        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
    Volume 8.21                                   October 24, 2001
                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.
Table of Contents
[1] Anti-Terrorism Legislation Nears Final Passage
[2] Groups Urge FTC to Take Action on Microsoft XP
[3] White House Supports "Cyber Security" FOIA Exception
[4] Policy Briefing: Security or Surveillance?
[5] Three Big Online Firms to Use Controversial Rating System
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - The Dream Machine
[8] Upcoming Conferences and Events
[1] Anti-Terrorism Legislation Nears Final Passage
In a 357-66 vote, the House approved a "compromise" version of
anti-terrorism legislation early on Wednesday, October 24.  The new
version of the bill, which is expected to be taken up by the Senate
later Wednesday or Thursday, was negotiated by a House-Senate
conference committee in a process begun last week to reconcile the
differences between the House and Senate versions of the legislation.
The bill is likely to be on the President's desk by the end of the
The new bill imposes a four-year sunset provision on its electronic
surveillance amendments, whereas provisions of the original House
version expired after five years and the Senate version did not
contain a sunset provision.  In addition, the compromise anti-
terrorism bill contains an amendment included by House Majority Leader
Richard Armey (D-Texas) requiring an audit trail when a device such as
Carnivore is used under pen register/trap and trace authority. This
small victory, which EPIC had earlier advocated, will permit some
judicial oversight of the FBI's controversial Carnivore device.
The House had voted (337-79) on October 15 to substitute a modified
version of the Senate bill, H.R. 3108, in place of its own bipartisan
measure, H.R. 2975, which included more civil liberties protections.
This vote took place one day after the Senate voted 96-1 to approve S.
1510, the Uniting and Strengthening America (USA) Act, which
significantly expanded government surveillance authority, reduced
judicial oversight, and created a wide range of new terrorist crimes,
including computer hacking (see EPIC Alert 8.20).  A House-Senate
conference to reconcile the two versions, originally scheduled to take
place October 17, was concluded this week despite the anthrax-related
shutdown that has frozen much of the activity on Capitol Hill.
The legislation covers an array of terrorism-related issues such as
changes in immigration and detention laws, but the surveillance and
wiretap amendments received the most congressional and public
Text of Senate anti-terrorism bill (S. 1510):
Text of House anti-terrorism bill (H.R. 3108):
EPIC's analysis of the original Justice Department proposal, the
Anti-Terrorism Act (ATA) of 2001:
[2] Groups Urge FTC to Take Action on Microsoft XP
EPIC and a coalition of consumer and privacy organizations have
renewed their calls for Federal Trade Commission action to protect
consumers from the privacy risks associated with Windows XP and
Passport.  In a letter sent to the FTC, the organizations criticized
the Commission for not upholding its statutory duty to protect
consumers in light of the planned release of Windows XP on October 25.
Since August, when the organizations last submitted information to
the FTC detailing numerous privacy issues associated with XP and
Passport, the Agency has taken no public action to protect consumers.
The letter was addressed to Timothy Muris, the new FTC Chairman, who
recently announced that the agency would no longer advocate that
legislation was necessary to protect consumers' privacy.  However,
under the Federal Trade Commission Act, the agency is charged with
protecting consumer interests, and specifically with preventing unfair
or deceptive practices in commerce.
The letter supplements the earlier FTC filings with a list of major
Microsoft security lapses that have endangered users' privacy and
security.  These security lapses further support the claims made in
earlier filings that Microsoft has misled consumers by making
representations that Passport will increase user privacy and security.
The letter also notes that despite a series of serious security
breaches at Microsoft, the Windows XP operating system will request
that users obtain a Passport for the first six attempts in connecting
to the Internet.
The letter, which was also sent to key legislative oversight
committees, emphasizes the remedies sought in the original findings
and further requests that the FTC "disgorge any personal information
collected fraudulently and deceptively through XP and Passport."
Letter to Timothy Muris urging action on Windows XP and Passport:
EPIC Page on Microsoft Passport:
[3] White House Supports "Cyber Security" FOIA Exception
President Bush reportedly will support legislative proposals to
withhold "cyber security" information from disclosure under the
Freedom of Information Act (FOIA).  Such protection has long been
sought by private companies that have been unwilling to share with the
government information concerning computer system vulnerabilities. 
Open government advocates have opposed such legislation, noting that
existing FOIA exemptions already protect such material from disclosure
if the affected company considers it confidential.
