==============================================================

EPIC ALERT

==============================================================
Volume 6.05                                     March 25, 1999
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org

---------------------------------------
Register today for the 1999 Computers, Freedom and Privacy Conference
April 6-8, 1999, Washington, DC
http://www.cfp99.org

=======================================================================
Table of Contents
=======================================================================

[1] Public Outcry Kills "Know Your Customer" Banking Rules
[2] House Judiciary Committee Approves SAFE Crypto Bill
[3] EPIC Files Amicus Brief in Encryption Control Challenge
[4] Microsoft Tracks Users, But Watchdog is Mute
[5] Administration Names Privacy Counselor
[6] New Study Gives School Filtering a Failing Grade
[7] EPIC Bill-Track: New Bills in Congress
[8] Upcoming Conferences and Events

=======================================================================
[1] Public Outcry Kills "Know Your Customer" Banking Rules
=======================================================================

Following an unprecedented outpouring of public opposition, the
federal bank regulatory agencies on March 23 withdrew their
controversial "Know Your Customer" proposal. The proposed rules would
have required banks to closely monitor their customers' bank accounts
and report any "suspicious activity" to the federal government.

Donna Tanoue, Chair of the Federal Deposit Insurance Corporation, said
in a statement:

     Privacy is important to Americans, and we have e-mails,
     letters, and postcards from more than 250,000 individuals to
     prove it.
     Virtually all of them say the same thing: "I don't want
     anyone prying into my personal financial affairs, regardless
     of the reason." The Federal Deposit Insurance Corporation
     (FDIC) got that message . . . We need to be more sensitive to
     privacy in every context. We need to take privacy concerns
     into account in any regulatory proposal that touches upon the
     personal finances of bank customers, regardless of our
     objectives. When bank regulation can excite and unite
     individuals across the country, and in all walks of life, we
     have to pay attention.

The rules were proposed jointly by the FDIC, the Board of Governors of
the Federal Reserve System, the Office of the Comptroller of the
Currency, and the Office of Thrift Supervision in December 1998. They
would have required all banks to demand more identification from their
customers, determine their usual banking patterns and report any
unusual transactions to the federal government in the form of
"Suspicious Activity Reports."

The rules were widely opposed by privacy, conservative and libertarian
groups. The FDIC received 257,000 comments opposing the proposal; only
100 comments supported the rules. A number of banking groups,
including the American Bankers Association, also came out against the
regulations. Nearly a dozen bills were introduced in Congress that
would have prohibited the rules from being adopted, and the Senate
approved a resolution last week calling for the proposal to be
withdrawn.

=======================================================================
[2] House Judiciary Committee Approves SAFE Crypto Bill
=======================================================================

The House Judiciary Committee approved the SAFE encryption bill on
March 24. The legislation -- the Safety and Freedom through Encryption
Act of 1999 -- would substantially relax U.S. export controls on
encryption.
The bill also contains a controversial provision that creates a new
federal crime for the use of encryption to conceal criminal conduct.
EPIC and other civil liberties groups have urged lawmakers to
reconsider the issue of establishing new criminal offenses involving
encryption.

The Judiciary Committee did not consider an amendment offered by Rep.
Bill McCollum (R-FL) that would have limited export relief to only
those encryption products that "include features or functions
providing an immediate access to plaintext capability, if there is
lawful authority for such immediate access." The McCollum amendment
was ruled "non-germane" by Committee Chair Henry Hyde (R-IL). Rep. Zoe
Lofgren (D-CA), a co-author of the SAFE bill, characterized the
amendment as a resurrection of the discredited "Clipper" key escrow
initiative.

The SAFE bill will next be considered by the House International
Relations Committee, where the McCollum amendment is likely to be
considered.

More information on the SAFE bill is available at:

     http://www.epic.org/crypto/

=======================================================================
[3] EPIC Files Amicus Brief in Encryption Control Challenge
=======================================================================

Continuing its efforts to support pro-encryption lawsuits, EPIC
coordinated the submission of a "friend-of-the-court" brief on March 8
arguing that U.S. export controls on encryption violate the First
Amendment. The brief, which was joined by a broad coalition of
organizations and several noted security experts, supports the
challenge of Prof. Peter Junger, whose case is now pending before the
U.S. Court of Appeals for the Sixth Circuit.

To communicate ideas and information about cryptography, and to
encourage discussion and debate, Prof.
Junger unsuccessfully sought a government determination that text
written in C, Perl and other high-level programming languages (and
relating to encryption) could be freely disseminated over the
Internet. That determination was upheld by the lower court, resulting
in the pending appeal.

The following are excerpts from the EPIC brief:

     Governmental restrictions on the export of encryption software
     impede the development of the secure global infrastructure
     that electronic privacy requires. The Regulations
     substantially constrain communications over the global
     Internet: Unless both parties to the communication share
     encryption software that employs the same cryptographic
     methods and standards, they cannot communicate privately at
     all. The Regulations also have a negative impact on the
     development and availability of effective encryption software
     even within the United States. . . .

