EPIC Alert 7.09

 

Volume 7.09 May 15, 2000 

-------------------------------------------------------------- 


Published by the 

Electronic Privacy Information Center (EPIC) 

Washington, D.C. 


http://www.epic.org 


======================================================================= 

Table of Contents 

======================================================================= 


[1] FTC Completes Internet Privacy Sweep and Advisory Committee Report 

[2] Anonymous Message Board Poster Sues Yahoo! for Disclosures 

[3] Court to Hear Challenge to Proposed FBI Wiretap Standards 

[4] Privacy Groups Oppose Financial Privacy Delay 

[5] EPIC Testifies on Use of Social Security Numbers 

[6] New Survey Details Experiences of Identity Theft Victims 

[7] Press Freedom Survey Finds Extensive Censorship 

[8] Upcoming Conferences and Events 


======================================================================= 

[1] FTC Completes Internet Privacy Sweep and Advisory Committee Report 

======================================================================= 


As reported in the Wall Street Journal on May 11, the Federal Trade 

Commission's sweep of Internet privacy policies found that the 

overwhelming majority of websites fail to meet standards for privacy 

protection. According to the coverage, the Federal Trade Commission 

(FTC) found that while almost 90 percent of websites surveyed had 

privacy policies, only roughly 20 percent satisfied the FTC's version 

of Fair Information Practices -- notice, consent, access, and 

security. The report also includes a staff recommendation that the 

FTC ask Congress for the authority to issue rules over Internet 

privacy. 


The results of the FTC's sweep are not surprising considering other 

recent surveys. EPIC's last survey conducted in December 1999, 

"Surfer Beware 3: Privacy Policies Without Privacy Protection," found 

that none of the top 100 e-commerce sites met the standard set out by 

a more robust set of Fair Information Practices. An industry-funded 

survey conducted by Georgetown University in January 1999 found that 

less than 10 percent of websites visited met the FTC's standards. 


Tommorrow, the FTC Advisory Committee on Online Access and Security 

will release its final report. The report brought together 

representatives from industry, academia and privacy groups to 

recommend implementation options for access and security. The report 

discusses access, the ability of the consumer to view and edit their 

personal information, and security, the prevention of unauthorized 

access or use of data. The final version of the report contains a 

consensus recommendation for security and four options for access. 

EPIC Policy Analyst Andrew Shen was a member of the Advisory 

Committee. 


The security recommendation is that Web sites maintain a security 

program detailing their procedures and should be evaluated on the 

basis of whether or not it is "appropriate under the circumstances." 

The access implementation options are "total access" in which a 

consumer to access all their personal information; "default to 

consumer access" in which access would be provided in accordance with 

the "ordinary course of business"; "case-by-case" in which the 

provision of access is not presumed but depends on the types of 

information and costs; "access for correction" in which a limited 

scope of information would be subject to access and available only for 

minor editing. 


The final report of the FTC Advisory Committee, transcripts of public 

meetings, and public comments are available at: 


http://www.ftc.gov/acoas/ 


"Surfer Beware 3: Privacy Policies Without Privacy Protection" is 

available at: 


http://www.epic.org/reports/surfer-beware3.html 

======================================================================= 

[2] Anonymous Message Board Poster Sues Yahoo! for Disclosures 

======================================================================= 


A federal lawsuit filed in California on May 11 could establish 

important protections for Internet privacy, anonymity and free 

expression. The suit, filed against Yahoo! by a user of the service's 

popular financial message boards, challenges the company's practice of 

disclosing a user's personal information to third parties without 

prior notice to the user. It accuses the online portal of violating 

the "constitutional and contractual rights to privacy" of the user, 

who lost his job after posting remarks about his employer on a Yahoo! 

message board. 


Over the past year, Yahoo! has been inundated with subpoenas issued by 

companies seeking the identities of individuals anonymously posting 

information critical of the firms and their executives. Without 

notifying the targeted users, and without assessing the validity of 

the legal claims underlying the subpoenas, Yahoo! has systematically 

disclosed identifying information such as users' names, e-mail 

addresses and Internet protocol addresses. Yahoo! has been unique 

among major online companies in its refusal to notify its users of 

such subpoenas and provide them with an opportunity to challenge the 

information requests. (Since the filing of the lawsuit, Yahoo! has 

claimed that it changed its policy in April and does now notify users. 

However, that change is not yet reflected at the Yahoo! website.) 