In a letter to the chairman of the National Security and
Telecommunications Advisory Committee (NSTAC), Bush said he will
"support a narrowly crafted exception ... to protect information about
corporations' and other organizations' vulnerabilities to information
warfare and malicious hacking."  The letter was obtained by the
Associated Press, and appears to be a response to a letter the NSTAC
chair sent to the President in June, lobbying for an FOIA exception
for "critical infrastructure protection" data.  NSTAC, echoing a
frequent industry request, also urged support for a limitation on
"potential legal liabilities" that might result from disclosures of
information revealing vulnerabilities in computer systems.  Bush
apparently has not taken a position on the liability issue.  The June
NSTAC letter was recently obtained by EPIC pursuant to a request under
the Federal Advisory Committee Act.
Administration support for the "cyber security" provision came less
than a week after Attorney General John Ashcroft directed federal
agencies to review more closely decisions to release documents under
the FOIA.  In a memorandum issued on October 12, Ashcroft announced
that the Justice Department will defend in court agency decisions to
withhold information if there is a "sound legal basis" for the
withholding.  Under the previous policy issued by former Attorney
General Reno in 1993, DOJ would only defend agency withholding
decisions if they sought to prevent a "foreseeable harm" that would
result from disclosure.
The NSTAC correspondence to the President on "cyber security" is
available at:
EPIC's Congressional testimony on proposed legislation to exempt
"cyber security" data from the FOIA is available at:
Attorney General Ashcroft's memorandum on FOIA policy is available at:
[4] Policy Briefing: Security or Surveillance?
On Monday, October 22, EPIC and the Privacy Foundation sponsored a
policy briefing at the National Press Club in Washington, D.C. to
explore the implications of new systems for identification and
tracking on personal privacy.  Questions considered included the
reliability of face recognition technology, the limitations of
national ID cards, and the potential for regulating future
identification technology.
John Woodward, a senior policy analyst at the RAND Corporation, spoke
on recent developments in biometrics and facial recognition
technology, noting several difficulties with current face recognition
Richard Smith, Chief Technology Officer of the Privacy Foundation,
focused his comments on a technical evaluation of the leading face
recognition software made by Visionics, called "FaceIt," demonstrating
the weaknesses in the system by showing that it could not correctly
correlate two pictures of a suspected terrorist.
Marc Rotenberg, the event's moderator, played a five-minute audio
track, found on the Oracle website, of Larry Ellison's argument for a
National ID card, placing an image of Mr. Ellison in front of the
speaker's podium.  Ellison said, "We have been so busy protecting
ourselves against our government, we have made it impossible for our
government to protect us . . . . [we must give law enforcement] the
tools -- like databases and ID cards -- and the latitude to protect
us. And if we do, our liberties and our lives will be saved together."
Robert Ellis Smith, editor of the Privacy Journal and an expert on the
history of national ID cards, concentrated his comments on two areas
of concern: the purpose of national ID cards, and the intrusion of a
national ID card requirement on personal privacy.
Whitfield Diffie, Distinguished Engineer at Sun Microsystems, was less
skeptical of the potential for face recognition technology to improve
dramatically.  He predicted that, in the next 10 years, we would
become accustomed to a society with "ubiquitous recognition," where
every storekeeper and government official would have access to a
database with face scans to obtain the identities of individuals with
whom they are interacting.  He was also skeptical about the role of
policy to regulate the multiple private and public uses of such
Jeffrey Rosen, law professor at George Washington law school and legal
affairs editor at the New Republic, emphasized the critical role of
regulation in controlling the significant expansion of government
power through technology, referring to his experiences in surveying
England's use of face recognition technology to show the wide
potential for misuse of such a system.
Additional panels and briefings on related topics are expected to be
held at the Press Club in the coming weeks.
Details of Richard Smith's tests on facial recognition systems:
"A Cautionary Tale for a New Age of Surveillance." Jeffrey Rosen, New
York Times Magazine, October 7, 2001:
EPIC's face recognition page:
[5] Three Big Online Firms to Use Controversial Rating System
Three of the largest online companies -- America Online, Microsoft's
MSN and Yahoo -- announced on October 23 that they will use a
controversial rating system to label content on their websites.  The
system, developed by the Internet Content Rating Association (ICRA),
encourages content providers to rate their online material using a set
of uniform labels "to allow or disallow access to websites based on
the information declared in the label."  Previous efforts to promote
the system have been unsuccessful, partly due to the fact that a
browser configured to display only sites bearing labels would deny
access to the vast majority of online content (which is not labeled).
