EPIC logo
       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 4.13	                             September 26, 1997
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] House Committee Rejects Domestic Crypto Ban
[2] HHS Releases Medical Privacy Recommendations
[3] Employment Eligibility Pilot Programs Begin
[4] White House Commission Urges Scrutiny of Private Employees
[5] ID Cards to Cost $10 Billion
[6] Imagine: FBI Finally Releases John Lennon Files
[7] New Bills in Congress
[8] Upcoming Conferences and Events
[1] House Committee Rejects Domestic Crypto Ban
The House Commerce Committee has rejected an FBI-backed proposal to
impose the first-ever domestic controls on encryption.  In a 35-16
vote on September 24, the committee defeated an amendment to the SAFE
crypto bill offered by Reps. Michael Oxley (R-OH) and Thomas Manton
(D-NY) that would have banned the domestic manufacture and sale of
encryption products that do not provide law enforcement agencies easy
access to encrypted information.  Speaking in opposition to the
amendment, many committee members cited the unprecedented assault on
privacy and civil liberties that would result if the FBI proposal was
While surviving the draconian Oxley-Manton amendment, the SAFE bill,
originally introduced by Rep. Bob Goodlatte (R-VA) to relax U.S.
export controls on encryption products, did not emerge from the
Commerce Committee unscathed.  The committee adopted an amendment
offered by Reps. Ed Markey (D-MA) and Rick White (R-WA) that would
create a new National Electronic Technologies (NET) Center within the
Justice Department.  The NET Center would engage in research and
"examine encryption techniques and methods to facilitate the ability
of law enforcement to gain efficient access to plaintext of
communications and electronic information."  The NET Center would be
authorized to seek the assistance of "any department or agency of the
Federal Government" in support of its mission, thereby providing
explicit statutory authority for National Security Agency involvement
in domestic law enforcement activities.  The Markey-White amendment
also doubles the penalty for the use of encryption in furtherance of a
felony and provides that "No person shall be subject to civil or
criminal liability for providing access to the plaintext of encrypted
communications or electronic information to any law enforcement
official or authorized government entity, pursuant to judicial
In a letter sent to the Commerce Committee prior to the vote, EPIC
joined with the American Civil Liberties Union, Eagle Forum, Americans
for Tax Reform and other groups in urging members to oppose "any
proposal establishing a legal structure for key recovery even if
temporarily 'voluntary,' any so-called 'compromise' provision drawn
from Oxley-Manton . . . , and any new proposal that would limit the
availability and use of strong encryption."
The fate of the SAFE bill is now uncertain.  The original Goodlatte
language has been substantially amended by five House committees, with
contradictory results.  Rep. Gerald Solomon (R-NY), chairman of the
House Rules Committee, has indicated that he will not send the
legislation to the House floor unless it contains the Oxley-Manton
domestic controls.  As such, SAFE may no longer be a viable vehicle
for the reform of encryption policy that it was originally intended to
PDF versions of House Commerce Committee documents on the SAFE bill
are available at:
[2] HHS Releases Medical Privacy Recommendations
Health and Human Services (HHS) Secretary Donna Shalala released the
Department's recommendations for a new medical privacy bill on
September 11, calling for legislation that would generally protect all
medical records.  In addition, HHS says medical records should not be
used by employers and others for making non-medical decisions;
patients would have the right to sue if their records were disclosed
improperly and criminal and civil penalties could be imposed.
On a number of issues, the guidelines fall short.  HHS recommends that
there be no new laws preventing law enforcement access to medical
records, essentially enabling law enforcement and other government
officials to obtain medical records without a court order.  In
addition, on the issue of medical research, the guidelines recommend
that personally identifiable records be used for medical research
without the consent of the patient.  They also ignore the issue of
whether a single unique identifier such as a Social Security number
should be used to link all medical records in a nationwide network of
Importantly, HHS recommends that any new medical privacy law should
not preempt already existing state or federal laws that provide
greater protection.  A major bill introduced last year by Sen. Robert
Bennett (R-UT) would have prevented states from providing more
protection to their citizens.  Many states have enacted laws giving
stronger privacy protection to records on substance abuse, AIDS and
mental health.  Some states, such as Massachusetts, are currently in
the process of enacting comprehensive privacy legislation.