     The mechanisms that secured traditional paper-based
     communications -- envelopes and locked filing cabinets -- are
     being replaced by cryptographic security techniques. To
     require that electronic communications and records be
     unencrypted is equivalent to requiring that paper
     communications be sent by postcards instead of in sealed
     envelopes. Regulations that impose a significant burden on the
     dissemination of encryption software have a similar effect. If
     effective encryption is difficult to obtain, the result will
     be that private messages and records will be vulnerable to
     unwilling disclosure.

The full text is available at:

     http://www.epic.org/crypto/export_controls/junger_brief.html

=======================================================================
[4] Microsoft Tracks Users, But Watchdog is Mute
=======================================================================

Industry privacy watchdog TRUSTe announced on March 21 that it would
not sanction Microsoft for secretly creating a unique identifier for
each user of Windows and then transferring that information to the
software company.
The decision has fed the growing doubt that industry self-regulation
will adequately protect privacy in the absence of legal protections.

In early March, a consultant discovered that Microsoft's "Registration
Wizard" created a unique number for each user based on their computer
hardware. The ID number was transmitted to Microsoft even when
consumers indicated that they did not want hardware information to be
transmitted. The number was also included in a cookie and used to
identify the user for each visit to the Microsoft web site, which
requires that users accept cookies to access the site. The number was
imbedded in documents created by Microsoft Word, Excel and other
applications. The company claimed that it was unaware of these
features and now says it will discard any collected data and fix the
bug sometime this summer.

Privacy advocate Jason Catlett submitted a complaint to TRUSTe, which
was founded by members of the online industry attempting to forestall
legislation to enforce privacy protections. Microsoft is a founding
member of TRUSTe and provides $100,000 each year to fund its efforts.

In declining to act, TRUSTe stated, "While this event does not fall
within the boundaries of the TRUSTe License Agreement, it did, in
TRUSTe's opinion, compromise consumer trust and privacy." Explaining
why it declined to sanction Microsoft for its actions, TRUSTe said it
"has determined that Microsoft.com was in compliance with all TRUSTe
principles. Had TRUSTe determined that Microsoft.com had violated its
stated practices, TRUSTe would have conducted an audit to ascertain
that sufficient remedies had been put in place."

More information on the complaint against Microsoft is available at:

     http://www.junkbusters.com/microsoft.html

=======================================================================
[5] Administration Names Privacy Counselor
=======================================================================

A new player has joined the growing team of US officials managing the
privacy issue. Ohio State Professor Peter Swire has been named chief
counselor for privacy for the Office of Information and Regulatory
Affairs within the Office of Management and Budget.

Swire is most well known for a book that he co-authored with Robert
Litan titled "None of Your Business: World Data Flows, Electronic
Commerce and the European Privacy Directive." The 1998 publication
from the Brookings Institute explored the potential impact of the EU
Data Directive on electronic commerce. The authors recommended the
development of self-regulatory measures to address the European
privacy challenge, but failed to look closely at the question of
whether these measures would actually protect the privacy interests of
US consumers.

The book ignores the history of public concern about privacy in the
United States as well as the privacy laws that often resulted. Only a
few pages are devoted to the Fair Credit Reporting Act and the Privacy
Act. It says nothing about the privacy protections in the Cable
Privacy Protection Act, the Video Privacy Protection Act, the
Telephone Consumer Protection Act or the current efforts to develop
privacy protection for medical records and electronic commerce.

The book also provided an alarmist, almost caricature-like,
description of privacy protection outside of the United States. Swire
and Litan offered up the specter that personal computers would soon be
seized at European airports if the Directive is fully enforced.
However, there is little in the Directive or the twenty-year history
of privacy protection in Europe to support this claim, and more
American cryptographers have been stopped by US Customs officials
enforcing US export control laws on privacy tools than by European
privacy officials.

It remains unclear at this point what specific role and responsibility
Swire will have in the ever-changing mosaic of US privacy policy. The
office falls short of the privacy agency that advocates and experts
have long supported, and the focus on the EU Directive seems to miss
the much more pressing concerns of US citizens. OMB lacks statutory
authority to investigate privacy issues or pursue privacy complaints.
Swire also recently traveled to Europe as a consultant to the US
Department of Commerce to lobby European officials not to adopt new
privacy laws.

UCLA Professor Jerry Kang, who served in the early days of the
Administration in a role similar to Swire, recently published an
article in the Stanford Law Review calling for the enactment of
comprehensive privacy legislation for the Internet. It remains to be
seen whether Swire's service in Washington will lead to a greater
understanding of the pressing need to develop Fair Information
Practices to protect the interests of US citizens.

