From: EPIC News [mailto:[log in to unmask]]
Sent: Wednesday, September 13, 2000 11:13 PM
To: EPIC Info
Subject: EPIC Alert 7.16

==============================================================
EPIC Alert
==============================================================
Volume 7.16                                September 13, 2000
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_7.16.html

=======================================================================
Table of Contents
=======================================================================

[1] EPIC Testifies on Online Privacy Bills before Congress
[2] FBI and DOJ Continue to Oppose Disclosure of Carnivore Info
[3] GAO Study Finds that Government Websites Fail on Privacy Policies
[4] New Polls Show Public Support for Privacy
[5] FTC Seeks Public Comment on Security of Financial Data
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - The Privacy Law Sourcebook 2000
[8] Upcoming Conferences and Events

=======================================================================
[1] EPIC Testifies on Online Privacy Bills before Congress
=======================================================================

On September 6, EPIC Executive Director Marc Rotenberg testified before
the House Judiciary Committee on three bills now pending in Congress --
the Electronic Communications Privacy Act of 2000, the Digital Privacy
Act of 2000, and the Notice of Electronic Monitoring Act of 2000. The
first two bills would strengthen the federal wiretap statute. The third
bill would require employers to notify employees when they conduct
electronic surveillance.

Rotenberg said that EPIC favors proposals to strengthen the standards
and oversight for wiretapping.
"We support the provisions that would extend current reporting requirements, clarify the scope of the exclusionary rule, establish a high standard for the issuance of warrants for pen register and trap and trace devices, as well as access to locational information." Rotenberg noted that EPIC opposed passage of the Communications Assistance for Law Enforcement Act (CALEA) in 1994, relying in part on information contained in the federal wiretap reports that revealed that wiretapping was hardly ever used in cases involving kidnapping or bombings, as the FBI had alleged. Both bills pending in Congress would extend the reporting requirements to new forms of electronic surveillance. Rotenberg also said that strengthening the "pen register" and "trap and trace" provisions in the federal wiretap statute was necessary because of recent concerns about the scope of the FBI's Carnivore monitoring system and ongoing questions about the appropriate standard for access to transactional data. EPIC is currently seeking information describing the Carnivore surveillance system in a widely reported Freedom of Information Act case (see [2] below). On the proposal to require notice of electronic monitoring conducted in the workplace, Rotenberg said that a stronger measure is appropriate and necessary to safeguard privacy. "If the bill remains a notice-only measure, we would strongly urge the Committee to add a provision that would require the notice to be available by means of the World Wide Web. That would prevent intimidation of employees seen reading the notice (a common problem with paper notices) and would also help the labor market function by enabling prospective employees to evaluate the privacy policies of prospective employers." He recommended that workplace privacy legislation incorporate Fair Information Practices and follow provisions in existing privacy U.S. Laws, as well as the International Labour Organization privacy guidelines. 

EPIC's Testimony before the House Judiciary Committee:

     http://www.epic.org/privacy/wiretap/testimony_0900.html

For more information, visit the EPIC Wiretap Page:

     http://www.epic.org/privacy/wiretap/

=======================================================================
[2] FBI and DOJ Continue to Oppose Disclosure of Carnivore Info
=======================================================================

As Congressional committees convened hearings on the FBI's Carnivore
surveillance system, the Bureau and the Department of Justice continue
to oppose efforts to publicize important information about the design
and capabilities of the invasive technology. The agencies recently
moved to dismiss EPIC's lawsuit seeking disclosure of information about
Carnivore, and have belatedly indicated that the full results of an
"independent review" of the system probably will not be made public.

On July 12, one day after the initial media coverage of Carnivore, EPIC
filed a Freedom of Information Act (FOIA) request seeking the public
release of all FBI records concerning the system, including the source
code, other technical details, and legal analyses addressing the
potential privacy implications of the technology. On July 18, after
Carnivore had become a major issue of public concern, EPIC asked the
Justice Department to expedite the processing of its request. When DOJ
failed to respond within the statutory deadline, EPIC filed suit in
U.S. District Court seeking the immediate release of all information
concerning Carnivore. (See EPIC Alert 7.15).

