From: Christopher Chiu
To: GILC announce
Sent: 31/05/00 17:48
Subject: GILC Alert

GILC Alert
Volume 4, Issue 5
May 31, 2000

Welcome to the Global Internet Liberty Campaign Newsletter.

Welcome to GILC Alert, the newsletter of the Global Internet Liberty
Campaign. We are an international organization of groups working for
cyber-liberties, who are determined to preserve civil liberties and
human
rights on the Internet.
We hope you find this newsletter interesting, and we very much hope that
you
will avail yourselves of the action items in future issues.
If you are a part of an organization that would be interested in joining
GILC, please contact us at <[log in to unmask]>.
If you are aware of threats to cyber-liberties that we may not know
about,
please contact the GILC members in your country, or contact GILC as a
whole.
Please feel free to redistribute this newsletter to appropriate forums.

===============================================
Free Expression
[1] Yahoo sued over web anonymity
[2] Australian censorship system does little
[3] Elian Web parody battle
[4] Chinese online dissidents' uphill fight
[5] DVD Web links case gets ugly
[6] Internet freedom study released
[7] Russia's digital divide
[8] Saudi censorship slows Internet growth
[9] Syria plans Internet expansion
[10] Oxford Net free speech meeting held

Privacy and Encryption
[11] US gov't knocks dot-coms on user privacy
[12] New French anti-anonymity bill
[13] Love Bug virus highlights privacy flaws
[14] G8 plan threatens individual privacy
[15] New Microsoft security woes
[16] New NetRadar Internet spy tool
[17] UK Net privacy under siege
[18] US child online privacy laws take effect
[19] Indian Net search plans deemed invasive
[20] EU to lift crypto restrictions
[21] Euro plan: end Net anonymity

===============================================
[1] Yahoo sued over web anonymity
===============================================
A lawsuit against a popular Internet portal company raises important
questions about the future of free speech in cyberspace.

The controversy centers on message boards maintained by Yahoo about
publicly
traded companies. Under this system, users must register their identity
with
Yahoo in order to participate in the discussion. When registering,
individuals must provide a great deal of personal information about
themselves, including their occupation, industry, interests, postal code
and
gender. Yahoo also saves the Internet address of everyone who posts
messages. The Internet firm also has a privacy policy which generally
promises users that it will not disclose this collected data without
user
notification and consent.

In February 2000, one of the companies being discussed, AnswerThink,
filed a
defamation lawsuit against several unknown people who had posted highly
critical comments on Yahoo's message board. AnswerThink also caused a
subpoena to be served on Yahoo for personal information about those
users.
Yahoo allegedly turned over its files on these individuals without
getting
their approval or giving them notice. One of these users (known by his
pseudonym, Aquacool) turned out to be an AnswerThink employee.
AnswerThink
promptly fired him, denied him compensation, then sued him individually
for
his supposedly libelous remarks.

Aquacool launched his own lawsuit, claiming that his free speech rights
had
been violated. The lawsuit was supported by two GILC member
organizations,
the Electronic Privacy Information Center (EPIC) and the American Civil
Liberties Union (ACLU). The two groups noted that the United States
Constitution protects the rights of individuals to anonymous free
speech, as
well as the right to speak freely online. In the words of EPIC's David
Sobel, Yahoo's policies would render that right "illusory."

To see a joint EPIC and ACLU press release on this case, visit
http://www.epic.org/anonymity/epic_aclu_release.html

To see the complaint (in PDF format), click
http://www.epic.org/anonymity/aquacool_complaint.pdf

===============================================
[2] Australian censorship system does little
===============================================
What if someone built a system to censor the Internet, and nobody came?

That's apparently what has happened Down Under. The Australian
government
had implemented a complaint-based system to block out Internet content.
These plans were in response to presumed public concern over the harmful
effects of the Internet on society. However, the flood of complaints
envisioned by the scheme's creators did not materialize. Out of an
estimated
six million Australian adults who use the Internet, only 124 complaints
were
received between January and March 2000. Stephen Nugent of the
Australian
Broadcasting Authority admitted "[t]here doesn't appear to have been a
huge
pent-up demand to make complaints."

Critics cited the dearth of entries as clear evidence that most
Australians
are satisfied with what's available on the Internet. Robbie Swan of the
Eros
Foundation said that the statistics showed that "there was no need for
legislation. Politicians clearly freaked about something they really
weren't
in a position to comment upon." There are now calls to discard the
entire
system; a formal review by the Australian parliament has already been
scheduled.

See Stewart Taggart, "Content in Australia, Sort Of," Wired News, April
28,
2000 at
http://www.wired.com/news/print/0,1294,35949,00.html

===============================================
[3] Elian Web parody battle
===============================================
Controversy has erupted over an Internet movie that lampoons a famous
photograph of Elian Gonzalez.

