   ==============================================================

     @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
     @     @  @   @   @        @ @   @     @     @  @    @
     @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
     @     @      @   @       @   @  @     @     @  @    @
     @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @  @    @

   ==============================================================
   Volume 4.13                                September 26, 1997
   --------------------------------------------------------------

                           Published by the
             Electronic Privacy Information Center (EPIC)
                           Washington, D.C.

                         http://www.epic.org/

=======================================================================
Table of Contents
=======================================================================

[1] House Committee Rejects Domestic Crypto Ban
[2] HHS Releases Medical Privacy Recommendations
[3] Employment Eligibility Pilot Programs Begin
[4] White House Commission Urges Scrutiny of Private Employees
[5] ID Cards to Cost $10 Billion
[6] Imagine: FBI Finally Releases John Lennon Files
[7] New Bills in Congress
[8] Upcoming Conferences and Events

=======================================================================
[1] House Committee Rejects Domestic Crypto Ban
=======================================================================

The House Commerce Committee has rejected an FBI-backed proposal to
impose the first-ever domestic controls on encryption. In a 35-16 vote
on September 24, the committee defeated an amendment to the SAFE crypto
bill offered by Reps. Michael Oxley (R-OH) and Thomas Manton (D-NY)
that would have banned the domestic manufacture and sale of encryption
products that do not provide law enforcement agencies easy access to
encrypted information. Speaking in opposition to the amendment, many
committee members cited the unprecedented assault on privacy and civil
liberties that would result if the FBI proposal was adopted.

While surviving the draconian Oxley-Manton amendment, the SAFE bill,
originally introduced by Rep. Bob Goodlatte (R-VA) to relax U.S.
export controls on encryption products, did not emerge from the
Commerce Committee unscathed. The committee adopted an amendment
offered by Reps. Ed Markey (D-MA) and Rick White (R-WA) that would
create a new National Electronic Technologies (NET) Center within the
Justice Department. The NET Center would engage in research and
"examine encryption techniques and methods to facilitate the ability of
law enforcement to gain efficient access to plaintext of communications
and electronic information." The NET Center would be authorized to seek
the assistance of "any department or agency of the Federal Government"
in support of its mission, thereby providing explicit statutory
authority for National Security Agency involvement in domestic law
enforcement activities.

The Markey-White amendment also doubles the penalty for the use of
encryption in furtherance of a felony and provides that "No person
shall be subject to civil or criminal liability for providing access to
the plaintext of encrypted communications or electronic information to
any law enforcement official or authorized government entity, pursuant
to judicial process."

In a letter sent to the Commerce Committee prior to the vote, EPIC
joined with the American Civil Liberties Union, Eagle Forum, Americans
for Tax Reform and other groups in urging members to oppose "any
proposal establishing a legal structure for key recovery even if
temporarily 'voluntary,' any so-called 'compromise' provision drawn
from Oxley-Manton . . . , and any new proposal that would limit the
availability and use of strong encryption."

The fate of the SAFE bill is now uncertain. The original Goodlatte
language has been substantially amended by five House committees, with
contradictory results. Rep. Gerald Solomon (R-NY), chairman of the
House Rules Committee, has indicated that he will not send the
legislation to the House floor unless it contains the Oxley-Manton
domestic controls.
As such, SAFE may no longer be a viable vehicle for the reform of
encryption policy that it was originally intended to promote.

PDF versions of House Commerce Committee documents on the SAFE bill are
available at:

     http://www.house.gov/commerce/full/092497/markup.htm

=======================================================================
[2] HHS Releases Medical Privacy Recommendations
=======================================================================

Health and Human Services (HHS) Secretary Donna Shalala released the
Department's recommendations for a new medical privacy bill on
September 11, calling for legislation that would generally protect all
medical records. In addition, HHS says medical records should not be
used by employers and others for making non-medical decisions; patients
would have the right to sue if their records were disclosed improperly
and criminal and civil penalties could be imposed.

On a number of issues, the guidelines fall short. HHS recommends that
there be no new laws preventing law enforcement access to medical
records, essentially enabling law enforcement and other government
officials to obtain medical records without a court order. In addition,
on the issue of medical research, the guidelines recommend that
personally identifiable records be used for medical research without
the consent of the patient. They also ignore the issue of whether a
single unique identifier such as a Social Security number should be
used to link all medical records in a nationwide network of records.