The text of the HHS recommendations and more information on medical
privacy is available at:
[3] Employment Eligibility Pilot Programs Begin
The Immigration and Naturalization Service (INS) and the Social
Security Administration (SSA) have announced three pilot programs for
verifying eligibility of employees to work within the United States.
The pilot programs were ordered by the Congress as part of the
Immigration Reform and Immigrant Responsibility Act of 1996 in a
compromise attempt to avoid creation of a national identification
The three programs are the Basic Pilot; the Citizen Attestation Pilot;
and the Machine-Readable Document Pilot.  The Basic Pilot requires
that employers verify the employment eligibility of all new employees
through automated verification checks of SSA and INS databases using a
telephone.  The Citizen Attestation Pilot only checks the status of
new employees who attest they are not U.S. citizens, but is limited to
states where drivers' licenses are acceptable to the INS -- presumably
those having the SSN on the face of the license.  In the Machine
Readable Pilot, the procedures are similar to the Basic Pilot except
in states with machine readable licenses (currently, only Iowa is
Each government department is required to assign a pilot program to at
least one agency within the department.  In addition, companies that
have been found to violate the Immigration Act can be compelled to
join in the program.  The pilot programs will last for four years
unless Congress re-authorizes them.
[4] White House Commission Urges Scrutiny of Private Employees
A special Presidential commission will recommend that certain private
sector employees be subjected to in-depth background checks and
polygraph examinations.  Speaking before The Bankers Roundtable on
September 11, Robert T. Marsh, Chairman of the President's Commission
on Critical Infrastructure Protection, previewed the "core
recommendations" that will be transmitted to the White House.
Addressing "privacy issues in the employer-employee relationship,"
Marsh said:
     Throughout its year-long effort, the Commission has
     struggled to address the competing interests of
     security and privacy and the trade-offs between these
     two interests. . . . We are going to recommend that
     the Administration and Congress study ways to make
     some of the tools that the federal government uses to
     perform background checks and issue security clearances
     more readily available to employers within the critical
     infrastructures, at least in filling certain sensitive
     positions within those infrastructures. These efforts
     may afford you, for example, a greater ability to
     inquire into and make use of criminal history
     information, employment histories, and credit history
     information. Amendments should also be made to federal
     polygraph law to include within the scope of current
     exemptions those who are in the business of providing
     information security services.
The "critical infrastructures," as defined by Executive Order 13010,
include "telecommunications, electrical power systems, gas and oil
storage and transportation, banking and finance, transportation, water
supply systems, emergency services (including medical, police, fire,
and rescue), and continuity of government."
The full text of the Marsh address is available at:
[5] ID Cards to Cost $10 Billion
The Social Security Administration announced on September 22 that it
would cost up to $10 billion to re-issue Social Security cards as
tamper-proof identifiers.
Congress required the SSA to assess the cost as part of the 1996
immigration and welfare bills.  The SSA report reviews the history of
the SSN from its creation in 1935 through the current day.  The report
declines to make any policy recommendations, but recognizes some of
the privacy issues raised by the use of the SSN as a national
identifier.  An appendix to the report includes pending legislation
that would limit the SSN's use.
The report examines the different technologies for ID cards from basic
plain plastic cards to smart cards, including those that would include
a picture or biometric identifier.  It notes that SSA cannot
accurately assess how many actual SSNs are in use -- the agency is
only able to estimate a range between 269 and 327 million.  At least
10 million are estimated to be duplicate numbers.
More information on national identification cards is available at:
[6] Imagine: FBI Finally Releases John Lennon Files
After resisting disclosure for more than 15 years, the Federal Bureau
of Investigation has released almost all of its secret files on John
Lennon.  The documents underscore the sometimes questionable rationale
for FBI surveillance operations and the importance of public oversight
of those activities.
Since being sued under the Freedom of Information Act in 1983, the
Bureau had steadfastly withheld the Lennon files on "national security"
grounds.  Now released, the records document FBI surveillance of the
former Beatle's political activities, under the close supervision of
the Nixon White House.  Significantly, none of the disclosed files
describe Lennon as involved in any illegal act.  In December 1995, U.S.
District Judge Robert Takasugi directed the FBI to disclose whether it
had "used unlawful activities in connection with the Lennon
investigation."  Rather than respond to the questions, the FBI
negotiated a settlement to release the documents.
