       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 5.16	                                November 10, 1998
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents

[1] ACTION: Comment on U.S. Privacy Policy
[2] Congress Approves Identity Theft Legislation
[3] Appeals Court Limits Copyright of Legal Documents
[4] Encryption Policy Update
[5] Final Actions in 105th Congress
[6] Nominations Sought for PEN First Amendment Award
[7] Updated and Expanded EPIC Bookstore
[8] Upcoming Conferences and Events

[1] ACTION: Comment on U.S. Privacy Policy

The Department of Commerce has posted a draft policy on privacy.  The
policy proposes the establishment of a "Safe Harbor" regime that would
allow U.S. firms to self-certify compliance with principles
established by the Commerce Department.  The proposal is intended to
address European concerns that privacy protection in the United States
is not "adequate."  But the plan falls short of standard fair
information practices and leaves open the question of when actual
privacy safeguards will be adopted in the United States.
While it remains unclear whether the Commerce Department is genuinely
interested in the views of the American public -- the draft is
addressed to "Industry Representatives" -- EPIC is urging individuals
concerned about privacy to submit comments to the Department.  We
believe that the position espoused by the U.S. government on privacy
issues should reflect more than the trade concerns of U.S. companies.
Here are the points that EPIC will emphasize to the Department of
 - The Safe Harbor proposal falls short of the 1980 OECD Privacy
   Principles that the United States endorsed almost twenty years
   ago and recently pledged to continue to support.
 - The Safe Harbor principles undermine key elements of data
   protection.  "Consent" is redefined as "choice."  There is no
   reference to "use limitation" or "purpose specification," even
   though both principles are found in the 1980 OECD Privacy
 - There is no real means of enforcement for the Safe Harbor
   Principles.  Enforcement by self-regulation has not worked.
   For example, Geocities received a certification from Truste
   even while under investigation for violating the privacy of
   its users.
 - The Safe Harbor principles discriminate against small and
   medium sized companies operating on the Internet that may not
   be able to self-certify.
 - The Safe Harbor principles do not address the need to fix U.S.
   policies on encryption and other privacy enhancing technologies.
 - The U.S. still lacks privacy protection in critical areas, such
   as medical records, and the American public supports
   legislation to protect privacy online.
 - The Safe Harbor principles do not address the need to create a
   permanent privacy agency to represent the interests on privacy
Comments are due by November 19.
The text of the Department of Commerce letter on "Safe Harbor" is
available at:
Submit comments ("U.S. Privacy Policy") to Eric Fredell, Task Force on
Electronic Commerce, International Trade Administration, Department of
Commerce, 14th and Constitution Ave., Washington, DC 20230 or by email
to ecommerce@ita.doc.gov.

[2] Congress Approves Identity Theft Legislation

In the last days of the legislative session, Congress approved a new
law providing limited legal protections against identity theft.
Support for the Identity Theft and Assumption Deterrence Act of 1998
(H.R. 4151) was led by Rep. John Shadegg (R-AZ).
The law imposes criminal penalties on any person who "knowingly
transfers or uses, without lawful authority, a means of identification
of another person with the intent to commit, or to aid or abet, any
unlawful activity that constitutes a violation of Federal law, or that
constitutes a felony under any applicable State or local law."  The law
penalizes persons who assume others' identities and use them to obtain
car loans, credit cards and other financial obligations.  Violators can
be imprisoned for up to three years and fined a maximum of $250,000.
The bill also directs the Federal Trade Commission to establish a
clearinghouse for receiving complaints about identity theft and
providing information and referrals to identity theft victims.  Efforts
to place limits on the dissemination of personal information that makes
identity theft possible were strongly opposed by businesses and were
not included in the bill.
President Clinton signed the bill into law on October 30.  At the
signing ceremony, Clinton said, "As we enter the Information Age, it is
critical that our newest technologies support our oldest values."