An Associated Press (AP) photographer took the original picture when US
government agents raided the home of Elian's relatives to return the
child
to his father. The left side of the image features a Federal agent
holding a
gun. The gun appears to be pointed at Gonzalez, who is shown on the
right
side of the photograph in the arms of the person who rescued him from
the
waters near Florida.

The movie was the brainchild of Sean Bonner and Chris Lathrop, who
doctored
the photo to show all three people saying "WHAZZUP" to each other. The
film
goes on to show United States Attorney General Janet Reno, Cuban
dictator
Fidel Castro, and other famous people linked with the Elian case also
shouting "WHAZZUP." The entire presentation is drawn from a popular
American
television commercial for Budweiser beer, where several people shout
"WHAZZUP" amongst themselves while enjoying their drinks, then say
"True" at
the end. The movie finishes with an image reading "Stormtroopers" and
"True"
in an obvious parody of the Budweiser ad. On April 25, Sean Bonner
posted
this movie on his website, and the film became extremely popular.
Numerous
other individuals, including Tom Fulp, reposted the movie on their
websites.

The film caught the attention of David Tomlin, assistant to the
president of
the Associated Press. Tomlin sent out a curious e-mail message to
Bonner,
Lathrop, Fulp and several other people, threatening a copyright
infringement
suit. The message made no mention of the potential damage such a lawsuit
might have on Internet free speech. Instead, the letter continued,
"We'll go
for whatever it takes to get our material out of your hands. Please
acknowledge immediately that you understand and are taking down the
display
of AP pictures at the address above."

Bonner has since removed the video from his website, but the parody
remains
available from other sources on the Internet. The Associated Press'
current
plans for the case are not known at this time.

See Brad King, "Wazzup? Not Elian Web Parody," Wired News, April 27,
2000 at
http://www.wired.com/news/politics/0,1283,35958,00.html

To see the Bonner film, click
http://www.andyring.com/elian

====================================================
[4] Chinese online dissidents' uphill fight
====================================================
According to recent reports, mainland Chinese online dissenters are
still
struggling to make their voices heard in the face of intense pressure
from
their Communist adversaries.

Chinese government agents have redoubled their efforts to censor
Internet
content. Recently, Communist officials closed down a website in Wuhan,
known
as the China Finance Information Network (CFN), claiming that it
"downloaded
and spread rumors that damaged the government's image." This apparently
occurred after the site's operators posted a Hong Kong newspaper article
detailing the corruption of a provincial leader. Authorities fined CFN
and
halted its operations for 15 days. In addition, the Chinese government
will
issue new Internet censorship regulations within a month or so,
according to
Wang Qincun, who heads China's Internet News Administrative Bureau of
the
State Council Information Office. These regulations apparently will
limit
what news stories may be reported by mainland websites and prevent
commentary on certain news items by agencies other than Communist
publications (such as the People's Daily and the Xinhua News Agency).

Nevertheless, He Depu of the China Democracy Party (CDP) noted that
while
"China's Internet police have invested a lot of money and manpower into
blocking messages from our overseas members their efforts in the end
will be
futile." He noted that because the Internet was so large, "[e]ven if the
police monitored the Internet 24 hours a day, they would not be able to
stop
all the messages getting through."

For more on the Wuhan website shutdown from the Digital Freedom Network
(DFN-a GILC member), click
http://www.dfn.org/Voices/Asia/china/cfinet.htm

See also "China Suspends Site for 'Rumors'," Reuters, May 15, 2000 at
http://www.wired.com/news/print/0,1294,36333,00.html

For more on new Chinese Internet news restrictions, read "China Website
Closure Signals Tighter Grip on Internet Control," Agence France Presse,
May
17, 2000 at
http://www.insidechina.com/news.php3?id=160050

For more on He Depu and the China Democracy Party, read "Democracy Group
Prepares To Win Cyberbattle With Chinese Police," Agence France Presse,
April 24, 2000, at
http://www.insidechina.com/news.php3?id=153879

====================================================
[5] DVD Web links case gets ugly
====================================================
In many respects, the war over Internet links to a DVD-related computer
program has turned into the legal equivalent of a barroom brawl.

The entertainment industry, through the DVD Content Control Association
(DVD
CCA) and the Motion Picture Association of America (MPAA), had sued to
prevent Internet users from linking to websites that have DeCSS. DeCSS
was a
primitive program to help users of the Linux operating system play DVDs
on
their computers. Previously, courts in both New York and California had
issued preliminary injunctions that barred computer users from posting
DeCSS
on their websites. Many experts are concerned that these actions may
stifle
free expression in cyberspace.

In the New York case, the MPAA is trying to disqualify the opposing
attorney, Martin Garbus, on conflict of interest grounds. The alleged
conflict is based on the fact that Garbus had previously represented
Time
Warner (a plaintiff in the DeCSS lawsuit) in another case. Garbus, on
the
other hand, is seeking sanctions against the MPAA's lawyers for
hindering
the discovery of key evidence, including the apparent failure to make
MPAA
President Jack Valenti available for a deposition. A full trial is
scheduled
for December 5, 2000.