Importantly, HHS recommends that any new medical privacy law should not
preempt already existing state or federal laws that provide greater
protection. A major bill introduced last year by Sen. Robert Bennett
(R-UT) would have prevented states from providing more protection to
their citizens. Many states have enacted laws giving stronger privacy
protection to records on substance abuse, AIDS and mental health.
Some states, such as Massachusetts, are currently in the process of
enacting comprehensive privacy legislation.

The text of the HHS recommendations and more information on medical
privacy is available at:

     http://www.epic.org/privacy/medical/

=======================================================================
[3] Employment Eligibility Pilot Programs Begin
=======================================================================

The Immigration and Naturalization Service (INS) and the Social
Security Administration (SSA) have announced three pilot programs for
verifying eligibility of employees to work within the United States.
The pilot programs were ordered by the Congress as part of the
Immigration Reform and Immigrant Responsibility Act of 1996 in a
compromise attempt to avoid creation of a national identification
system.

The three programs are the Basic Pilot; the Citizen Attestation Pilot;
and the Machine-Readable Document Pilot. The Basic Pilot requires that
employers verify the employment eligibility of all new employees
through automated verification checks of SSA and INS databases using a
telephone. The Citizen Attestation Pilot only checks the status of new
employees who attest they are not U.S. citizens, but is limited to
states where drivers' licenses are acceptable to the INS -- presumably
those having the SSN on the face of the license. In the Machine
Readable Pilot, the procedures are similar to the Basic Pilot except in
states with machine readable licenses (currently, only Iowa is
eligible).

Each government department is required to assign a pilot program to at
least one agency within the department. In addition, companies that
have been found to violate the Immigration Act can be compelled to join
in the program. The pilot programs will last for four years unless
Congress re-authorizes them.

=======================================================================
[4] White House Commission Urges Scrutiny of Private Employees
=======================================================================

A special Presidential commission will recommend that certain private
sector employees be subjected to in-depth background checks and
polygraph examinations. Speaking before The Bankers Roundtable on
September 11, Robert T. Marsh, Chairman of the President's Commission
on Critical Infrastructure Protection, previewed the "core
recommendations" that will be transmitted to the White House.
Addressing "privacy issues in the employer-employee relationship,"
Marsh said:

     Throughout its year-long effort, the Commission has struggled
     to address the competing interests of security and privacy
     and the trade-offs between these two interests. . . . We are
     going to recommend that the Administration and Congress study
     ways to make some of the tools that the federal government
     uses to perform background checks and issue security
     clearances more readily available to employers within the
     critical infrastructures, at least in filling certain
     sensitive positions within those infrastructures. These
     efforts may afford you, for example, a greater ability to
     inquire into and make use of criminal history information,
     employment histories, and credit history information.
     Amendments should also be made to federal polygraph law to
     include within the scope of current exemptions those who are
     in the business of providing information security services.

The "critical infrastructures," as defined by Executive Order 13010,
include "telecommunications, electrical power systems, gas and oil
storage and transportation, banking and finance, transportation, water
supply systems, emergency services (including medical, police, fire,
and rescue), and continuity of government."

The full text of the Marsh address is available at:

     http://www.pccip.gov/marsh_banker.html

=======================================================================
[5] ID Cards to Cost $10 Billion
=======================================================================

The Social Security Administration announced on September 22 that it
would cost up to $10 billion to re-issue Social Security cards as
tamper-proof identifiers. Congress required the SSA to assess the cost
as part of the 1996 immigration and welfare bills.

The SSA report reviews the history of the SSN from its creation in 1935
through the current day. The report declines to make any policy
recommendations, but recognizes some of the privacy issues raised by
the use of the SSN as a national identifier. An appendix to the report
includes pending legislation that would limit the SSN's use.

The report examines the different technologies for ID cards from basic
plain plastic cards to smart cards, including those that would include
a picture or biometric identifier. It notes that SSA cannot accurately
assess how many actual SSNs are in use -- the agency is only able to
estimate a range between 269 and 327 million. At least 10 million are
estimated to be duplicate numbers.

More information on national identification cards is available at:

     http://www.epic.org/privacy/id_cards/

=======================================================================
[6] Imagine: FBI Finally Releases John Lennon Files
=======================================================================

After resisting disclosure for more than 15 years, the Federal Bureau
of Investigation has released almost all of its secret files on John
Lennon. The documents underscore the sometimes questionable rationale
for FBI surveillance operations and the importance of public oversight
of those activities.

Since being sued under the Freedom of Information Act in 1983, the
Bureau had steadfastly withheld the Lennon files on "national security"
grounds.
Now released, the records document FBI surveillance of the former
Beatle's political activities, under the close supervision of the Nixon
White House. Significantly, none of the disclosed files describe Lennon
as involved in any illegal act.

