=======================================================================
                          E P I C   A L E R T
=======================================================================
Volume 4.01                                            January 10, 1997
-----------------------------------------------------------------------
      Published by the Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
                          http://www.epic.org/

=======================================================================
Table of Contents
=======================================================================

[1] Crypto in the Courts
[2] Final Crypto Export Regulations Released
[3] New Online Privacy Bill Introduced in Congress
[4] WIPO Treaties Adopted: Privacy Issues Remain
[5] Federal Reserve Launches Privacy Study
[6] Federal Trade Commission Sidesteps Privacy Concerns
[7] HHS Seeks Comments on Medical Privacy
[8] Upcoming Conferences and Events

=======================================================================
[1] Crypto in the Courts
=======================================================================

The legal assault on crypto restrictions continues. Oral arguments in Karn v. Department of State will be held tomorrow morning (Friday, January 10) before the U.S. Court of Appeals for the District of Columbia Circuit. The case is a constitutional challenge to U.S. controls on the export of encryption technology. Software engineer Philip Karn unsuccessfully sought an export license for a diskette containing the source code printed in the book "Applied Cryptography" by Bruce Schneier. Karn's request was denied despite the fact that the book itself may be freely exported.

One of the issues likely to be addressed at the hearing is the effect of the new encryption export regulations recently promulgated by the Clinton Administration. Among other things, the new regulations transfer licensing authority from the State Department (which denied the Karn application) to the Commerce Department.

EPIC is participating in the case as amicus curiae in support of Karn. A copy of the brief, which was joined by the American Civil Liberties Union, the Internet Society and the U.S. Public Policy Committee of the Association for Computing Machinery, can be found at:

     http://www.epic.org/crypto/export_controls/amicus_brief.html

The Karn hearing comes in the wake of a favorable decision in a related case in California. In Bernstein v. Department of State, U.S. District Judge Marilyn Patel ruled last month that government regulations barring the export of encryption software are a "paradigm of standardless discretion" and constitute an unconstitutional violation of free speech. The effect of the new regulations on the Bernstein case is likely to be addressed by the court soon.

Additional information on both the Karn and Bernstein cases can be found at:

     ftp://ftp.cygnus.com/pub/export/export.html

=======================================================================
[2] Final Crypto Export Regulations Released
=======================================================================

The White House on December 30 issued revised regulations on the export of cryptography. The regulations are substantially similar to the draft released in November (see EPIC Alert 3.20) and went into effect immediately. The regulations seek to promote the creation of key escrow and key recovery products by means of an elaborate licensing scheme that will effectively prohibit the availability of strong encryption for Internet users and businesses.

One change from the draft regulations is that the restriction on exports of printed books was removed. The regulations now state that printed material is not subject to export review.
They also state that "the Administration continues to review whether and to what extent scanable encryption source or object code in printed form should be subject to the EAR and reserves the right to impose controls on such software for national security and foreign policy reasons."

The Department of Commerce will receive comments until February 13, although the Department states that it is not required to follow standard administrative procedures for the consideration of public comments.

More information about export controls and a copy of the new regulations are available at:

     http://www.epic.org/crypto/export_controls/

=======================================================================
[3] New Online Privacy Bill Introduced in Congress
=======================================================================

One of the first bills introduced in the 105th Congress seeks to establish privacy safeguards for Internet users. The Consumer Internet Privacy Protection Act of 1997 (H.R. 98), introduced by Rep. Bruce Vento (D-MN), would create enforceable privacy rights for users of on-line services.

The new bill requires that an "interactive computer service" obtain consent from a subscriber before disclosing personally identifiable information to a third party. The subscriber may also obtain the identity of third parties that obtain personal information. A service must also allow the subscriber access to personally identifiable information held by the service and allow the subscriber to verify and correct that information.

The Federal Trade Commission is given the authority to examine and investigate providers and to issue cease and desist orders for violations. The bill also allows individuals to seek civil relief in court for violations of the Act.

Congressman Vento described the bill as "a common sense approach . . . to ensure that citizens of our nation are able to benefit and retain a voice in the use of this technology without involuntarily sacrificing their personal privacy."

The Consumer Internet Privacy Protection Act is available at:

     http://www.epic.org/privacy/internet/hr_98.html

=======================================================================
[4] WIPO Treaties Adopted: Privacy Issues Remain
=======================================================================

The World Intellectual Property Organization adopted the "WIPO Copyright Treaty" and the "WIPO Performances and Phonograms Treaty" in late December after two weeks of international negotiation in Geneva. Both must be ratified by the U.S. Senate before they bind the U.S. Discussion of the more controversial "Database Treaty" was postponed until a later date.

Many of the more controversial provisions of the draft Copyright Treaty were eliminated from the final text. There is no explicit right to control browsing or to confer a property right on transient copies. Also, diplomatic consensus was reached in favor of extending traditional exemptions, including fair use, into the digital environment.