Meanwhile, in the California case, the Electronic Frontier Foundation
(EFF-a
GILC member) is appealing the preliminary injunction. In the words of
EFF's
executive director, David Greene, "The court's injunction is a prior
restraint on free expression, one of the most severe civil penalties in
our
legal system. Even a momentary deprivation of the right to speak or
publish
causes serious and irreparable harm, far more grave than any monetary
loss."

For more on the New York case, see Patricia Jacobs, "DVD cracking case
heats
up," CNET News.com, May 11, 2000, at
http://news.cnet.com/news/0-1005-200-1856023.html

For more on the California case, see "DeCSS Gag Injunction Appealed,"
Wired
News, May 15, 2000, at
http://www.wired.com/news/print/0,1294,36351,00.html

====================================================
[6] Internet freedom study released
====================================================
"Will the Internet become a censor's web, worldwide?"

That is the question raised by a new survey from Freedom House.
According to
this study, an estimated 45 countries "now restrict Internet access on
the
pretext of protecting the public from subversive ideas or violation of
national security-code words used by censors since the sixteenth
century."
The report goes on to note that the Internet "is the most formidable
challenge to the censor ... [b]ut that has not stopped countries in all
regions from restricting domestic and transnational news flows."

In particular, the group cited Russia, Burma, China and several other
countries for their censorial policies toward cyberspace. The report
documents attempts by the Russian government to force "Internet service
providers (ISPs) to install surveillance equipment," and that Russian
"[s]ecurity services can now monitor Internet communications without a
court
order." Similarly, Burmese computer owners "must report computers to the
government or face a 15-year prison term. The Burmese government's
'cyberspace warfare center' counterattacks against possible dissent by
hacking into computers that receive or send forbidden messages."
Meanwhile,
Chinese "[s]ecurity operatives inspect web sites to make sure they do
not
leak 'state secrets.' These may include references to the arrest and
torture
of practitioners of the banned Falun Gong [spiritual movement]. Based on
such surveillance, Internet sites have been shut down, e-mail censored,
and
web sites overseas attacked by sites based in China."

The Freedom House survey is available via
http://www.freedomhouse.org/pfs2000/sussman.html

====================================================
[7] Russia's digital divide
====================================================
There are growing fears that Russia is falling behind the rest of the
online
world.

Mikhail Khodorkovskiy, the president of a major Russian petroleum firm,
Yukos, aired some of these concerns in a recent speech. Khodorkovskiy
pointed to current estimates that only 3% of all Russians use the
Internet
on a regular basis. This statistic is 10 times lower than in other
developed
nations.

Furthermore, he expressed alarm at the dearth of financial resources
that
could eliminate this apparent digital divide. Khodorkovskiy hypothesized
that at the current rate, only one out of every five Russians would have
Internet access by the year 2050. For these reasons, he argued that
education about the online world was "an absolute must." Towards that
end,
Yukos is working with the Russian government in a national program to
improve Internet awareness and skills among students. Even so,
Khodorkovskiy
urged private industries to contribute more time and money toward
educating
Russian citizens about cyberspace, noting that the "efforts of Yukos
alone
will not be enough."

See "Russia 'losing internet race'," BBC News Online, April 23, 2000, at
http://news.bbc.co.uk/low/english/sci/tech/newsid_723000/723664.stm

====================================================
[8] Saudi censorship slows Internet growth
====================================================
The Saudi Arabian government's attempts to censor the Internet may keep
the
country in a technological Dark Age.

At present, all 30 of the country's Internet service providers (ISPs)
are
linked to a ground-floor room in the King Abdulaziz City of Science and
Technology, located in the capital, Riyadh. Here, filtering programs
scan
through all Internet transmissions and block out any content deemed
offensive or sacrilegious. This center for censorship monitors the
activities of some 130,000 Saudi Internet users.

However, many experts are concerned that the Saudi government is
spending
too much energy on censorship and too little energy	on expanding its
Internet resources. Saudi Arabia joined the online world only 18 months
ago,
and many Saudi Arabian businesses are still unable to conduct
e-commerce.
This comes in stark contrast to counterparts in neighboring countries
(such
as the United Arab Emirates) that have benefited from
government-sponsored
initiatives. Ironically, Saudi computing resources are so meager that
officials had to import the blocking software used in Riyadh, then bring
in
technicians from Finland to run the program.

Additional information is available from Frank Gardner, "Saudis
'defeating'
internet porn," BBC News Online, May 10, 2000, at
http://news.bbc.co.uk/low/english/world/middle_east/newsid_742000/742798
.stm

====================================================
[9] Syria plans Internet expansion
====================================================
Syria is trying to enter the digital age, but it is unclear whether the
government will loosen its tight censorial grip in order to achieve its
goals.