Privacy and free speech advocates, including EPIC, have criticized 

Yahoo!'s policy on the ground that Internet users have a right to 

communicate anonymously and usually do so for valid reasons. 

According to David L. Sobel, EPIC's General Counsel, "online anonymity 

plays a critical role in fostering free expression on the Internet, 

and has clearly contributed to the popularity of the medium." He 

said, "The U.S. Supreme Court has ruled that anonymity is a 

constitutional right, but the failure to inform users when subpoenas 

are issued may make that right illusory online." 


The lawsuit was filed in United States District Court in Los Angeles 

by "Aquacool_2000," a pseudonymous Yahoo! user whose personal 

information was disclosed to AnswerThink Consulting Group, Inc., a 

publicly held company. A copy of the lawsuit (in PDF) is available 

at: 


http://www.epic.org/anonymity/aquacool_complaint.pdf 


======================================================================= 

[3] Court to Hear Challenge to Proposed FBI Wiretap Standards 

======================================================================= 


This week, EPIC and other Internet privacy advocacy groups will ask a 

federal appeals court to block new rules that would enable the FBI to 

dictate the design of the nation's communication infrastructure. The 

challenged rules would, among other capabilities, enable the Bureau to 

track the physical locations of cellular phone users and potentially 

monitor Internet traffic. 


In an oral argument to be heard by the U.S. Court of Appeals for the 

District of Columbia Circuit on May 17, EPIC, the American Civil 

Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) 

will argue that the rules -- contained in a Federal Communications 

Commission (FCC) decision issued last August -- could result in a 

significant increase in government interception of digital 

communications. Also arguing against the proposed technical standards 

will be another group of challengers, comprised of telecommunications 

industry trade associations and the Center for Democracy and 

Technology. 


The court challenge involves the Communications Assistance for Law 

Enforcement Act (CALEA), a controversial law enacted by Congress in 

1994, which requires the telecommunications industry to design its 

systems in compliance with FBI technical requirements to facilitate 

electronic surveillance. In negotiations over the last few years, the 

FBI and industry representatives were unable to agree upon those 

standards, resulting in last year's FCC ruling. EPIC, ACLU and EFF 

participated as parties in the FCC proceeding and argued that the 

privacy rights of Americans must be protected. 


The groups' court briefs asserted that the FCC ruling exceeds the 

requirements of CALEA and frustrates the privacy interests protected 

by federal statutes and the Fourth Amendment. Among other things, the 

Commission order would require telecommunications providers to 

determine the physical locations of cellular phone users and deliver 

"packet-mode communications" -- such as those that carry Internet 

traffic -- to law enforcement agencies. 


Proposed architectural changes to communications networks are also 

being considered this week in Paris, where a Group of Eight (G-8) 

conference is considering "cybercrime" issues. The process, which 

began several years ago at the behest of the United States, may be 

moving toward concrete proposals that could impact online anonymity. 

During the G-8 ministerial conference in Moscow last October, the 

countries committed their experts to organize a dialogue between 

industry and governments about "identifying and locating 

cybercriminals." During the scheduled Okinawa summit in July, the 

results of the discussion will be considered by the Heads of State of 

the G-8. 


Background materials on CALEA, including the briefs filed by EPIC, 

ACLU and EFF, are available at EPIC's website: 


http://www.epic.org/privacy/wiretap/ 


Information on the G-8 conference is available at: 


http://www.g8parishightech.org/en_txt/index.htm 


======================================================================= 

[4] Privacy Groups Oppose Financial Privacy Delay 

======================================================================= 


Despite widespread public support for the protection of personal 

financial information, government agencies have decided to delay the 

effective date of financial privacy protections until July 2001. 


Upon rumors that the agencies in charge of issuing rules protecting 

financial privacy were planning to delay their effective date, a 

coalition of privacy groups issued a joint letter on May 9 insisting 

that the rules goes into effect as planned. The open letter to the 

agencies stated that while the privacy guidelines provided by the 

Gramm-Leach-Bliley Act were inadequate, they still offered more than 

the current lack of protections. Despite these concerns, on May 11, 

the Federal Reserve, the Federal Deposit Insurance Corporation, the 

Office of the Comptroller of the Currency, and the Office of Thrift 

Supervision issued their final financial privacy rules but delayed the 

effective date until July 1 of next year. In a separate announcement 

released today, the Federal Trade Commission also issued its final 

rules with the same delayed effective date. 


