          @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
          @     @  @   @   @        @ @   @     @     @  @    @
          @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
          @     @      @   @       @   @  @     @     @  @    @
          @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
      Volume 4.01                                  January 10, 1997
                               Published by the
                 Electronic Privacy Information Center (EPIC)
                               Washington, D.C.
   Table of Contents
   [1] Crypto in the Courts
   [2] Final Export Regulations Released
   [3] New Online Privacy Bill Introduced in Congress
   [4] WIPO Treaties Adopted: Privacy Issues Remain
   [5] Federal Reserve Launches Privacy Study
   [6] Federal Trade Commission Sidesteps Privacy Concerns
   [7] HHS Seeks Comments on Medical Privacy
   [8] Upcoming Conferences and Events
   [1] Crypto in the Courts
   The legal assault on crypto restrictions continues.  Oral arguments in
   Karn v. Department of State will be held tomorrow morning (Friday,
   January 10) before the U.S. Court of Appeals for the District of
   Columbia Circuit.  The case is a constitutional challenge to U.S.
   controls on the export of encryption technology.  Software engineer
   Philip Karn unsuccessfully sought an export license for a diskette
   containing the source code that appears in the book "Applied
   Cryptography" by Bruce Schneier.  Karn's request was denied despite
   the fact that the book itself may be freely exported.
   One of the issues likely to be addressed at the hearing is the effect
   of new encryption export regulations recently promulgated by the
   Clinton Administration.  Among other things, the new regulations
   transfer licensing authority from the State Department (which denied
   the Karn application) to the Commerce Department.
   EPIC is participating in the case as amicus curiae in support of Karn.
   A copy of the brief, which was joined by the American Civil Liberties
   Union, the Internet Society and the U.S. Public Policy Committee for
   the Association for Computing, can be found at:
   The Karn hearing comes in the wake of a favorable decision in a
   related case in California.  In Bernstein v. Department of State, U.S.
   District Judge Marilyn Patel ruled last month that government
   regulations barring the export of encryption software are a "paradigm
   of standardless discretion" and constitute an unconstitutional
   violation of free speech. The effect of the new regulations on the
   Bernstein case is likely to be addressed by the court soon.
   Additional information on both the Karn and Bernstein cases can be
   found at:
   [2]  Final Crypto Export Regulations Released
   The White House on December 30 issued revised regulations on the
   export of cryptography.  The regulations are substantially similar to
   a previous draft released in November (see EPIC Alert 3.20) and went
   into effect immediately. The regulations seek to promote the creation of
   key escrow and key recovery products by means of an elaborate
   licensing scheme that will effectively prohibit the availability of
   strong encryption for Internet users and businesses.
   One change from the draft regulations is that restrictions on exports
   of printed books were removed. The regulations now state that printed
   material is not subject to export review. They also state that "the
   Administration continues to review whether and to what extent scanable
   encryption source or object code in printed form should be subject to
   the EAR and reserves the right to impose controls on such software for
   national security and foreign policy reasons."
   The Department of Commerce will receive comments until February 13
   although the Department states that it is not required to follow
   standard administrative procedures for the consideration of public
   More information about export controls and a copy of the new
   regulations is available at:
   [3] New Online Privacy Bill Introduced in Congress
   One of the first bills introduced in the 105th Congress seeks to
   establish privacy safeguards for Internet users. The Consumer Internet
   Privacy Protection Act of 1997 (H.R. 98) introduced by Rep. Bruce
   Vento (D-MN) would create enforceable privacy rights for users of
   on-line services. The new bill requires that an "interactive computer
   service" obtain consent from a subscriber before disclosing personally
   identifiable information to a third party. The subscriber may also
   obtain the identity of third parties that obtain personal information.
   A service must also allow the subscriber access to personally
   identifiable information held by the service and allow the subscriber
   to verify and correct information.
   The Federal Trade Commission is given the authority to examine and
   investigate providers and to issue cease and desist orders for
   violations. The bill also allows individuals to seek civil relief in
   court for violations of the Act.