Currently, Syria's Internet only has several thousand users (out of a
population of 16 million).  Most of these fortunate individuals have
ties to
the government or to big business. However, plans have been hatched to
expand Internet usage on a dramatic scale. This scheme was prepared by
the
Syrian Computer Society, led by Bashar Assad (son of Syrian President
Hafez
Assad). Bashar believes that someday "the Internet is going to enter
every
house" in Syria through these and other programs.

Nevertheless, there are many free expression issues that have yet to be
resolved, including the harsh prison sentences that are given to private
individuals found guilty of unauthorized Internet contact with
foreigners.
Not surprisingly, Reporters Sans Frontieres recently branded Syria as
one of
the Internet's twenty biggest enemies. Indeed, even Bashar admitted his
government may issue new "guidelines" to restrict online access and
content,
similar to the stringent controls on other media (such as government-run
newspapers, radio and television).

For further details, see Howard Schneider, "Syria Advances Cautiously
into
The Online Age," Washington Post, April 27, 2000 at
http://www.washingtonpost.com/wp-dyn/articles/A21443-2000Apr26.html

Reporters Sans Frontieres' homepage is located at
http://www.rsf.fr

====================================================
[10] Oxford Net free speech meeting held
====================================================
The Humanities Computing Unit of Oxford University held a colloquium
about
the future of Internet free speech. Entitled "Beyond Control or Through
the
Looking Glass", the event took place on April 28, 2000 at the Oxford
Union
Debating Chamber. The meeting featured leaders of several GILC member
organizations, including Nadine Strossen of the American Civil Liberties
Union (ACLU), Avedon Carol from Feminists Against Censorship, and Yaman
Akdeniz of Cyber-Rights and Cyber-Liberties (UK), which co-organized the
event.

The central debate, Policing the Net, discussed the motion: "This house
believes that any attempt by government to police the internet is both
unworkable and a severe threat to civil liberties." During this debate,
Akdeniz noted the fact that current proposals to regulate cyberspace
failed
to provide clearly defined standards, did not have broad public support,
and
had yet to show favorable results when evaluated under a cost/benefit
analysis. He referred specifically to a recent British government
proposal,
the Regulation of Investigatory Powers (RIP) Bill, which would expand
the
power of law enforcement officials in cyberspace. Legal experts have
decried
many parts of the RIP plan, including provisions that would force
defendants
to prove their innocence if they fail to provide passwords or encryption
keys when asked by government agents. Akdeniz argued that RIP's
standards
were virtually incomprehensible and warned that such ill-drafted
proposals
would chill freedom online. He also attacked the Internet Watch
Foundation,
which has sought restrictions on Internet content for several years.

Similarly, Strossen suggested that the blocking of Internet content
violated
the precepts delineated in a recent ruling by the United States Supreme
Court. The Court held that Internet speech should be protected to at
least
the same degree as more traditional forms of expression. She cited
efforts
(by the ACLU and other cyber-liberties groups) to strike down
broad-based
laws that would criminalize any Internet speech with any amount of
sexual
content, without any regard to its social value. Strossen further
suggested
that Internet users should not be silenced based on mere speculation
that
their speech may have some anti-social impact.

To hear audio recordings from the Policing the Net debate, and to read
transcripts of the arguments on both sides, click
http://www.guardianunlimited.co.uk/freespeech

==============================================
[11] US gov't knocks dot-coms on user privacy
==============================================
A US regulatory agency has found that many e-commerce sites do a poor
job of
protecting the privacy of their users, and is calling for legislative
action
to correct the problem.

According to a recent study by the US Federal Trade Commission (FTC),
nearly
4 out of 5 e-commerce sites failed to meet the Commission's standards
for
safeguarding user privacy. These standards include the posting of a
privacy
policy, consumer control over how their data is used, users' ability to
view
and correct the files compiled about them, and security measures to stop
cybercriminals. The report did note that nearly 90% of the most heavily
trafficked websites did have privacy policies available online. However,
the
Commission also noted that many web content providers fared poorly in
the
categories of consumer control, security measures and so forth.

As a solution, the FTC is recommending that "Congress enact legislation
to
ensure adequate protection of consumer privacy online." This legislation
"would set out the basic standards of practice governing the collection
of
information online, and provide an implementing agency with the
authority to
promulgate more detailed standards," including powers of enforcement.
Under
this system, "[a]ll consumer-oriented commercial Web sites that collect
personal identifying information from or about consumers online, to the
extent not covered by the COPPA [Children's Online Privacy Protection
Act],
would be required to comply with the four widely-accepted fair
information
practices." These practices include providing consumers with adequate
notice
as to how respective companies handle personal information, giving
consumers
choices as to how their data will be used, allowing users to access
their
own records (including the right to correct or delete information), and
taking "reasonable steps to protect the security of the information they
collect from consumers."

The report has met with mixed reviews. Marc Rotenberg of the Electronic
Privacy Information Center (EPIC-a GILC member) noted that
"[l]egislation to
protect privacy is long overdue." Rotenberg also commented on the FTC's
suggestion that self-regulatory schemes may still play a part, even
though
such efforts have failed to protect user privacy in the past.
Nevertheless,
many observers expect the proponents of this new plan will be forced to
fight an uphill battle.