In December 1995, U.S. District Judge Robert Takasugi directed the FBI
to disclose whether it had "used unlawful activities in connection with
the Lennon investigation." Rather than respond to the questions, the
FBI negotiated a settlement to release the documents.

Ironically, the Lennon files were released as a senior FBI official
told an international privacy conference that "extreme" privacy
concerns have "handcuffed" law enforcement's ability to investigate
criminal activity. FBI Counsel Alan McDonald told the International
Conference on Privacy in Montreal that, "Based on a theory of potential
government abuse, important tools commonly used are to be restricted or
embargoed."

More information on the FBI investigation of John Lennon is available
at:

     http://www.bagism.com/library/fbi-rock-criticism.html

=======================================================================
[7] New Bills in Congress
=======================================================================

HR 2215, Genetic Nondiscrimination in the Workplace Act. Introduced by
Kennedy (D-MA) on July 22. Amends Fair Labor Standards Act to restrict
employers in obtaining, disclosing, and using genetic information.
Referred to the Committee on Education and the Workforce.

HR 2216, Genetic Protection in Insurance Coverage Act. Introduced by
Kennedy (D-MA) on July 22. Limits the disclosure and use of genetic
information by life and disability insurers. Prohibits insurers from
requiring genetic tests, denying coverage, setting rates based on
genetics, using or maintaining genetic info. Referred to the Committee
on Commerce.

HR 2275, Genetic Employment Protection Act of 1997. Introduced by
Lowery (D-NY) on July 25.
Prohibits employers, unions from discriminating on basis of genetic
information. Referred to the Committee on Education and the Workforce.

HR 2368, Data Privacy Act of 1997. Introduced by Tauzin (R-LA) on
July 31. Recommends that businesses create voluntary guidelines to
protect privacy, and stop spamming. Referred to the Committee on
Commerce.

HR 2369, Wireless Privacy Enhancement Act of 1997. Introduced by Tauzin
(R-LA) on July 31. Expands ban and penalties on sale of scanners that
can intercept cellular and digital communications and interception of
communications. Referred to the Committee on Commerce.

HR 2372, Internet Protection Act of 1997. Introduced by White (R-WA) on
July 31. Limits FCC and state ability to regulate Internet. Referred to
the Committee on Commerce.

HR 2404, Stop the Theft of Our Social Security Numbers Act. Introduced
by Filner (D-CA) on September 4. Prohibits IRS mailings that include
SSN unless it is inside sealed envelope. Referred to the Committee on
Ways and Means.

HR 2507, ATM Public Safety and Crime Control Act. Introduced by Nadler
(R-NY). Requires banks to install better surveillance cameras in ATMs.
Referred to the Committee on Banking and Financial Services.

S. 1146, Digital Copyright Clarification and Technology Education Act
of 1997. Introduced by Ashcroft (R-MO). Sets up new rules for copyright
in digital networks. Referred to the Committee on the Judiciary.

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Net Worth, Net Work: Technology and Values for the Digital Age.
October 4-5. University of Cal, Berkeley. Sponsored by CPSR. Contact:
http://www.cpsr.org/dox/home.html

20th National Information Systems Security Conference. October 7-10.
Baltimore, MD. Sponsored by NIST and NSA. Contact:
http://csrc.nist.gov/nissc/

EPIC International Privacy Conference. October 20, 1997.
Georgetown University Law Center, Washington, DC. Sponsored by EPIC.
Contact: shauna@epic.org.

Managing the Privacy Revolution '97. October 21-23, 1997. Washington,
DC. Sponsored by Privacy and American Business. Contact:
http://shell.idt.net/~pab/conf97.html

RSA'98 -- The 1998 RSA Data Security Conference. January 12-16, 1998.
San Francisco, CA. Contact kurt@rsa.com or http://www.rsa.com/conf98/

          (Send calendar submissions to alert@epic.org)

=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. To subscribe, send email to epic-news@epic.org with
the subject: "subscribe" (no quotes) or use the subscription form at:

     http://www.epic.org/alert/subscribe.html

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsored
by the Fund for Constitutional Government, a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights. EPIC publishes the EPIC Alert, pursues Freedom of Information
Act litigation, and conducts policy research. For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
+1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.
Individuals with First Virtual accounts can donate at
http://www.epic.org/epic/support.html

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and funding of the National Wiretap Plan.

Thank you for your support.

   ---------------------- END EPIC Alert 4.13 -----------------------