   Congressman Vento described the bill as "a common sense approach . . .
   to ensure that citizens of our nation are able to benefit and retain a
   voice in the use of this technology without involuntarily sacrificing
   their personal privacy."
   The Consumer Internet Privacy Protection Act is available at:
   [4] WIPO Treaties Adopted: Privacy Issues Remain
   The World Intellectual Property Organization adopted the "WIPO
   Copyright Treaty" and the "WIPO Performances and Phonograms Treaty" in
   late December after two weeks of international negotiation in Geneva.
   Both must be ratified by the U.S. Senate before the U.S. can sign the
   treaties. Discussion over the more controversial "Database Treaty" was
   postponed until a later date.
   Many of the more controversial provisions of the draft Copyright
   Treaty were eliminated from the final text.  There is no explicit
   right to control browsing or to confer a property right on transient
   copies.  Also, diplomatic consensus was reached in favor of the
   extension of traditional exemptions, including fair use, into the
   digital environment.
   Still troubling are the privacy implications of Article 12 of the
   Copyright treaty, the copyright-management provisions, in which the
   "Contracting Parties shall provide adequate and effective legal
   remedies" against individuals who knowingly violate or enable others
   to violate copyright protection systems.  National legislation must be
   adopted to determine how copyright holders will monitor for such
   infractions and who will be held liable.
   More information on the WIPO treaty proposals and the National
   Information Infrastructure legislation introduced in the 105th
   Congress can be found at:
   [5]  Federal Reserve Launches Privacy Study
   The Federal Reserve Board has initiated a study to determine the
   public availability of "sensitive identifying information" about
   consumers (such as Social Security numbers, mothers' maiden names,
   prior addresses, and dates of birth), and to examine the possibility
   that such information could be used for financial fraud.  The study is
   being launched pursuant to a congressional directive, and in response
   to the public outcry over the Lexis-Nexis P-TRAK service, which made
   personal identifying information readily available.  The P-TRAK
   offerings were revised after EPIC directed media attention to the
   service last June.
   In a thinly veiled reference to P-TRAK, the Board's notice refers to
   "a widely-publicized incident in which a large database service
   offered personal information for sale -- including  individuals'
   social security numbers -- from one of its electronic databases."
   Echoing concerns raised by EPIC and other privacy advocates, the Board
   recognizes the risks of "identity theft," noting that criminals can
   easily obtain identifying information and then "request and receive
   credit or negotiate checks in the consumer's name, with devastating
   results for the consumer."
   One of the Board's principal areas of inquiry will be to determine
   whether there are organizations "engaged in the business of making
   sensitive consumer identification information ... available to the
   general public." The Board is soliciting public comments, which must
   be submitted no later than January 31.  By March 31, the Board must
   report the results of the study to Congress, including any suggestions
   for legislative change.
   The notice and request for comments is available at:
   [6] Federal Trade Commission Sidesteps Privacy Concerns
   The Federal Trade Commission released a staff report on privacy and
   the Internet earlier this week, but failed to address many of the
   current privacy concerns of Internet users. The report stresses
   "notice, choice, access, and security," but sidesteps major on-line
   issues, such as anonymity, spamming, and the sale of personal data.
   The report "Consumer Privacy on the Global Information Infrastructure"
   is a summary of a public workshop that was held in June 1996. It was
   prepared by the staff of the FTC and released without comment by the
   Perhaps most striking about the FTC report is its failure to answer
   the questions set out in the original workshop agenda.  By way of
   example, the first session "The Use of Consumer Information" set out
   to determine "How is personal information currently used by on-line
   businesses? What do consumers know about the use of consumer
   information in online marketing and commercial transactions? What
   kinds of notice and disclosure might be provided to consumers? What
   choices can or should consumers have in exercising control over uses
   of personal information? How can the security and accuracy of personal
   information used online be assured? Are voluntary standards useful in
   this area?"