The FTC Report "Privacy Online: Fair Information Practices and the
Electronic Marketplace" is available via
http://www.ftc.gov/os/2000/05/index.htm#22

See also John Schwartz, "Republicans Oppose Online Privacy Plans,"
Washington Post, May 21, 2000, page A8, at
http://www.washingtonpost.com/wp-dyn/articles/A42502-2000May21.html

The Final Report of the FTC Online Access Advisory Committee is
available
under
http://www.ftc.gov/acoas/finalreport.htm

=============================================
[12] New French anti-anonymity bill
=============================================
Critics are warning that a new French proposal to end anonymity on the
Internet may create big potholes along the Information Superhighway.

The French Parliament is in the process of reviewing the Liberty of
Communication Act, which generally addresses audiovisual broadcasting
communications. However, special provisions regarding Internet service
provider (ISP) liability have been introduced after a highly publicized
lawsuit against a French ISP. The bill received the blessing of the
French
Senate on May 29th of this year; the National Assmebly will now consider
the
Act within the next few weeks.

In its current form, the Liberty of Communication Act would
essentially require anyone who creates a webpage to provide personal
information about themselves to the public. Under this plan, any
public Internet service (which may include providers of chat rooms,
bulletin boards and e-mail messaging as well as websites) must publicly
disclose the editor's name and postal address.  Private
individuals must at least provide information about their Internet
host provider (including the provider's name and postal address) as
well as their own online names. In turn, host providers would be
required to collect personal information about their users, which
would be turned over upon judicial request.  Violators may go to jail
for three months and pay fines of 25,000 francs (about $3,500 US).

Many observers have lambasted the plan as a serious threat to civil
liberties. Imaginons un Reseau Internet Solidaire (IRIS-a GILC member)
warned that the measure might cause "the death of the Internet in
France."
IRIS feared that the mandatory registration of Internet users would
constitute a serious invasion of individual privacy, although the
the French Senate has recently restricted the divulgation of
individual personal information upon judicial request. Moreover, the
French
cyberliberties group feared that the Act would turn Internet companies
into
agents of the state.

These concerns have been echoed by many leading French firms, including
Libertysurf.com, the nation's biggest free Web hosting company. A
Libertysurf spokesperson suggested that the plan would shift business
overseas, because users would seek webhosts that are more protective of
personal information. Furthermore, the spokesperson expressed anxiety
that
the Act would increase the costs of doing business in France on an
astronomical scale.

Visit IRIS' webpage on French anti-anonymity legislation (in French) at
http://www.iris.sgdg.com/actions/loi-comm

For an English language news item on the subject, read Jason Straziuso,
"Anonymity? Mais Non," Associated Press, May 23, 2000, at
http://www.abcnews.go.com/sections/tech/DailyNews/france_net000523.html

====================================================
[13] Love Bug highlights privacy flaws
====================================================
Experts worldwide are recommending better security software, not
government
regulation, as the proper response to an insidious computer pest.

The so-called "Love Bug" got its name from its carrier messages, which
usually contain "I Love You" in the subject header. The "Love Bug" comes
as
an e-mail attachment that, once opened, destroys JPEG image files and
sends
itself to everyone in a user's e-mail address book. This scourge
attacked
millions of computers worldwide and caused many e-mail systems to
shutdown.
Other similar bugs have since appeared. One of these pests, known as
"NewLove," only has "FW" in the subject line, thus giving less warning
to
its victims. Worse still, the "NewLove" attachment destroys all files on
a
user's hard drive, not just JPEGs. Another version is entitled
"Resume-Janet
Simons", while a third nuisance is written in German and includes an
attachment named "SouthPark.exe".

Scientists have noted that these attacks were helped by the fact that
many
software companies do a poor job of protecting user privacy. David
Stringer-Calvert, senior project manager and research engineer at SRI
International, noted that "[s]ecurity is always a tradeoff against
usability, and currently security is often the poor cousin in this.
Microsoft products do make it exceptionally easy to write very damaging
viruses."

In addition, programming gurus have questioned whether new government
initiatives would solve the problem. Peter Neumann, the principal
scientist
at SRI's Computer Science Laboratory, said that "[t]he government
reaction
... to build more jails and arrest more hackers ... ignores the
fundamental
vulnerabilities in the computer systems. Regulating e-mail does not make
much sense." Stringer-Calvert added, "Regulation is not the answer. The
market needs to become more demanding in the security aspects of
systems."
Instead, computer scientists have suggested a variety of technical
solutions, including encryption and extra firewalls.