Still troubling are the privacy implications of Article 12 of the Copyright Treaty, the copyright-management provisions, under which the "Contracting Parties shall provide adequate and effective legal remedies" against individuals who knowingly violate or enable others to violate copyright protection systems. National legislation must be adopted to determine how copyright holders will monitor for such infractions and who will be held liable.

More information on the WIPO treaty proposals and the National Information Infrastructure legislation introduced in the 105th Congress can be found at:

     http://www.dfc.org/dfc/

=======================================================================
[5] Federal Reserve Launches Privacy Study
=======================================================================

The Federal Reserve Board has initiated a study to determine the public availability of "sensitive identifying information" about consumers (such as Social Security numbers, mothers' maiden names, prior addresses, and dates of birth), and to examine the possibility that such information could be used for financial fraud. The study is being launched pursuant to a congressional directive, and in response to the public outcry over the Lexis-Nexis P-TRAK service, which made personal identifying information readily available. The P-TRAK offerings were revised after EPIC directed media attention to the service last June.

In a thinly veiled reference to P-TRAK, the Board's notice refers to "a widely-publicized incident in which a large database service offered personal information for sale -- including individuals' social security numbers -- from one of its electronic databases."

Echoing concerns raised by EPIC and other privacy advocates, the Board recognizes the risks of "identity theft," noting that criminals can easily obtain identifying information and then "request and receive credit or negotiate checks in the consumer's name, with devastating results for the consumer."

One of the Board's principal areas of inquiry will be to determine whether there are organizations "engaged in the business of making sensitive consumer identification information ... available to the general public."

The Board is soliciting public comments, which must be submitted no later than January 31. By March 31, the Board must report the results of the study to Congress, including any suggestions for legislative change.
The notice and request for comments is available at:

     http://www.epic.org/privacy/ssn/fed_reserve_12_96.html

=======================================================================
[6] Federal Trade Commission Sidesteps Privacy Concerns
=======================================================================

The Federal Trade Commission released a staff report on privacy and the Internet earlier this week, but failed to address many of the current privacy concerns of Internet users. The report stresses "notice, choice, access, and security," but sidesteps major on-line issues such as anonymity, spamming, and the sale of personal data.

The report, "Consumer Privacy on the Global Information Infrastructure," is a summary of a public workshop that was held in June 1996. It was prepared by the staff of the FTC and released without comment by the Commissioners.

Perhaps most striking about the FTC report is its failure to answer the questions set out in the original workshop agenda. By way of example, the first session, "The Use of Consumer Information," set out to determine: "How is personal information currently used by on-line businesses? What do consumers know about the use of consumer information in online marketing and commercial transactions? What kinds of notice and disclosure might be provided to consumers? What choices can or should consumers have in exercising control over uses of personal information? How can the security and accuracy of personal information used online be assured? Are voluntary standards useful in this area?"

The staff report of the FTC provided answers to none of these questions, concluding instead "that workshop participants agreed that privacy is a significant concern in the new online environment." The FTC also chose not to explore "unfair or deceptive trade practices" in the marketing industry, a central responsibility set out in the Commission's charter.

The report of the FTC may be viewed at:

     http://www.ftc.gov/bcp/conline/pubs/privacy/privacy1.htm

EPIC's December 1995 letter to the FTC, urging the Commission to "investigate the misuse of personal information by the direct marketing industry and to begin a serious and substantive inquiry into the development of appropriate privacy safeguards for consumers in the information age," is at:

     http://www.epic.org/privacy/internet/ftc/ftc_letter.html

A letter from the Senate Commerce Committee urging the FTC to investigate the Lexis-Nexis P-TRAK fiasco and other "violations of consumer privacy" is at:

     http://www.epic.org/privacy/databases/ftc_databases.html

=======================================================================
[7] HHS Seeks Comments on Medical Privacy
=======================================================================

The Department of Health and Human Services is seeking public comments on medical privacy at a meeting that will take place on January 13-14 in Arlington, Virginia. Interested parties are encouraged to participate. From the agency's notice:

     Under the administrative simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191, section 264) the Secretary of Health and Human Services is required to submit a report to the Congress containing detailed recommendations on standards with respect to the privacy of individually identifiable health information. The report is due in August 1997. The Secretary is required to consult the National Committee on Vital and Health Statistics in preparing these recommendations. As part of the consultation process the Committee will submit recommendations to the Secretary in the Spring of 1997.

     The Committee is holding hearings in the course of developing its recommendations. The purpose of the hearings is to explore in detail the options, choices, and trade-offs that must be a part of any health privacy legislation.
     To the greatest extent possible, the discussion will focus on specific alternatives that have been identified in legislative proposals, on the consequences for patients and institutions of new rules for use and disclosure of health data, and on how legislation will operate in the real world. Issues will cover the full range of fair information practices, patient rights, limitations on use and disclosure of identifiable information, health identification numbers, preemption of state laws, and privacy-enhancing technology.