Despite ICRA's claim that its rating system enjoys "broad support from
... the First Amendment community," it and similar systems have long
been opposed by free expression advocates.  One of the objections to
rating schemes has been the belief that such systems, although touted
as a means of preventing government regulation of online content, are
in fact likely to facilitate official censorship.  When the
Bertelsmann Foundation in Germany proposed an international rating
system in 1999, members of the Global Internet Liberty Campaign (GILC)
pointed out the danger of such a proposal:
     First, the existence of a standardized rating system for
     Internet content -- with the accompanying technical changes
     to facilitate blocking -- would allow governments to mandate
     the use of such a regime.  By requiring compliance with an
     existing ratings system, a state could avoid the burdensome
     task of creating a new content classification system while
     defending the ratings protocol as voluntarily created and
     approved by private industry. ...
     Second, the imposition of civil or criminal penalties for
     "mis-rating" Internet content is likely to follow any
     widespread deployment of a rating and blocking regime. A
     state-imposed penalty system that effectively deters
     misrepresentations would likely be proposed to facilitate
     effective "self-regulation."
According to ICRA, the "ICRAfilter" (which recognizes labels and
blocks content accordingly) will be released in spring 2002 and will
work on all versions of Windows from '95 upward and will operate
independently of any browser.
ICRA's October 23 press release is available at:
The GILC statement on Internet rating systems is available at:
EPIC's publication, "Filters & Freedom 2.0: Free Speech Perspectives
on Internet Content Controls," is available at:
[6] EPIC Bill-Track: New Bills in Congress
H.R.3108 USA Act of 2001. To deter and punish terrorist acts in the
United States and around the world, to enhance law enforcement
investigatory tools, and for other purposes. Sponsor: Rep
Sensenbrenner, F. James, Jr. (R-WI). Latest Major Action: 10/11/2001
Passed/agreed to in Senate: Passed Senate without amendment by Yea-Nay
Vote. 96 - 1. Record Vote Number: 302.
H.R.3120 Airline Check for Terrorist Act. To provide for a study on
the feasibility of giving airlines access by computer to lists of
suspected terrorists. Sponsor: Rep Keller, Ric (R-FL). Latest Major
Action: 10/12/2001 Referred to House committee: House Judiciary.
H.R.3129 Customs Border Security Act of 2001. To authorize
appropriations for fiscal years 2002 and 2003 for the United States
Customs Service for antiterrorism, drug interdiction, and other
operations, for the Office of the United States Trade Representative,
for the United States International Trade Commission, and for other
purposes. Sponsor: Rep Crane, Philip M. (R-IL). Latest Major Action:
10/16/2001 Referred to House committee: House Ways and Means.
H.R.3146 Netizens Protection Act of 2001. To restrict the transmission
of unsolicited electronic mail messages. Sponsor: Rep Smith,
Christopher H. (R-NJ). Latest Major Action: 10/16/2001 Referred to
House committee: House Energy and Commerce.
S.1534 Department of National Homeland Security Act of 2001. A bill to
establish the Department of National Homeland Security. Sponsor: Sen
Lieberman, Joseph I. (D-CT). Latest Major Action: 10/11/2001 Referred
to Senate committee: Senate Governmental Affairs.
S.1568. A bill to prevent cyberterrorism. Sponsor: Sen Hatch, Orrin G.
(R-UT). Latest Major Action: 10/18/2001 Referred to Senate committee:
Senate Judiciary.
EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills
in the 107th Congress, is available at:
[7] EPIC Bookstore - The Dream Machine
The Dream Machine: J.C.R. Licklider and the Revolution That Made
Computing Personal, by M. Mitchell Waldrop.
The Dream Machine is the first in-depth portrait of J.C.R. Licklider
and his dream of a "human-computer symbiosis," which forever changed
the course of culture and science.  This 2001 book tells the story of
technological advancement, from World War II to the present.  J.C.R.
Licklider, an MIT psychologist working in the Pentagon in the 1960s,
was determined to show the world that computers did not have to be
large, frightening mainframes that processed punch cards.  Instead, he
saw an exciting new device with the potential to revolutionize our
Well-written and researched, the Dream Machine is an exciting and
intellectual story, capturing the passion of the great technological
adventure that is the history of the computer and the people who made
it all possible.
M. Mitchell Waldrop recently spoke at the New America Foundation on
the topic, "The Roots of the Computer Revolution: What Information
Technology Today Owes to Government Investment and the Vision of J. C.