For more on these analyses, read "Love Me Not: Experts Discuss the
Problem
of Computer Viruses," ABCNews.com (US), May 5, 2000, at
http://more.abcnews.go.com/sections/tech/DailyNews/000505_lovevirus_expe
rts_
chat.html

For possible solutions to the "Love Bug" problem, read Eamonn Sullivan,
"Next viruses will be silent killers," IT Week, May 11, 2000, at
http://msnbc.com/news/406448.asp?cp1=1

The Killer Resume virus is described in "E-mail virus 'contained'," BBC
News
Online, May 29, 2000 at
http://news.bbc.co.uk/low/english/sci/tech/newsid_768000/768320.stm

To read more on the German "South Park" bug, see "New worm-'South Park'
in
German," Reuters, May 11, 2000 at
http://www.zdnet.co.uk/news/2000/18/ns-15325.html

More on the "FW:" bug is available through Sascha Segan, "Virus: Bold as
Love," ABCNews.com (US), May 19, 2000 at
http://abcnews.go.com/sections/tech/DailyNews/virus_new000519.html

====================================================
[14] G8 plan threatens individual privacy
====================================================
A superpower Internet security summit has recommended measures that many
fear will undermine privacy online.

This recently concluded G8 conference brought together delegates from
eight
major powers, including the United States, the United Kingdom and
Russia.
The meeting focused on ways to prevent Internet crime. Conferees
discussed
22 recommendations for improving Internet security. These particular
proposals came from the Global Internet Project--an association of
computing
companies that includes Microsoft and America Online. Thirteen of these
suggestions were for the private sector, including such ideas as
cooperating
"with law enforcement and other agencies to detect and alleviate
attacks."
One suggestion might turn private companies into de facto government
informants; under this provision, companies would "identify and
disseminate
information" about perceived risks to computer systems, then pass this
information on to so-called "clearing houses" like the United States
Federal
Bureau of Investigation. The group also urged government agencies to
take
action by removing the "remaining controls on civilian encryption
technologies," as well as encouraging and supporting "efforts to teach
youngsters how to behave ethically in cyberspace."

G8 representatives also discussed a "Draft Convention on Cybercrime"
sponsored by the Council of Europe. This proposal would make it illegal
to
link to certain types of software that could interfere with (or allow
unauthorized access to) a computer. The measure would also punish people
who
fail to provide passwords or encryption keys. Furthermore, the
Convention
would require Internet service providers (ISPs) to collect personal
information about their users.

However, many observers fear that these plans will actually diminish
Internet privacy while failing to prevent future cyberattacks. A
spokesperson from the Foundation for Information Policy Research (FIPR)
worried that the G8 nations would waste valuable time discussing
security
solutions. Worse still, the spokesperson believed that as the number and
impact of cyber-crimes grew, governments would go on to choose harsh
standards that would severely impinge on the privacy rights of Internet
users. Indeed, Barry Steinhardt of the American Civil Liberties Union
(ACLU-a GILC member) called the Draft Convention "dangerous" and
believes
"it will interfere with the ability to speak anonymously." He also
suggested
that the proposal would prevent computer scientists from adequately
ensuring
"their own security and the security of others."

Privacy International (a GILC member) has compiled an extensive site to
document these developments at
http://www.privacyinternational.org/issues/cybercrime/

====================================================
[15] New Microsoft security woes
====================================================
Researchers have recently discovered security flaws in two of
Microsoft's
most popular products: Internet Explorer and Hotmail.

Peacefire (a GILC member) has issued a series of articles that
documented
these weaknesses. Both difficulties are based on the common use of
computer
files known as "cookies." Many websites surreptitiously place these
cookies
on users' computers for identification purposes or for storing other
personalized information.

In the case of Internet Explorer, a hole in its security features allows
website operators to secretly scan all of the cookies on an individual
user's computer and discover where that person has been on the Internet.
A
savvy webpage operator can create a special domain name that will fool
Internet Explorer into thinking that particular page is actually from
another site (such as Amazon.com, rather than Peacefire) and divulge the
cookies pertaining to that other site (such as the cookie Amazon.com
placed
on the user's computer). That way, the attacker can check what cookies
are
on the user's machine and discover where that user has been on the World
Wide Web. One way individuals can avoid this loophole is by changing
Explorer's settings to disable all cookies.

The Hotmail flaw enables people to discover other users' passwords and
read
private e-mail messages. This is done through a special HTML program
(attached to an e-mail message) that intercepts the cookies that Hotmail
uses to identify its users and passes them along to the attacker. These
cookies contain special session keys (known individually as "MSPAUTH")
that
can then be used to enter another person's e-mail account, read that
person's messages, and break into still more accounts.

Visit Peacefire's homepage (for analyses of these Microsoft security
holes)
at
http://www.peacefire.org

====================================================
[16] New NetRadar Internet spy tool
====================================================
A new software package will allow businesses and government agencies to
spy
on private Internet users everywhere.