     Specifically, comment will be sought on policies for the use and disclosure of individually-identifiable health information from the following types of entities and with respect to the following subject areas:

     A. Public Health Agencies and Health Researchers.
     B. Health System Oversight Activities (Public and Private) and Law Enforcement.
     C. Health Care Providers; Claims Processors and other Intermediaries.
     D. Insurers and Employers; Pharmaceutical Industry.
     E. Federal Agencies; Social Welfare Agencies; Technology.
     F. Privacy and Patient Interest Groups.

     The Committee is inviting specific witnesses to address these issues. Members of the public who wish to provide comments may do so in the form of written statements, to be received by the completion of the last meeting, addressed as follows: NCVHS Subcommittee on Privacy and Confidentiality, c/o Division of Data Policy, Office of the Assistant Secretary for Planning and Evaluation, U.S. Department of Health and Human Services, 440D Humphrey Building, 200 Independence Avenue, S.W., Washington, DC 20201 (for delivery services, the address is 200 Independence Ave., SW).

     Substantive program information as well as a roster of committee members may be obtained from John P. Fanning, Office of the Assistant Secretary for Planning and Evaluation, DHHS, Room 440D Humphrey Building, 200 Independence Avenue S.W., Washington, D.C. 20201, telephone (202) 690-7100, e-mail jfanning@osaspe.dhhs.gov; or Marjorie S. Greenberg, Acting Executive Secretary, NCVHS, NCHS, CDC, Room 1100, Presidential Building, 6525 Belcrest Road, Hyattsville, Maryland 20782, telephone (301) 436-7050.

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

1997 RSA Data Security Conference. January 28-31, 1997. San Francisco, CA. Contact: http://www.rsa.com

Shaping the Future: Law, Electronic Commerce and the [Superhigh]way Ahead. February 1, 1997. San Francisco, California. Sponsored by Hastings Communications and Entertainment Law Journal, Hewlett-Packard, and Wilson Sonsini Goodrich & Rosati. Contact: Curtis Rau

Financial Cryptography 1997 (FC97). February 24-28, 1997. Anguilla, BWI. Sponsored by the International Association for Cryptologic Research. http://www.cwi.nl/conferences/FC97

DIAC-97: Community Space and CyberSpace - What's the Connection? March 1-2, 1997. Seattle, WA. Sponsored by CPSR. Contact: http://www.scn.org/tech/diac-97/index.html

ACM'97 -- The Next 50 Years of Computing. March 3-5, 1997. San Jose, CA. Sponsored by the Association for Computing Machinery. Contact: http://www.acm.org/acm97

CFP97: Commerce & Community. March 11-14, 1997. Burlingame, California. Sponsored by the Association for Computing Machinery. Contact: cfp97@cfp.org or http://www.cfp.org

Eurosec'97: The Seventh Annual Forum on Information Systems Quality and Security. March 17-19, 1997. Paris, France. Sponsored by XP Conseil. Contact: http://ourworld.compuserve.com/homepages/eurosec/

CYBER://CON.97: Rules for Cyberspace? Governance, Standards and Control. June 4-7, 1997. Chicago, Illinois. Sponsored by the John Marshall Law School. Contact: cyber97@jmls.edu

Ethics in the Computer Society: The Second Annual Ethics and Technology Conference. June 6-7, 1997. Chicago, Ill. Sponsored by Loyola University Chicago. http://www.math.luc.edu/ethics97

INET 97 -- The Internet: The Global Frontiers. June 24-27, 1997. Kuala Lumpur, Malaysia. Sponsored by the Internet Society. Contact: inet97@isoc.org or http://www.isoc.org/inet97

Privacy Laws & Business 10th Anniversary Conference. July 1-3, 1997. St. John's College, Cambridge, England. Contact: info@privacylaws.co.uk

AST3: Cryptography and Privacy. September 15, 1997. Brussels, Belgium. Sponsored by Privacy International and EPIC. Contact: pi@privacy.org

19th Annual International Privacy and Data Protection Conference. September 17-18, 1997. Brussels, Belgium. Sponsored by the Belgian Data Protection Commission.

International Conference on Privacy. September 23-26, 1997. Montreal, Canada. Sponsored by the Commission d'Acces a l'information du Quebec.

(Send calendar submissions to alert@epic.org)

=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or use the subscription form at:

     http://www.epic.org/alert/subscribe.html

Back issues are available via http://www.epic.org/alert/

=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, email info@epic.org, see HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Individuals with First Virtual accounts can donate at:

     http://www.epic.org/epic/support.html

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy, and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan. Thank you for your support.

---------------------- END EPIC Alert 4.01 -----------------------