[3] Appeals Court Limits Copyright of Legal Documents

In two cases decided on November 3, the U.S. Court of Appeals for the
2nd Circuit limited the ability of legal publisher West Publishing to
copyright legal decisions.  In the first case, the court ruled that
West does not obtain copyrights to the text of judicial decisions when
it makes minor grammatical and formatting changes to them.  In the
second case, the court ruled that page numbers in West's law books are
not protected by copyright law.
The court ruled in Matthew Bender v. West Publishing that minor
editorial changes made by West are not sufficiently original to warrant
additional legal protection:
     All of West's alterations to judicial opinions involve the
     addition and arrangement of facts, or the rearrangement of data
     already included in the opinions, and therefore any creativity
     in these elements of West's case reports lies in West's selection
     and arrangement of this information.  In light of accepted legal
     conventions and other external constraining factors, West's
     choices on selection and arrangement can reasonably be viewed as
     obvious, typical, and lacking even minimal creativity.
In the second case, the court ruled that CD-ROM publishers could
include in the text of decisions the page numbers used by West in its
printed volumes.  This is important since West holds a de facto
monopoly over printed legal decisions and competing publishers need to
refer to West page numbers to ensure that courts and attorneys can
locate cited cases.
The case may have important implications when the 106th Congress
convenes next year.  Several members of the Senate have announced plans
to seek adoption of a bill to provide legal protections for databases
of non-copyrighted facts. 
Additional information is available at:

[4] Encryption Policy Update

- The Finnish government announced a new encryption policy on November
9.  It calls for no domestic restrictions on the development and use
of encryption products and relaxed policies on exports: "Finland
supports free trade and use of cryptographic products.  In Finland,
the use of strong encryption should not be restricted by legislation
or international agreements ... Finland's aims are to examine the
restrictions on cryptographic products so that control lists
correspond to technical development, and to ensure that the necessary
restrictions will not unreasonably impede normal foreign trade of
industry and businesses."
The text of the Finnish policy is available at:
- The 6th Circuit U.S. Court of Appeals has indicated that it will
delay consideration of a closely followed encryption case. The court 
will delay proceedings in Junger v. Daley for at least 45 days, possibly
anticipating that the 9th Circuit will soon announce a ruling in the
Bernstein case, which raises similar issues.  On July 7, Judge James
Gwin of the U.S. District Court for the Northern District of Ohio ruled
that law professor Peter Junger cannot challenge encryption export
restrictions on the ground that they abridge his right to free speech
on the Internet.  In his decision, Judge Gwin stated that "...
exporting source code is conduct that can occasionally have
communicative elements. Nevertheless, merely because conduct is
occasionally expressive does not necessarily extend First Amendment
protection to it."  Professor Junger appealed that decision to the 6th
- The Bureau of Export Administration (BXA) has approved Private
Doorbell, a product proposal presented by a coalition of 10 U.S.
technology companies led by Cisco Systems, Inc.  The system consists
of secure routers which would allow interception of plaintext before
the router encrypts the communication.  The system doesn't account for
end-to-end encryption systems; if internet users encrypt e-mail at
their PCs, the system does not help law enforcement recover the
plaintext of the message.
Additional information on encryption policy is available at:

[5] Final Actions in 105th Congress

The following measures were enacted in the closing days of the 105th
Digital Millennium Copyright Act (Public Law 105-304). Expands
copyrights for electronic media.  Criminalizes possession and use of
tools that remove copyright protection.  Limited exceptions for privacy
protection, security and encryption research.  Does not include
provisions providing legal protections for databases.
Consumer Reporting Employment Clarification Act of 1998 (Public Law
105-347).  Amends Fair Credit Report Act to allow oral consent for
employers in trucking industry to obtain credit report. Expands
exemptions of FCRA in use for national security investigations.
The Omnibus Consolidated and Emergency Supplemental Appropriations Act,
1999 (H.R. 4328).  Included the Child Online Protection Act (see EPIC
Alert 5.15) and the following provisions:
Children's Online Privacy Protection Act (Title XIII).  Limits
collection and dissemination of personal information about children
under the age of 13.  Allows access by parents to information collected.
Gives Federal Trade Commission and states enforcement power.
Identity Cards (Sec. 362).  Prohibits Department of Transportation from
spending money in the current fiscal year to issue final standards on
DOT's national ID card proposal.
Government Paperwork Elimination Act (Title XVII).  Requires agencies
to disclose electronic records instead of physical records and use and
accept digital signatures within five years. Requires OMB and NTIA to
conduct study of digital signatures.
Drug Free Workplace Act of 1998 (Title IX).  Encourages small
businesses to test for drug use.  Creates pilot program with
incentives.  Requires privacy protections for drug testing program.
Prison guard privacy (Sec. 127).  Prohibits disclosure of financial or
personal information of a person employed by a state or federal prison
without a court order or consent.
The text of all laws enacted in the 105th Congress is available at:

[6] Nominations Sought for PEN First Amendment Award

Nominations are encouraged for the PEN/Newman's Own First Amendment
Award.  The award, $25,000 and a limited-edition artwork, is presented
each spring to a U.S. resident who has fought courageously, despite
adversity, to safeguard the First Amendment right to freedom of
expression as it applies to the written word.
Previous winners have included a journalist, playwright, bookstore
owner and school teachers.
The judges for last year's award were PEN members Bette Bao Lord, Kurt
Vonnegut and Sean Wilentz and First Amendment experts Joan E. Bertin
and Leon Friedman.
For further information and an application form, please write: Elham
Kalantar, PEN/Newman's Own First Amendment Award, PEN American Center,
568 Broadway, Suite 401, New York, NY  10012
Deadline for application: December 31, 1998
Additional information, including the application form, is available
Information on Internet censorship is available at the Internet Free
Expression Alliance website:

[7] Updated and Expanded EPIC Bookstore

EPIC is pleased to announce its newly updated and expanded online
bookstore.  This month, the following books are among those featured at
the site:
The Shadow University: The Betrayal of Liberty on America's Campuses by
Alan Charles Kors and Harvey A. Silverglate (Free Press, 320 pages,
     The authors "deliver the unexpected. Refreshingly, they
     seem to believe that even if professors teach what they
     wish, Western civilization will survive.... The abuses
     they describe need fixing, and this cogent book should
     help."  - The New York Times Book Review
Secrecy: The American Experience by Daniel Patrick Moynihan, Richard
Gid Powers (Introduction) (Hardcover, 320 pages, Yale University Press,
     A Senator and historian looks at the history of secrecy
     in America and weighs its costs for democratic government,
     national security, and agency accountability. His conclusion:
     more secrecy not less is the key to protecting the nation.
The Privacy Law Sourcebook: United States Law, International Law, and
Recent Developments. Marc Rotenberg, Editor (EPIC 1998).
     The Privacy Law Sourcebook is the first one-volume resource
     for students, attorneys, researchers and journalists who need
     a comprehensive collection of both US and International privacy
     law, as well as a fully up-to-date section on recent developments.
     Includes the full texts of most major privacy laws and directives
     including the FCRA, the Privacy Act, FOIA, Family Educational
     Rights Act, Right to Financial Privacy Act, Privacy Protection
     Act, Cable Communications Policy Act, ECPA, Video Privacy
     Protection Act, OECD Privacy Guidelines, OECD Cryptography
     Guidelines, European Union Directives for both Data Protection
     and Telecommunications, and more.
Order these and other titles at the EPIC Bookstore:

[8] Upcoming Conferences and Events

PDC 98 - the Participatory Design Conference, "Broadening
Participation." November 12-14. Seattle, WA.  Sponsored by Computer
Professionals for Social Responsibility in cooperation with ACM and
CSCW 98. Contact: http://www.cpsr.org/conferences/pdc98
Data Privacy in the Global Age.  November 13.  Milwaukee, WI.
Sponsored by ACLU of Wisconsin Data Privacy Project. Contact: Carole
Doeppers <acluwicmd@aol.com>.
Computer Ethics. Philosophical Enquiry 98 (CEPE'98). December 14-15.
London, UK. Sponsored by ACM SIGCAS and London School of Economics.
1999 RSA Data Security Conference. January 18-21, 1999. San Jose, CA.
Sponsored by RSA. Contact: http://www.rsa.com/conf99/
FC '99 Third Annual Conference on Financial Cryptography. February
22-25, 1999. Anguilla, B.W.I. Contact: http://fc99.ai.
Computers, Freedom and Privacy (CFP) '99. April 6-8, 1999. Washington,
DC. Sponsored by ACM. Contact: info@cfp99.org.
1999 EPIC Cryptography and Privacy Conference. June 7, 1999.
Washington, DC. Sponsored by EPIC. Contact: info@epic.org.

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center.  To subscribe or unsubscribe, send email
to epic-news@epic.org with the subject: "subscribe" (no quotes) or
"unsubscribe". A Web-based form is available at:
Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC is sponsored by the Fund for Constitutional Government, a
non-profit organization established in 1974 to protect civil liberties
and constitutional rights.  EPIC publishes the EPIC Alert, pursues
Freedom of Information Act litigation, and conducts policy research.
For more information, e-mail info@epic.org, http://www.epic.org or
write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC
20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully tax-
deductible.  Checks should be made out to "The Fund for Constitutional
Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301,
Washington DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and funding of the digital wiretap law.
Thank you for your support.
  ---------------------- END EPIC Alert 5.16 -----------------------