The program, known as NetRadar, searches through chat rooms, bulletin
boards, and other areas of cyberspace by using key words chosen by the
user.
NetRadar then provides automatic summaries of its results. Its
properties
are vaguely similar to government systems such as ECHELON, which
reportedly
intercept communications on a global scale, then use special computer
programs (called DICTIONARY) to siphon out pertinent material. NetRadar
was
used to monitor the activities of groups opposed to the World Trade
Organization (WTO) and demonstrated against them in Seattle this past
winter. Its creators now are hoping to sell the software to major
companies
as well as law enforcement agents.

Critics fear that devices like NetRadar will seriously erode the privacy
of
ordinary citizens. Jim Dempsey of the Center for Democracy and
Technology
(CDT-a GILC member) feared that widespread use of NetRadar "could end up
chilling political speech organizing, peaceful advocacy, criticism of
either
government or corporations." Similarly, Professor Jonathan Zittrain
(from
the Berkman Center for Internet and Society at Harvard Law School)
worried
that the current data privacy laws would not prevent abuse of such
programs.
Zittrain noted: "if there's an alcoholics anonymous group, a group to
talk
about depression, even about back pain, those sorts of things could end
up
being surveyed for purposes of insurance fraud or anything else."

For more, see Jack Smith, "Web Spies," ABCNews.com (US), May 16, 2000,
at
http://www.abcnews.go.com/onair/CloserLook/wnt_000516_CL_netsecurity.htm
l

For more on ECHELON, visit
http://www.echelonwatch.org

=======================================
[17] UK Net privacy under siege
=======================================
It may be getting harder for British Internet users to preserve their
privacy.

The British government has proposed several new measures to enhance
their
surveillance powers. One of these proposals would create a Government
Technical Assistance Centre to intercept all e-mail messages in the
United
Kingdom. Similarly, the British Home Office has introduced a Regulation
of
Investigatory Powers (RIP) Bill, which might force Internet service
providers to accommodate more invasive searches by law enforcement
officials. The Bill would also punish people who are unable to provide
"keys" to encrypted computer files and force these individuals to
disprove
their guilt. Cyber-liberties groups, who are concerned that these
measures
will treat innocent Internet users as criminals, have savaged both
proposals. The RIP bill, in particular, has been excoriated because of
its
reversed burden of proof; some experts have suggested that this
particular
provision violates various International human rights accords. The RIP
legislation also has caught flak from software manufacturers, who fear
that
the plan will make it more expensive to conduct e-commerce in Britain.

Meanwhile, a recent survey indicated yet another threat to online
privacy:
big business. A study by the Industrial Relations Services indicated
(among
other things) that over 75% of British companies monitor their employees
in
cyberspace. Many of these companies go so far as to read private e-mail
messages and limit their workers' access to the Internet.

For more on the Government Technical Assistance Centre, read "Brits
Launch
Online Spy Network," Wired News, May 2, 2000, at
http://www.wired.com/news/print/0,1294,36031,00.html

See also Sascha Segan, "Spies Like Us," ABCNews.com (US), May 2, 2000 at
http://www.abcnews.go.com/sections/tech/DailyNews/britishspies_000502.ht
ml

Press coverage of the RIP Bill is available under "Computer crime plan
'bad
for business'," BBC News Online, May 8, 2000 at
http://news.bbc.co.uk/low/english/sci/tech/newsid_740000/740766.stm

For a report on British online monitoring of employees, read "British
companies monitor staff Internet use-study," Reuters, May 15, 2000 at
http://news.ft.com/ft/gx.cgi/ftc?pagename=View&c=Article&cid=FT4J73FC98C
&liv
e=true&tagid=ZZZPB7GUA0C&reuters=true

==============================================
[18] US child online privacy laws take effect
==============================================
The US government has started to enforce a new law designed to protect
the
privacy of children in cyberspace.

The Children's Online Privacy Protection Act (COPPA) restricts operators
of
websites and other Internet services from collecting sensitive
information
from users aged 13 years or under. These rules generally require
websites
that are directed at children to post privacy policies. These sites
cannot
gather personal information from youngsters without parental consent.
Furthermore, mothers and fathers can revoke such consent at any time and
force web companies to expunge information that these firms have already
collected about their kids.

These moves come as a recent survey indicates the apparently predatory
nature many companies have in extracting personal data from kids. A
study by
the Annenberg School for Communication revealed, among other things,
that
nearly two-thirds of children aged 10-17 reveal (online) the names of
their
favorite stores if they received a free gift. Over 50% of children
between
10 and 17 years of age would divulge to website operators the names of
their
parents' favorite places to shop, in exchange for a present.

The full text of COPPA is available at
http://www.ftc.gov/ogc/coppa1.htm

For more press coverage of COPPA, visit "Study: Kids Spill The Beans On
Web," CBS News, May 17, 2000, at
http://cbsnews.cbs.com/now/story/0,1597,195861-412,00.shtml

See also David Ho, "Online Tit for Tat," Associated Press, May 16, 2000,
at
http://www.abcnews.go.com/sections/tech/DailyNews/netprivacy000516.html

=============================================
[19] Indian Net search plans deemed invasive
=============================================
The Indian parliament has passed a law that may increase government
intrusions into cyberspace.