=======================================================================
[6] New Study Gives School Filtering a Failing Grade
=======================================================================

A new report, detailing the use of Internet filtering software in Utah
public schools and libraries, offers a revealing glimpse into the
real-world effects of blocking programs. Produced by the Censorware
Project, the report analyzes approximately 53 million lines of actual
use data obtained from the Utah Education Network (UEN) under the
state freedom of information law.
UEN maintains eleven proxy servers which provide statewide "filtered"
Internet access to all of Utah's public schools and some of its public
libraries. The product used to screen out objectionable content is
SmartFilter, a software package produced by Secure Computing.

The data shows that less than 0.4% of all access attempts on the UEN
system were blocked by SmartFilter, despite the overbreadth of the
program's filtering criteria. "Very few people used the Internet to
access sexually explicit material, and students were less likely to do
so," says the report. "The problem of minors accessing sexually
explicit material is considerably less than some organizations would
have the public and Congress believe."

The report also finds that SmartFilter, like other filtering products,
blocks access to a large amount of socially useful content. Users in
Utah were denied access to the Declaration of Independence, the United
States Constitution, the Bible, the Koran, all of Shakespeare's plays
and the Adventures of Sherlock Holmes.

Sen. John McCain (R-AZ) and Rep. Bob Franks (R-NJ) have introduced
bills in Congress (S. 97 and H.R. 543) that would require libraries
and schools to install filtering software as a condition of receiving
federal Internet funds.

The report -- "Censored Internet Access in Utah Public Schools and
Libraries" -- is available at:

     http://censorware.org/reports/utah/

=======================================================================
[7] EPIC Bill-Track: New Bills in Congress
=======================================================================

EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills
in the 106th Congress

     http://www.epic.org/privacy/bill_track.html

* House of Representatives *

H.R. 1015. Consumer Credit Report Accuracy and Privacy Act of 1999.
Requires credit agencies to provide one free credit report each year
to all consumers. Sponsor: Rep. Lucille Roybal-Allard.
Referred to the House Committee on Banking and Financial Services.

H.R. 1057. Medical Information Privacy and Security Act. Sets general
rules on use and disclosure of medical records. Sponsor: Rep. Edward
J. Markey (D-MA). Referred to the Committee on Commerce, and in
addition to the Committee on the Judiciary.

H.R. 1131. ATM Public Safety and Crime Control Act. Requires banks to
put enhanced surveillance cameras in ATM machines to facilitate crime
investigations based on FBI recommendations. Sponsor: Rep. Jerrold
Nadler (D-NY). Referred to the Committee on Banking and Financial
Services, and in addition to the Committee on the Judiciary.

H.R. 1159. Protection of Children From On-Line Predators and
Exploitation Act of 1999. Creates new Child Cybersmuggling Center in
the Customs Service, expands use of wiretapping. Sponsor: Rep. Nancy
L. Johnson (R-CT). Referred to the Committee on Ways and Means, and in
addition to the Committee on the Judiciary.

* Senate *

S. 543. Genetic Information Nondiscrimination in Health Insurance Act
of 1999. Prohibits workplace, insurance discrimination based on
genetic information. Sponsor: Sen. Olympia J. Snowe (R-ME).

S. 573. Medical Information Privacy and Security Act. Comprehensive
medical privacy bill. Sponsor: Sen. Patrick J. Leahy (D-VT).

S. 578. Health Care PIN Act. Weaker comprehensive medical privacy act.
Provides for limited protections on medical records, easy access to
records by industry. Sponsor: Sen. James M. Jeffords (R-VT).

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

CYBERSPACE 1999: Crime, Criminal Justice and the Internet. March 29 &
30, 1999. York, UK. Sponsored by the British and Irish Legal Education
Technology Association (BILETA). http://www.bileta.ac.uk/

"Computers, Freedom and Privacy: The Global Internet," April 6-8,
1999. Washington, DC. Sponsored by ACM.
Early registration deadline: March 15. Online registration:
http://www.cfp99.org/

Implementation Strategies for the New Canadian Privacy Law. April
14-15. Toronto, CA. Sponsored by Centrium Information and
Conferencing. Contact: Centrium@lefca.org.

Encryption Controls Workshop. May 13, 1999. Raleigh, NC. Sponsored by
the U.S. Dep't of Commerce. Contact: (202) 482-6031

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. A Web-based form is available for
subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
"unsubscribe".

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to focus
public attention on emerging privacy issues such as the Clipper Chip,
the Digital Telephony proposal, national ID cards, medical record
privacy, and the collection and sale of personal information. EPIC is
sponsored by the Fund for Constitutional Government, a non-profit
organization established in 1974 to protect civil liberties and
constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom
of Information Act litigation, and conducts policy research. For more
information, e-mail info@epic.org, http://www.epic.org or write EPIC,
666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544
9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 6.05 -----------------------