Ironically, the Lennon files were released as a senior FBI official
told an international privacy conference that "extreme" privacy
concerns have "handcuffed" law enforcement's ability to investigate
criminal activity.  FBI Counsel Alan McDonald told the International
Conference on Privacy in Montreal that, "Based on a theory of potential
government abuse, important tools commonly used are to be restricted or
More information on the FBI investigation of John Lennon is available
[7] New Bills in Congress
HR 2215, Genetic Nondiscrimination in the Workplace Act. Introduced by
Kennedy (D-MA) on July 22.  Amends Fair Labor Standards Act to restrict
employers in obtaining, disclosing, and using of genetic information.
Referred to the Committee on Education and the Workforce.
HR 2216, Genetic Protection in Insurance Coverage Act.  Introduced by
Kennedy (D-MA) on July 22.  Limits the disclosure and use of genetic
information by life and disability insurers.  Prohibits insurers from
requiring genetic tests, denying coverage, setting rates based on
genetics, using or maintain genetic info.  Referred to the Committee on
HR 2275, Genetic Employment Protection Act of 1997.  Introduced by
Lowery (D-NY) on July 25.  Prohibits employers, unions from
discriminating on basis of genetic information.  Referred to the
Committee on Education and the Workforce.
H.R.2368, Data Privacy Act of 1997.  Introduced by Tauzin (R-LA) on
July 31.  Recommends that businesses create voluntary guidelines to
protect privacy, and stop spamming.  Referred to the Committee on
HR 2369, Wireless Privacy Enhancement Act of 1997.  Introduced by
Tauzin (R-LA) on July 31.  Expands ban and penalties on sale of
scanners that can intercept cellular and digital communications and
interception of communications.  Referred to the Committee on Commerce.
HR 2372, Internet Protection Act of 1997.  Introduced by White (R-WA)
on July 31.  Limits FCC and state ability to regulate Internet.
Referred to the Committee on Commerce.
HR 2404, Stop the Theft of Our Social Security Numbers Act.  Introduced
by Filner (D-CA) on September 4.  Prohibits IRS mailings that include
SSN unless it is inside sealed envelope.  Referred to the Committee on
Ways and Means.
HR 2507, ATM Public Safety and Crime Control Act.  Introduced by Nadler
(R-NY).  Requires banks to install better surveillance cameras in ATMs.
Referred to the Committee on Banking and Financial Services.
S. 1146, Digital Copyright Clarification and Technology Education Act
of 1997.  Introduced by Ashcroft (R-MO).  Sets up new rules for
copyright in digital networks.  Referred to the Committee on the
[8] Upcoming Conferences and Events
Net Worth, Net Work: Technology and Values for the Digital Age. October
4-5. University of Cal, Berkeley. Sponsored by CPSR. Contact:
20th National Information Systems Security Conference. October 7-10.
Baltimore, MD. Sponsored by NIST and NSA. Contact:
EPIC International Privacy Conference. October 20,1997. Georgetown
University Law Center, Washington, DC. Sponsored by EPIC. Contact:
Managing the Privacy Revolution '97. October 21-23, 1997. Washington,
DC. Sponsored by Privacy and American Business. Contact:
RSA'98 -- The 1998 RSA Data Security Conference.  January 12-16, 1998.
San Francisco, CA.  Contact kurt@rsa.com or http://www.rsa.com/conf98/
             (Send calendar submissions to alert@epic.org)
The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center.  To subscribe, send email to epic-news@epic.org wih
the subject: "subscribe" (no quotes) or use the subscription form at:
Back issues are available at:
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC is sponsored by the Fund for Constitutional Government, a
non-profit organization established in 1974 to protect civil liberties
and constitutional rights.  EPIC publishes the EPIC Alert, pursues
Freedom of Information Act litigation, and conducts policy research.
For more information, e-mail info@epic.org, http://www.epic.org or
write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC
20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington DC 20003. Individuals with First Virtual
accounts can donate at http://www.epic.org/epic/support.html
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and funding of the National Wiretap Plan.
Thank you for your support.
  ---------------------- END EPIC Alert 4.13 -----------------------

Return to:

Alert Home Page | EPIC Home Page