R. Licklider."
EPIC Publications:
"Privacy & Human Rights 2001: An International Survey of Privacy Laws
and Developments," (EPIC 2001). Price: $20.
This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, ID systems and freedom of information
"The Privacy Law Sourcebook 2001: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40. http://www.epic.org/bookstore/pls2001/
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.
"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.
"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
     EPIC Bookstore
     "EPIC Bookshelf" at Powell's Books
[8] Upcoming Conferences and Events
The Third National HIPAA Summit: From Theory to Practice - From
Planning to Implementation. October 24-26, 2001. Washington, DC. For
more information: http://www.hipaasummit.com/
The 29th Research Conference on Communication, Information and
Internet Policy. Telecommunications Policy Research Conference.
October 27-29, 2001. Alexandria, VA. For more information:
The 8th Annual Centre for Applied Cryptographic Research (CACR)
Information Security Workshop: The Human Face of Privacy Technology.
University of Waterloo and Information and Privacy Commission/Ontario.
November 1-2, 2001. Toronto, Ontario. For more information:
Symposium on Privacy and Security 2001. Foundation for Data Protection
and Information Security. November 1-2, 2001. Zurich, Switzerland. For
more information: http://www.privacy-security.ch/
Workshop on Security and Privacy in Digital Rights Management 2001.
Eighth Association for Computing Machinery (ACM) Conference on
Computer and Communications Security. November 5, 2001. Philadelphia,
PA. For more information: http://www.star-lab.com/sander/spdrm/
Privacy: The New Management Imperative - Chief Privacy Officer
Training Program. Cambridge University and Privacy Council. November
5-8, 2001. Cambridge, England. For more information:
Learning for the Future. Business for Social Responsibility's Ninth
Annual Conference. November 7-9, 2001. Seattle, WA. For more
information: http://www.bsr.org/events/2001.asp
Privacy and Security in the Digital Age: The Global Summit 2001.
November 13-14, 2001. New York, NY. For more information:
Information Operations: Applying Power in the Information Age. Jane's
Information Group. November 14-15, 2001. Washington, DC. For more
Information Gathering in the 21st Century. Seton Hall Law School.
November 16, 2001. South Orange, NJ. For more information:
Managing Privacy of Health Information. The Canadian Institute.
November 19-20, 2001. Vancouver, British Columbia. For more
information: http://www.CanadianInstitute.com/
CPO and Privacy Practitioners Workshop. Privacy & American Business
and Privacy Council. November 27, 2001. Washington, DC. For more
information: info@pandab.org
First Privacy Expo 2001. Privacy & American Business and Privacy
Council. November 27-29, 2001. Washington, DC. For more information:
Eighth Annual National "Managing the NEW Privacy Revolution"
Conference. Privacy & American Business and Privacy Council. November
28-29, 2001. Washington, DC. For more information: info@pandab.org
Call for Papers - December 1, 2001. 11th Annual EICAR & 3rd European
Anti-Malware Conference. European Institute for Computer Anti-Virus
Research (EICAR). June 8-11, 2002. Berlin, Germany. For more
information: http://conference.eicar.org/
Privacy By Design 2001: Building Privacy for Better Business.
ZeroKnowledge. December 3-5, 2001. Montreal, Canada. For more
information: http://www.zeroknowledge.com/privacybydesign2001/
Get Noticed: Effective Financial Privacy Notices. Federal Trade
Commission. December 4, 2001. Washington, DC. For more information:
Call for Papers - December 10, 2001. Workshop on Privacy Enhancing
Technologies 2002. April 14-15, 2002. San Francisco, CA. For more
information: http://www.pet2002.org/
17th Annual Computer Security Applications Conference (ACSAC). Applied
Computer Security Associates. December 10-14, 2001. New Orleans, LA.
For more information: http://www.acsac.org/
Chief Privacy Officer Skills Development Workshop. PRIVA-C and Select
Knowledge. January 14-16, 2002 and February 18-20, 2002. Dallas, TX.
For more information: http://www.priva-c.com/cpoworkshop/
CFP 2002: The Twelfth Conference on Computers, Freedom & Privacy.
April 16-19, 2002. San Francisco, CA. For more information:
Subscription Information
Subscribe/unsubscribe via Web interface:
Subscribe/unsubscribe via email:
     To: info@epic.org
     Subject line: "unsubscribe EPIC_NEWS"
     Body text: [email address at which you are subscribed]
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription email address, or if you have any
other questions.
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
   ---------------------- END EPIC Alert 8.21 -----------------------