   The staff report of the FTC provided answers to none of these
   questions, concluding instead "that workshop participants agreed that
   privacy is a significant concern in the new online environment."  The
   FTC chose also not to explore "unfair or deceptive trade practices" in
   the marketing industry, a central responsibility set out in the
   Commission's charter.
   The report of the FTC may be viewed at:
   EPIC's December 1995 letter to the FTC, urging the Commission to
   "investigate the misuse of personal information by the direct
   marketing industry and to begin a serious and substantive inquiry into
   the development of appropriate privacy safeguards for consumers in the
   information age" is at:
   A letter from the Senate Commerce Committee urging the FTC to
   investigate the Lexis/Nexis P-Trak fiasco and other "violations of
   consumer privacy" is at:
   [7]  HHS Seeks Comments on Medical Privacy
   The Department of Health and Human Services is seeking public comments
   on medical privacy at a meeting that will take place on January 13-14
   in Arlington, Virginia. Interested parties are encouraged to
   participate. From the agency's notice:
       Under the administrative simplification subtitle of the Health
   Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191,
   section 264) the Secretary of Health and Human Services is required to
   submit a report to the Congress containing detailed recommendations on
   standards with respect to the privacy of individually identifiable
   health information. The report is due in August 1997.
       The Secretary is required to consult the National Committee on
   Vital and Health Statistics in preparing these recommendations. As
   part of the consultation process the Committee will submit
   recommendations to the Secretary in the Spring of 1997. The Committee
   is holding hearings in the course of developing its recommendations.
       The purpose of the hearings is to explore in detail the options,
   choices, and trade-offs that must be a part of any health privacy
   legislation. To the greatest extent possible, the discussion will
   focus on specific alternatives that have been identified in
   legislative proposals, on the consequences for patients and
   institutions of new rules for use and disclosure of health data, and
   on how legislation will operate in the real world. Issues will cover
   the full range of fair information practices, patient rights,
   limitations on use and disclosure of identifiable information, health
   identification number, preemption of state laws, and privacy-enhancing
       Specifically, comment will be sought on policies for the use and
   disclosure of individually-identifiable health information from the
   following types of entities and with respect to the following subject
       A. Public Health Agencies and Health Researchers.
       B. Health System Oversight Activities (Public and Private) and Law
       C. Health Care Providers; Claims Processors and other
       D. Insurers and Employers; Pharmaceutical Industry.
       E. Federal Agencies; Social Welfare Agencies; Technology.
       F. Privacy and Patient Interest Groups.
       The Committee is inviting specific witnesses to address these
       Members of the public who wish to provide comments may do so in
   the form of written statements, to be received by the completion of
   the last meeting, addressed as follows: NCVHS Subcommittee on Privacy
   and Confidentiality, c/o Division of Data Policy, Office of the
   Assistant Secretary for Planning and Evaluation, U.S. Department of
   Health and Human Services, 440D Humphrey Building, 200 Independence
   Avenue, S.W., Washington, DC 20201, (for delivery services, address is
   200 Independence Ave., SW)
   Substantive program information as well as roster of committee members
   may be obtained from John P. Fanning, Office of the Assistant
   Secretary for Planning and Evaluation, DHHS, Room 440D Humphrey
   Building, 200 Independence Avenue S.W., Washington, D.C. 20201,
   telephone (202) 690-7100, e-mail jfanning@osaspe.dhhs.gov; or Marjorie
   S. Greenberg, Acting Executive Secretary, NCVHS, NCHS, CDC, Room 1100,
   Presidential Building, 6525 Belcrest Road, Hyattsville, Maryland
   20782, telephone (301) 436-7050.