At an emergency hearing held on August 2, U.S. District Judge James
Robertson ordered the FBI to report back to the court by August 16 and
to identify the amount of material at issue and the Bureau's schedule
for releasing it. The FBI subsequently reported that 3000 pages of
responsive material were located, but refused to commit to a date for
the completion of processing.
EPIC immediately sought a court order requiring the FBI to release the
material by December 1, 2000 -- when the Justice Department plans to
release the results of an "independent review" of the Carnivore system.

In response to EPIC's motion for a disclosure deadline, the Justice
Department and the FBI on August 24 moved to dismiss the lawsuit,
claiming that the court has no authority to order the release of
Carnivore documents by any particular date. EPIC responded to the
government motion on September 1.

As it was moving to dismiss the FOIA suit, the Justice Department
finally revealed the details of its proposed independent review of the
Carnivore system. In the request for proposals released on August 24,
DOJ acknowledged that the complete report of the reviewers probably
will not be made available to the public:

     The contractor will document the results of the technical review
     into a draft and final report that the Department will *make
     public to the maximum extent that is consistent with otherwise
     applicable law or contractual obligations and with preserving the
     effectiveness of Carnivore* as a tool for effectuating
     court-ordered interceptions of electronic communications or
     related information. (emphasis added).

USA Today has reported that most of the universities that had initially
expressed an interest in performing the review are unwilling to do so
under the conditions imposed by DOJ. Regardless of its outcome, EPIC
continues to believe that the proposed independent review is no
substitute for the public disclosure of information concerning
Carnivore, consistent with the requirements of the FOIA.

More information on EPIC's FOIA litigation, and the DOJ independent
review, is available at:

     http://www.epic.org/privacy/carnivore/

=======================================================================
[3] GAO Study Finds that Government Websites Fail on Privacy Policies
=======================================================================

On September 12, the General Accounting Office (GAO) released its study
of government website privacy policies and how they conform to Fair
Information Practices as formulated by the Federal Trade Commission
(FTC). The results of the study found that ninety-seven percent of
government websites failed to address the FTC Fair Information
Practices of notice, choice, access, and security. Earlier this year, a
group of House Republicans asked for the study in response to the FTC's
own recommendation to Congress for legislation over private sector
websites.

Of the sixty-five government agency websites surveyed, eighty-five
percent posted a privacy policy. In addition, fourteen percent of the
notices stated that the website allowed cookies to be placed by third
parties. Third-party cookies, often used for online profiling by
Internet advertising companies, have been the focus of recent privacy
controversies.

While some, on the basis of the GAO's study, have concluded that the
results are evidence that Congress should not be looking into
regulating Internet privacy in the private sector, others have pointed
out that citizens already have rights and protections under the Privacy
Act of 1974. The Privacy Act requires government agencies to provide
the full range of Fair Information Practices including access, purpose
specification, use limitation, and data integrity principles not fully
provided in the FTC's formulation. Also, unlike commercial websites,
the privacy protections available to visitors to government web pages
do not depend on the website operator's own stated practices.

The GAO Study (1500K PDF) is available online at:

     http://www.epic.org/privacy/internet/armey_gao_study.pdf

An online version of the Privacy Act of 1974:

     http://www.epic.org/privacy/laws/privacy_act.html

=======================================================================
[4] New Polls Show Public Support for Privacy
=======================================================================

On August 20, the Pew Internet & American Life Project released a
report, "Trust and Privacy Online: Why Americans Want to Rewrite the
Rules," examining the public's attitudes towards privacy and the
Internet. The survey of over 2,000 adults found that the majority of
interviewed online users want the presumption of privacy on the
Internet but do not possess the necessary technical knowledge about how
their privacy may be invaded or how to protect themselves. The report
also documented that 86 percent of Internet users support an opt-in
standard for privacy protection, diverging from the opt-out favored by
the Federal Trade Commission and industry-sponsored self-regulatory
groups.

The survey also found that 84 percent of those surveyed were concerned
about unknown third parties accessing their personal information, while
68 percent were concerned about hackers obtaining their credit card
numbers. In addition, while 62 percent of those who have been online
for a short amount of time are concerned about privacy online, 50
percent of those who have been online for more than three years
continue to share those sentiments.

