privacy
EPIC and a coalition of consumer and civil liberties groups have
petitioned federal agencies to improve financial privacy protections
under the Gramm-Leach-Bliley Act (GLBA).  The petition requests that
the agencies begin a new rulemaking to ensure that consumers receive
clear and concise notice and convenient methods of opting-out of
information sharing.
In recent months, consumers received GLBA privacy notices that
contained information describing the opt-out process.  However, the
notices were often lengthy and difficult to read.  Many employed
language rife with double-negatives and confusing sentence structure.
A study conducted by a readability expert concluded that most policies
were written at a third or fourth-year college reading level.  As a
result of confusing privacy notices and the burden placed on consumers
by opt-out mechanisms, the American Banking Association has estimated
that less than one percent of consumers have opted-out under the GLBA.
In order to inform consumers fully of their rights and to encourage
opting-out, the petition suggests specific language to clarify rights
and mechanisms that will facilitate opting out.  EPIC will continue to
follow developments surrounding the GLBA and financial privacy, and
advocate the adoption of an opt-in standard for privacy.
Coalition Petition to Federal Agencies to Improve GLBA Privacy
[6] EPIC Bill-Track: New Bills in Congress
H.R.2215 21st Century Department of Justice Appropriations
Authorization Act. To authorize appropriations for the Department of
Justice for fiscal year 2002, and for other purposes. Sponsor: Rep
Sensenbrenner, F. James, Jr. (R-WI). Latest Major Action: 7/24/2001
Referred to Senate committee: House Judiciary; Senate Judiciary
S.1215 Dpartments of Commerce, Justice, and State, the Judiciary, and
Related Agencies Appropriations Act, 2002. An original bill making
appropriations for the Departments of Commerce, Justice, and State,
the Judiciary, and related agencies for the fiscal year ending
September 30, 2002, and for other purposes. Sponsor: Sen Hollings,
Ernest F. (D-SC). Latest Major Action: 7/20/2001 Placed on Senate
Legislative Calendar under General Orders. Calendar No. 95.
Committees: Senate Appropriations.
S.1234. A bill to amend title 18, United States Code, to provide that
certain sexual crimes against children are predicate crimes for the
interception of communications, and for other purposes. Sponsor: Sen
Hatch, Orrin G. (R-UT). Latest Major Action: 7/25/2001 Referred to
Senate committee: Senate Judiciary.
S.1242. A bill to amend the Fair Credit Reporting Act to provide for
disclosure of credit-scoring information by creditors and consumer
reporting agencies. Sponsor: Sen Schumer, Charles E. (D-NY). Latest
Major Action: 7/25/2001 Referred to Senate committee: Senate Banking,
Housing, and Urban Affairs.
EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills
in the 107th Congress, is available at:
[7] EPIC Bookstore - Striking a Balance: e-Privacy in the Workplace
Striking a Balance: e-Privacy in the Workplace by the Business for
Social Responsibility Education Fund
With the American Management Association finding that nearly 3/4 of
major businesses monitor their employees, the Business for Social
Responsibility Education Fund has released a report arguing that
employers should accommodate workers' privacy. The report finds that
not accommodating privacy in the workplace can result in a lack of
employee trust, creativity, and health. Accordingly, the study
recommends that employers accommodate some fundamental privacy rights
for their employees. These include notice, employee participation in
drafting a monitoring policy, and employee access to information
collected under the policy.
EPIC Publications:
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls," (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.
"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.
"Privacy & Human Rights 2000: An International Survey of Privacy Laws
and Developments," David Banisar, author (EPIC 2000).
Price: $20. http://www.epic.org/phr/
This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including, data protection, telephone
tapping, genetic databases, ID systems and freedom of information
"The Privacy Law Sourcebook 2000: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000).
Price: $40. http://www.epic.org/pls/
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.
"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.
Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore: http://www.epic.org/bookstore/
[8] Upcoming Conferences and Events
Healthcare Transactions and Code Sets, Privacy, Data Security and
HIPAA/GLB Compliance: The Future of Technology, the Internet and EDI
in Healthcare. The Health Colloquium at Harvard and the HIPAA Summit
Conference Series. August 19-22, 2001. Cambridge, MA. For more
information: http://www.ehc-info.com/
The Broadband Economy: The Emerging Market System in Bandwidth.
Columbia Institute for Tele-Information (CITI). September 14, 2001.
New York, NY. For more information: http://www.citi.columbia.edu/
Key Drivers for 3G Wireless: Will 3G Deliver its Promise? Columbia
Institute for Tele-Information (CITI). September 20, 2001. New York,
NY. For more information: http://www.citi.columbia.edu/
Health Information Privacy: Dialogue with the Stakeholders. Riley
Information Services, Inc. September 28, 2001. Ottawa, Canada. For
more information: http://www.rileyis.com/seminars/
Call For Submissions - August 3, 2001. Workshop on Security and
Privacy in Digital Rights Management 2001. Eighth Association for
Computing Machinery (ACM) Conference on Computer and Communications
Security. November 5, 2001. Philadelphia, PA. For more information:
Privacy2001: Information, Security & Ethics for the New Century.
Technology Policy Group. October 3-4, 2001. Cleveland, OH. For more
information: http://www.privacy2000.org/
Privacy: The New Management Imperative - Chief Privacy Officer
Training Program. Southern Methodist University and Privacy Council.
October 15-17, 2001. Dallas, TX. For more information:
Nurturing the Cybercommons, 1981-2001. Computer Professionals for
Social Responsibility (CPSR) 20th Annual Meeting. October 19-21, 2001.
Ann Arbor, MI. For more information:
The Third National HIPAA Summit: From Theory to Practice - From
Planning to Implementation. October 24-26, 2001. Washington, DC. For
more information: http://www.hipaasummit.com/
The 29th Research Conference on Communication, Information and
Internet Policy. Telecommunications Policy Research Conference.
October 27-29, 2001. Alexandria, VA. For more information:
The 8th Annual Centre for Applied Cryptographic Research (CACR)
Information Security Workshop: The Human Face of Privacy Technology.
University of Waterloo and Information and Privacy Commission/Ontario.
November 1-2, 2001. Toronto, Ontario. For more information:
Privacy: The New Management Imperative - Chief Privacy Officer
Training Program. Cambridge University and Privacy Council. November
5-8, 2001. Cambridge, England. For more information:
Learning for the Future. Business for Social Responsibility's Ninth
Annual Conference. November 7-9, 2001. Seattle, WA. For more
information: http://www.bsr.org/events/2001.asp
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. A Web-based form is available for
subscribing or unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you have
any other questions.
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 8.14 -----------------------