Public support for financial privacy continues to grow despite the 

slow response from the federal government. A recent poll published by 

the National Journal found that 14 percent of registered voters cited 

the protection of financial records as their top priority for Congress 

this year. In comparison, 16 percent of those polled picked tougher 

gun restrictions and seven percent selected the passage of a patients' 

bill of rights as high priority issues. 


The letter opposing the delay of financial privacy protections: 


http://www.pirg.org/consumer/glbdelay.htm 


Press release announcing the delay of the effective date for financial 

privacy rules: 


http://www.bog.frb.fed.us/boarddocs/press/BoardActs/2000/ 

20000510/default.htm 


Separate press release from the Federal Trade Commission also delaying 

the implementation of financial privacy protections: 


http://www.ftc.gov/opa/2000/05/glbpress1.htm 


======================================================================= 

[5] EPIC Testifies on Use of Social Security Numbers 

======================================================================= 


On May 11, EPIC Executive Director Marc Rotenberg testified before the 

House Subcommittee on Social Security on the "Use and Misuse of Social 

Security Numbers." The subcommittee convened the hearing to examine 

the need for legislation to curb the growing misuse of Social Security 

Numbers (SSNs) such as in cases of identity theft. 


EPIC's testimony argues that legislation to limit the collection and 

use of the SSN is appropriate, necessary and fully consistent with 

U.S. law. The history of the SSN demonstrates that it was never 

intended to be used widely as a unique identifier and that there is 

clear judicial and legislative support for further legal restrictions 

on its use. The testimony concluded that strong privacy laws and 

other safeguards are necessary to ensure that the problems associated 

with misuse of the SSN, such as profiling and identity theft, do not 

increase in the future. 


Also testifying on the panel were several members of Congress 

proposing legislation to curb the use of SSNs, the Consumer Program 

Director of U.S. PIRG, and representatives of industries and 

government agencies that regularly use Social Security Numbers in the 

course of their work. 


EPIC's testimony is available at: 


http://www.epic.org/privacy/ssn/testimony_0500.html 


The testimony of other panel members is also online at: 


http://www.house.gov/ways_means/socsec/106cong/ss-17awi.htm 


======================================================================= 

[6] New Survey Details Experiences of Identity Theft Victims 

======================================================================= 


On May 1, the California Public Interest Research Group (CALPIRG) and 

the Privacy Rights Clearinghouse (PRC), released a new report 

highlighting the difficulties that victims of identity theft face in 

clearing their names. The report, entitled "Nowhere to Turn: Victims 

Speak out on Identity Theft", surveys the experiences of identity 

theft victims. The survey found that the victims had spent between 

two and four years removing an average of $18,000 in fraudulent 

charges. 


The report argues that law enforcement, government and credit industry 

procedures fail to address the growing problem of identity theft and 

make it difficult for victims to resolve their cases. The report 

acknowledges that the 1998 law passed by Congress to criminalize 

identity theft is an important "first step" in combating identity 

theft but argues that much more needs to be done. It recommends the 

introduction of state and federal laws to protect consumers and 

forcing bodies such as banks, department stores and credit bureaus to 

take a more responsible approach to the growing problem of identity 

theft. 


"Nowhere to Turn: Victims Speak out on Identity Theft" is at: 

http://www.pirg.org/calpirg/consumer/privacy/idtheft2000/ 


======================================================================= 

[7] Press Freedom Survey Finds Extensive Censorship 

======================================================================= 


In its 22nd annual survey of international press freedom, Freedom 

House recently found that nearly two-thirds of the 186 countries 

reviewed restrict the content of print and electronic news media. 

According to the report, sixty-nine countries (37 percent) have a free 

press, while 51 have a partly free news media and 66 do not provide 

press freedom. Those governments that restrict press freedom often 

claim to do so in the interest of preserving public morality and 

protecting national security. 


Governments employ various tactics to limit Internet access, such as 

mandating special licensing and regulation of Internet use, channeling 

traffic through filtered government servers, and banning access to 

particular Web pages. For example, the official Internet Service 

Provider (ISP) in China restricts access to particular news reports 

generated abroad. The Chinese government also monitors Web sites to 

ensure that no sensitive government information is disclosed and has 

imprisoned dissidents who have posted such material. In Russia, one 

of the successors to the KGB has required ISPs to install surveillance 

devices that allow direct monitoring of Internet activity. 