A separate survey conducted by Yankelovich Partners found a similar
widespread concern about privacy on the Internet. The survey of over
1,000 adults found that 90 percent of respondents felt that privacy was
the most pressing concern when shopping online, rating higher than
prices and return policies. The survey also found that 79 percent of
respondents leave websites when required to provide personal
information to proceed.
"Trust and Privacy Online: Why American Want to Rewrite the Rules" is available at: http://www.pewinternet.org/reports/toc.asp?Report=19 An archive of surveys of public attitudes towards Internet privacy is available at: http://www.epic.org/privacy/survey/default.html ======================================================================= [5] FTC Seeks Public Comment on Security of Financial Data ======================================================================= On August 31, the Federal Trade Commission (FTC) began soliciting public comments on the portion of Gramm-Leach-Bliley, the Financial Services Modernization Act, addressing safeguards and security for nonpublic financial data. Section 501(b) of Gramm-Leach-Bliley required the FTC and other agencies with jurisdiction over financial institutions to establish rules setting security standards for personal financial information. The notice from the FTC does not propose a rule for security, but instead requests comment on the scope and specificity of such a rule, as well as how it should work with guidelines produced by other government agencies with jurisdiction over financial institutions. In related news, the comment period for the Department of Justice study on bankruptcy and privacy has been extended to September 22 (see EPIC Alert 7.15). The study will examine both the privacy of personal data submitted in the course of bankruptcy filings as well as whether such data can be declared as an asset in bankruptcy proceedings. For more information about the Gramm-Leach-Bliley Safeguards Rule: http://www.ftc.gov/opa/2000/08/fyi0048.htm For more information on the DOJ Privacy and Bankruptcy study: http://www.usdoj.gov/ust/privacy/privacy-study.htm ======================================================================= [6] EPIC Bill-Track: New Bills in Congress ======================================================================= *House* H.R.4987. Digital Privacy Act of 2000. 
Updates wiretap statute to include greater reporting requirements,
higher standards for use of pen registers, and restrictions on
government access to cellular phone location information. Sponsor: Rep.
Barr, Bob (R-GA). Referred to House Committee on the Judiciary.

H.R.5018. Electronic Communications Privacy Act of 2000. Updates
wiretap statute to include stored electronic communication. Also
expands reporting requirements and raises the legal standard for use of
pen registers. Sponsor: Rep. Canady, Charles T. (R-FL). Referred to
House Committee on the Judiciary, Subcommittee on the Constitution.

*Senate*

S.2360. Freedom From Behavioral Profiling Act of 2000. Amends
Gramm-Leach-Bliley (Financial Services Modernization Act) to require
consent before financial institutions can disclose information about a
customer's purchasing habits or financial practices. Sponsor: Sen.
Shelby, Richard C. (R-AL). Read twice and referred to the Committee on
Banking, Housing, and Urban Affairs.

S.2857. Privacy Policy Enforcement in Bankruptcy Act of 2000. Prevents
personal data such as a name, address, or credit card number from being
claimed as an asset in bankruptcy proceedings. Sponsor: Sen. Leahy,
Patrick J. (D-VT). Read twice and referred to the Committee on the
Judiciary.

S.2928. Consumer Internet Privacy Enhancement Act. Requires commercial
websites to provide notice and opt-out when collecting personal
information. Notably, also pre-empts state laws regarding Internet
privacy. Sponsor: Sen. McCain, John (R-AZ). Referred to Senate
Committee on Commerce, Science, and Transportation.

EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills in
the 106th Congress, is available at:

     http://www.epic.org/privacy/bill_track.html

=======================================================================
[7] EPIC Bookstore - The Privacy Law Sourcebook 2000
=======================================================================

**NEW**

The Privacy Law Sourcebook 2000: United States Law, International Law,
and Recent Developments
edited by Marc Rotenberg

     http://www.epic.org/pls/

The Privacy Law Sourcebook is the first one-volume resource for
students, attorneys, researchers and journalists who need a
comprehensive collection of US and International privacy law, as well
as a fully up-to-date section on recent developments. Includes the full
texts of most major privacy laws and directives such as the FCRA, the
Privacy Act, FOIA, Family Education Rights and Privacy Act, Right to
Financial Privacy Act, Privacy Protection Act, Cable Communications
Policy Act, ECPA, Video Privacy Protection Act, OECD Privacy
Guidelines, OECD Cryptography Guidelines, European Union Directives for
both Data Protection and Telecommunications, and more.