   [8] Upcoming Conferences and Events
   1997 RSA Data Security Conference. January 28-31, 1997. San Francisco,
   CA. Contact: http://www.rsa.com
   Shaping the Future: Law, Electronic Commerce and the [Superhigh]way
   Ahead. February 1, 1997. San Francisco, California. Sponsored by
   Hastings Communications and Entertainment Law Journal,
   Hewlett-Packard, and Wilson Sonsini Goodrich & Rosati. Contact: Curtis
   Financial Cryptography 1997 (FC97). February 24-28, 1997. Anguilla,
   BWI. Sponsored by the International Association for Cryptologic
   Research. http://www.cwi.nl/conferences/FC97
   DIAC- Community Space and CyberSpace- What's the Connection? March
   1-2, 1997. Seattle, WA. Sponsored by CPSR. Contact:
   ACM'97 -- The Next 50 Years of Computing.  March 3-5, 1997, San Jose,
   CA. Sponsored by the Association for Computing. Contact:
   CFP97: Commerce & Community. March 11-14, 1997. Burlingame,
   California. Sponsored by the Association for Computing Machinery.
   Contact: cfp97@cfp.org or http://www.cfp.org
   Eurosec'97: the Seventh Annual Forum on Information Systems Quality
   and Security. March 17-19, 1997. Paris, France. Sponsored by XP
   Conseil. Contact: http://ourworld.compuserve.com/homepages/eurosec/
   CYBER://CON.97: Rules for Cyberspace?: Governance, Standards and
   Control. June 4-7, 1997. Chicago, Illinois. Sponsored by the John
   Marshall Law School. Contact: cyber97@jmls.edu.
   Ethics in the Computer Society: The Second Annual Ethics and
   Technology Conference. June 6-7, 1997. Chicago, Ill. Sponsored by
   Loyola University Chicago.  http://www.math.luc.edu/ethics97
   INET 97 -- The Internet: The Global Frontiers. June 24-27, 1997. Kuala
   Lumpur, Malaysia. Sponsored by the Internet Society. Contact:
   inet97@isoc.org or http://www.isoc.org/inet97
   Privacy Laws & Business 10th Anniversary Conference. July 1-3, 1997.
   St. John's College, Cambridge, England. Contact:
   AST3: Cryptography and Privacy. September 15, 1997. Brussels, Belgium.
   Sponsored by Privacy International and EPIC. Contact: pi@privacy.org.
   19th Annual International Privacy and Data Protection Conference. Sept
   17-18, 1997. Brussels, Belgium. Sponsored by Belgium Data Protection
   International Conference on Privacy. September 23-26, 1997. Montreal,
   Canada. Sponsored by the Commission d'Acces a l'information du Quebec.
               (Send calendar submissions to alert@epic.org)
   The EPIC Alert is a free biweekly publication of the Electronic
   Privacy Information Center. To subscribe, send email to
   epic-news@epic.org with the subject: "subscribe" (no quotes)
   or use the subscription form at:
   Back issues are available via http://www.epic.org/alert/
   The Electronic Privacy Information Center is a public interest
   research center in Washington, DC. It was established in 1994 to focus
   public attention on emerging privacy issues such as the Clipper Chip,
   the Digital Telephony proposal, national id cards, medical record
   privacy, and the collection and sale of personal information. EPIC is
   sponsored by the Fund for Constitutional Government, a non-profit
   organization established in 1974 to protect civil liberties and
   constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom
   of Information Act litigation, and conducts policy research. For more
   information, email info@epic.org, HTTP://www.epic.org or write EPIC,
   666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544
   9240 (tel), +1 202 547 5482 (fax).
   If you'd like to support the work of the Electronic Privacy
   Information Center, contributions are welcome and fully
   tax-deductible. Checks should be made out to "The Fund for
   Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
   SE, Suite 301, Washington DC 20003. Individuals with First Virtual
   accounts can donate at http://www.epic.org/epic/support.html
   Your contributions will help support Freedom of Information Act and
   First Amendment litigation, strong and effective advocacy for the
   right of privacy and efforts to oppose government regulation of
   encryption and funding of the National Wiretap Plan.
   Thank you for your support.
    ---------------------- END EPIC Alert 4.01 -----------------------