The federal Information Technology Bill allows senior law enforcement
officials to conduct searches of public places (under the pretext of
conducting a cybercrime investigation) without a warrant. Other
provisions
may force Internet users to provide certain types of information about
themselves, and ban them from posting data deemed to be obscene. In
addition, Internet service providers (with over 2MB of bandwidth) may
have
to make their networks wiretap-friendly for India's Central Bureau of
Investigation and other such agencies. Opponents of the bill worry that
it
will subvert individual privacy on the Internet, and will stifle India's
rapidly growing technology sector.

Read "Parliament passes IT bill," IndiaTimes, May 17, 2000 at
http://www.indiatimes.com/17indu2.htm

See also Frederick Noronha, "India Eyes Cyberlaws," Wired News, April
25,
2000, at
http://www.wired.com/news/print/0,1294,35822,00.html

=============================================
[20] EU to lift crypto restrictions
=============================================
The European Union is considering plans to ease restrictions on the use
of
computer cryptography.

The EU is hoping that by reducing its own rules on cryptographic
programs,
it will ensure that European computer companies will be able to compete
on
an equal footing with their American counterparts. Previously, European
firms that wanted to export encryption software had to request
permission
from their respective governments, then wait while officials undertook
arduous investigations to ensure that the buyer did not constitute a
national security threat. Worse still, government agencies often used
these
review powers to pressure companies into weakening the cryptographic
strength of their products.

US officials already had announced plans to end limitations on the
export of
strong encryption, and are now accepting applications from software
manufacturers for export licenses. Oddly enough, an EU spokesperson
confirmed the fact that the US government had urged its European
partners
not to liberalize its rules on crypto. Nevertheless, EU ministers bucked
these concerns, noting that "the European Union does not make their
policies
dependent on the opinion of the United States."

For further information, see Jelle van Buuren, "European Union sets free
export of encryption products," Heise Telepolis, May 22, 2000 at
http://www.heise.de/tp/english/inhalt/te/8179/1.html

See also "EU To Copy US Crypto 'Open Export' Rules," Newsbytes, April
28,
2000, at
http://www.newsalert.com/bin/story?StoryId=CoqKmWc4bmdaWmti&FQ=Crypto&Na
v=na
-search-&StoryTitle=Crypto

=============================================
[21] Euro plan: end Net anonymity
=============================================
End anonymity on the Internet? Not so fast.

That appears to be the message being given by European government
officials.
Previous reports had indicated that the European Parliament's Committee
for
Citizens' Freedoms, Rights, Justice and Home Affairs would recommend a
new
law that would force Internet users to register personal information
with
telecommunications companies. While details of the proposal were sketchy
at
best, the plan apparently followed the suggestions of a recent European
Commission white paper, which called for anonymous remailers to follow a
"code of conduct" that included the collection of personal information
from
individual users and other restrictions. The initiative was bolstered by
concerns that anonymous e-mail messaging would enhance the
organizational
powers of cyber-terrorists.

However, the scheme has run into a number of difficulties. Privacy
advocates
have voiced fears that these plans would curtail individual privacy
online.
In addition, the proposal reportedly suffered from highly unwieldy
provisions that made it hard to enforce. Furthermore, there was
virtually no
public support for the scheme. Against this backdrop, the European
Council
of Ministers is now hinting that it will shelve the proposal for the
time
being.

For more on this story, read Tim Richardson, "Euro anonymous email plans
are
'unworkable'," The Register (UK), May 12, 2000, at
http://www.theregister.co.uk/000512-000008.html

See also Declan McCullagh, "Anonymity Threatened in Europe," Wired News,
April 26, 2000 at
http://www.wired.com/news/print/0,1294,35924,00.html

==========================================================
	ABOUT THE GILC NEWS ALERT:
==========================================================
The GILC News Alert is the newsletter of the Global Internet Liberty
Campaign, an international coalition of organizations working to protect
and
enhance online civil liberties and human rights.  Organizations are
invited
to join GILC by contacting us at
[log in to unmask]

To alert members about threats to cyber liberties, please contact
members
from your country or send a message to the general GILC address.

To submit information about upcoming events, new activist tools and news
stories, contact:

Christopher Chiu
GILC Coordinator
American Civil Liberties Union
125 Broad Street, 17th Floor
New York, New York 10004
USA

Or email:
[log in to unmask]

More information about GILC members and news is available at
http://www.gilc.org

You may re-print or redistribute the GILC NEWS ALERT
freely.

To subscribe to the alert, please send e-mail to
[log in to unmask]

with the following message in the body:
subscribe gilc-announce

========================================================
PUBLICATION OF THIS NEWSLETTER IS MADE POSSIBLE BY A
GRANT FROM THE OPEN SOCIETY INSTITUTE (OSI)
========================================================



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%