The Privacy Law Sourcebook is updated and expanded for 2000 to include
the new Canadian privacy law, the final documents for the Safe Harbor
arrangement, and recent opinions from the European Commission on
compliance with the EU Data Directive. Also included is an extensive
section on privacy resources with useful web sites and contact
information for privacy agencies, organizations, and publications.

================================

EPIC Publications:

"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, editors, (EPIC 2000). Price:
$20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world.
The results indicate that the efforts to reduce export controls on
strong encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

================================

"Filters and Freedom - Free Speech Perspectives on Internet Content
Controls," David Sobel, editor (EPIC 1999). Price: $20.
http://www.epic.org/filters&freedom/

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.

================================

"Privacy and Human Rights 1999: An International Survey of Privacy Laws
and Developments," David Banisar, Simon Davies, editors, (EPIC 1999).
Price: $15. http://www.epic.org/privacy&humanrights99/

An international survey of the privacy and data protection laws found
in 50 countries around the globe. This report outlines the
constitutional and legal conditions of privacy protection, and
summarizes important issues and events relating to privacy and
surveillance.

================================

Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be ordered
through the EPIC Bookstore: http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Panel on Online Privacy. DC Internet Society. September 13, 2000.
Library of Congress, Madison Building. Washington, DC. For more
information: [log in to unmask]

Online Privacy Technologies Workshop. National Telecommunications and
Information Administration, Department of Commerce. September 19, 2000.
Washington, DC. For more information:
http://www.ntia.doc.gov/ntiahome/privacy/index.html

Health Information Privacy: A Dialogue with the Stakeholders. September
21, 2000. Ottawa, Canada.
For more information: http://www.rileyis.com/seminars

International Forum on Surveillance by Design. Organized by Privacy
International, the American Civil Liberties Union, and Quintessenz.
September 22, 2000. London, England. For more information:
http://www.cs.ucl.ac.uk/staff/I.Brown/ifsd.html

KnowRight 2000 - InfoEthics Europe. Austrian Computer Society and
UNESCO. September 26-29, 2000. Vienna, Austria. For more information:
http://www.ocg.at/KR-IE2000.html

The Public Voice in Privacy Policy. EPIC and Privacy International.
September 27, 2000. Venice, Italy. For more information:
http://www.epic.org/events/publicvoice_venice/

Media, Democracy & The Constitution. The Fund for Constitutional
Government. September 27, 2000. National Press Club. Washington, DC.
For more information: [log in to unmask]

One World, One Privacy: 22nd Annual International Conference on Privacy
and Personal Data Protection. September 28-30, 2000. Venice, Italy. For
more information: http://www.dataprotection.org/

Drawing the Blinds: Reconstructing Privacy in the Information Age.
CPSR's Annual Conference and Wiener Award Dinner. October 14, 2000.
Philadelphia, PA. For more information: http://www.cpsr.org.

Privacy: A Social Research Conference. New School University. October
5-7, 2000. New York, NY. For more information:
http://www.newschool.edu/centers/socres/privacy/

Call for Papers. Online, Offshore and Cross-Border: Regulating Global
E-Commerce. Washington College of Law, American University. October 15,
2000. For more information: [log in to unmask]

Measuring & Analyzing Online Customer Behavior. International Quality
and Productivity Center. October 23-24, 2000. Chicago, IL. For more
information: http://www.iqpc.com

Privacy2000: Information and Security in the Digital Age. October 31-
November 1, 2000. Columbus, Ohio. For more information:
http://www.privacy2000.org

Mealey's Internet Law 101 Conference. November 1-2, 2000. Tysons
Corner, VA.
For more information: [log in to unmask]

2000 BNA Public Policy Forum: e-commerce and internet regulation.
November 15-16, 2000. Tysons Corner, VA. For more information:
http://internetconference.pf.com

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. A Web-based form is available for subscribing or
unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to
[log in to unmask] with the subject: "subscribe" (no quotes) or
"unsubscribe".

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information". Please contact [log in to unmask] if you
have any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information.
EPIC is sponsored by the Fund for Constitutional Government, a
non-profit organization established in 1974 to protect civil liberties
and constitutional rights. EPIC publishes the EPIC Alert, pursues
Freedom of Information Act litigation, and conducts policy research.
For more information, e-mail [log in to unmask], http://www.epic.org or
write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 7.16 -----------------------