The Freedom House survey is available at: 


http://www.freedomhouse.org/pfs2000/ 


======================================================================= 

[8] Upcoming Conferences and Events 

======================================================================= 


Electronic Government: New Challenges for Public Administration and 

Law. May 18, 2000. Center for Law, Public Administration, and 

Informatization of Tilburg University, Netherlands. For more 

information: http://schoordijk.kub.nl/crbi/egov/ 


Securing Linux or BSD Novice Users' Personal Computers. GNU/Linux 

Beginners SIG. May 19, 2000. New School Computer Instruction Center. 

New York, NY. For more information: [log in to unmask] 


Shaping the Network: The Future of the Public Sphere in Cyberspace. 

Computer Professionals for Social Responsibility (CPSR). May 20-23, 

2000. Seattle, WA. For more information: 

http://www.scn.org/cpsr/diac-00 


New Millennium, New Horizons: Marketing and Public Policy Conference 

2000. American Marketing Association. June 1-3, 2000. Marriott Metro 

Center. Washington, DC. For more information: 

http://www.ama.org/events/ 


Data Sharing: Initiatives and Challenges Among Benefit and Loan 

Programs. United States General Accounting Office. June 7-8, 2000. 

Library of Congress, Jefferson Building. Washington, DC. For more 

information: [log in to unmask] 


First Annual Institute on Privacy Law: Strategies for Legal Compliance 

in a High Tech and Changing Regulatory Environment. Practicing Law 

Institute. June 22-23, 2000. PLI Conference Center. New York, NY. 

For more information: http://www.pli.edu 


Telecommunications: The Bridge to Globalization in the Information 

Society. Biennial Conference of the International Telecommunications 

Society. July 2-5, 2000. For more information: 

http://www.its2000.org.ar 


INET 2000: Internet Global Summit. Internet Society. July 18-20, 2000. 

Yokohama, Japan. For more information: http://www.isoc.org/inet2000 


First International Hackers Forum. The Green Planet. August 18-20, 

2000. Zaporozhye, Ukraine. For more information: 

http://www.geocities.com/hack_forum 


Surveillance Expo 2000. August 28-30, 2000. Arlington, VA. For more 

information: http://www.surveillance-expo.com 


KnowRight 2000 - InfoEthics Europe. Austrian Computer Society and 

UNESCO. September 26-29, 2000. Vienna, Austria. For more information: 

http://www.ocg.at/KR-IE2000.html 


Privacy: A Social Research Conference. New School University. October 

5-7, 2000. New York, NY. For more information: 

http://www.newschool.edu/centers/socres/privacy/ 


Privacy2000: Information and Security in the Digital Age. October 31- 

November 1, 2000. Adam's Mark Hotel. Columbus, Ohio. For more 

information: http://www.privacy2000.org 


======================================================================= 

Subscription Information 

======================================================================= 


The EPIC Alert is a free biweekly publication of the Electronic 

Privacy Information Center. A Web-based form is available for 

subscribing or unsubscribing at: 


http://www.epic.org/alert/subscribe.html 


To subscribe or unsubscribe using email, send email to 

[log in to unmask] with the subject: "subscribe" (no quotes) or 

"unsubscribe". 


Back issues are available at: 


http://www.epic.org/alert/ 


======================================================================= 

About EPIC 

======================================================================= 


The Electronic Privacy Information Center is a public interest 

research center in Washington, DC. It was established in 1994 to 

focus public attention on emerging privacy issues such as the Clipper 

Chip, the Digital Telephony proposal, national ID cards, medical 

record privacy, and the collection and sale of personal information. 

EPIC is sponsored by the Fund for Constitutional Government, a 

non-profit organization established in 1974 to protect civil liberties 

and constitutional rights. EPIC publishes the EPIC Alert, pursues 

Freedom of Information Act litigation, and conducts policy research. 

For more information, e-mail [log in to unmask], http://www.epic.org or 

write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 

20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). 


If you'd like to support the work of the Electronic Privacy 

Information Center, contributions are welcome and fully 

tax-deductible. Checks should be made out to "The Fund for 

Constitutional Government" and sent to EPIC, 1718 Connecticut 

Ave., NW, Suite 200, Washington, DC 20009. 


Your contributions will help support Freedom of Information Act and 

First Amendment litigation, strong and effective advocacy for the 

right of privacy and efforts to oppose government regulation of 

encryption and expanding wiretapping powers. 


Thank you for your support. 


---------------------- END EPIC Alert 7.09 ----------------------- 



. 



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%