       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 6.05	                                   March 25, 1999
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
                        Register today for the
            1999 Computers, Freedom and Privacy Conference
                    April 6-8, 1999, Washington, DC
Table of Contents
[1] Public Outcry Kills "Know Your Customer" Banking Rules
[2] House Judiciary Committee Approves SAFE Crypto Bill
[3] EPIC Files Amicus Brief in Encryption Control Challenge
[4] Microsoft Tracks Users, But Watchdog is Mute
[5] Administration Names Privacy Counselor
[6] New Study Gives School Filtering a Failing Grade
[7] EPIC Bill-Track: New Bills in Congress
[8] Upcoming Conferences and Events

[1] Public Outcry Kills "Know Your Customer" Banking Rules

Following an unprecedented outpouring of public opposition, the
federal bank regulatory agencies on March 23 withdrew their
controversial "Know Your Customer" proposal.  The proposed rules would
have required banks to closely monitor their customers' bank accounts
and report any "suspicious activity" to the federal government.
Donna Tanoue, Chair of the Federal Deposit Insurance Corporation, said
in a statement:
     Privacy is important to Americans, and we have e-mails, letters,
     and postcards from more than 250,000 individuals to prove it.
     Virtually all of them say the same thing: "I don't want anyone
     prying into my personal financial affairs, regardless of the
     reason."  The Federal Deposit Insurance Corporation (FDIC) got
     that message . . .  We need to be more sensitive to privacy in
     every context.  We need to take privacy concerns into account
     in any regulatory proposal that touches upon the personal
     finances of bank customers, regardless of our objectives.  When
     bank regulation can excite and unite individuals across the
     country, and in all walks of life, we have to pay attention.
The rules were proposed jointly by the FDIC, the Board of Governors
of the Federal Reserve System, the Office of the Comptroller of the
Currency, and the Office of Thrift Supervision in December 1998.
They would have required all banks to demand more identification from
their customers, determine their usual banking patterns and report
any unusual transactions to the federal government in the form of
"Suspicious Activity Reports."
The rules were widely opposed by privacy, conservative and
libertarian groups.  The FDIC received 257,000 comments opposing the
proposal; only 100 comments supported the rules.  A number of banking
groups, including the American Bankers Association, also came out
against the regulations.  Nearly a dozen bills were introduced in
Congress that would have prohibited the rules from being adopted, and
the Senate approved a resolution last week calling for the proposal
to be withdrawn.

[2] House Judiciary Committee Approves SAFE Crypto Bill

The House Judiciary Committee approved the SAFE encryption bill on March
24.  The legislation -- the Safety and Freedom through Encryption Act of
1999 -- would substantially relax U.S. export controls on encryption.
The bill also contains a controversial provision that creates a new
federal crime for the use of encryption to conceal criminal conduct.
EPIC and other civil liberties groups have urged lawmakers to reconsider
the issue of establishing new criminal offenses involving encryption.
The Judiciary Committee did not consider an amendment offered by Rep.
Bill McCollum (R-FL) that would have limited export relief to only those
encryption products that "include features or functions providing an
immediate access to plaintext capability, if there is lawful authority
for such immediate access."  The McCollum amendment was ruled
"non-germane" by Committee Chair Henry Hyde (R-IL).  Rep. Zoe Lofgren
(D-CA), a co-author of the SAFE bill, characterized the amendment as a
resurrection of the discredited "Clipper" key escrow initiative.
The SAFE bill will next be considered by the House International
Relations Committee, where the McCollum amendment is likely to be
More information on the SAFE bill is available at:

[3] EPIC Files Amicus Brief in Encryption Control Challenge

Continuing its efforts to support pro-encryption lawsuits, EPIC
coordinated the submission of a "friend-of-the-court" brief on March 8
arguing that U.S. export controls on encryption violate the First
Amendment.  The brief, which was joined by a broad coalition of
organizations and several noted security experts, supports the challenge
of Prof. Peter Junger, whose case is now pending before the U.S. Court
of Appeals for the Sixth Circuit.
To communicate ideas and information about cryptography, and to
encourage discussion and debate, Prof. Junger unsuccessfully sought a
government determination that text written in C, Perl and other
high-level programming languages (and relating to encryption) could be
freely disseminated over the Internet.  That determination was upheld
by the lower court, resulting in the pending appeal.
The following are excerpts from the EPIC brief:
     Governmental restrictions on the export of encryption software
     impede the development of the secure global infrastructure
     that electronic privacy requires. The Regulations substantially
     constrain communications over the global Internet: Unless both
     parties to the communication share encryption software that
     employs the same cryptographic methods and standards, they
     cannot communicate privately at all. The Regulations also have
     a negative impact on the development and availability of
     effective encryption software even within the United States.
     . . .
     The mechanisms that secured traditional paper-based
     communications -- envelopes and locked filing cabinets -- are
     being replaced by cryptographic security techniques. To require
     that electronic communications and records be unencrypted is
     equivalent to requiring that paper communications be sent by
     postcards instead of in sealed envelopes. Regulations that
     impose a significant burden on the dissemination of encryption
     software have a similar effect. If effective encryption is
     difficult to obtain, the result will be that private messages
     and records will be vulnerable to unwilling disclosure.
The full text is available at:

[4] Microsoft Tracks Users, But Watchdog is Mute

Industry privacy watchdog TRUSTe announced on March 21 that it would not
sanction Microsoft for secretly creating a unique identifier for each
user of Windows and then transferring that information to the software
company.  The decision has fed the growing doubt that industry
self-regulation will adequately protect privacy in the absence of legal
In early March, a consultant discovered that Microsoft's "Registration
Wizard" created a unique number for each user based on their computer
hardware.  The ID number was transmitted to Microsoft even when
consumers indicated that they did not want hardware information to be
transmitted.  The number was also included in a cookie and used to
identify the user for each visit to the Microsoft web site, which
requires that users accept cookies to access the site.  The number was
imbedded in documents created by Microsoft Word, Excel and other
applications.  The company claimed that it was unaware of these features
and now says it will discard any collected data and fix the bug sometime
this summer.
Privacy advocate Jason Catlett submitted a complaint to TRUSTe, which
was founded by members of the online industry attempting to forestall
legislation to enforce privacy protections.  Microsoft is a founding
member of TRUSTe and provides $100,000 each year to fund its efforts.
In declining to act, TRUSTe stated, "While this event does not fall
within the boundaries of the TRUSTe License Agreement, it did, in
TRUSTe's opinion, compromise consumer trust and privacy." Explaining why
it declined to sanction Microsoft for its actions, TRUSTe said it "has
determined that Microsoft.com was in compliance with all TRUSTe
principles.  Had TRUSTe determined that Microsoft.com had violated its
stated practices, TRUSTe would have conducted an audit to ascertain that
sufficient remedies had been put in place."
More information on the complaint against Microsoft is available at:

[5] Administration Names Privacy Counselor

A new player has joined the growing team of US officials managing the
privacy issue. Ohio State Professor Peter Swire has been named chief
counselor for privacy for the Office of Information and Regulatory
Affairs within the Office of Management and Budget.
Swire is best known for a book that he co-authored with Robert
Litan titled "None of Your Business: World Data Flows, Electronic
Commerce and the European Privacy Directive." The 1998 publication from
the Brookings Institute explored the potential impact of the EU Data
Directive on electronic commerce. The authors recommended the
development of self-regulatory measures to address the European privacy
challenge, but failed to look closely at the question of whether these
measures would actually protect the privacy interests of US consumers.
The book ignores the history of public concern about privacy in the
United States as well as the privacy laws that often resulted. Only a
few pages are devoted to the Fair Credit Reporting Act and the Privacy
Act. It says nothing about the privacy protections in the Cable Privacy
Protection Act, the Video Privacy Protection Act, the Telephone Consumer
Protection Act or the current efforts to develop privacy protection for
medical records and electronic commerce.
The book also provided an alarmist, almost caricature-like, description
of privacy protection outside of the United States. Swire and Litan
offered up the specter that personal computers would soon be seized at
European airports if the Directive is fully enforced. However, there is
little in the Directive or the twenty-year history of privacy protection
in Europe to support this claim, and more American cryptographers have
been stopped by US Customs officials enforcing US export control laws on
privacy tools than by European privacy officials.
It remains unclear at this point what specific role and responsibility
Swire will have in the ever-changing mosaic of US privacy policy. The
office falls short of the privacy agency that advocates and experts have
long supported, and the focus on the EU Directive seems to miss the much
more pressing concerns of US citizens. OMB lacks statutory authority to
investigate privacy issues or pursue privacy complaints. Swire also
recently traveled to Europe as a consultant to the US Department of
Commerce to lobby European officials not to adopt new privacy laws.
UCLA Professor Jerry Kang, who served in the early days of the
Administration in a role similar to Swire, recently published an article
in the Stanford Law Review calling for the enactment of comprehensive
privacy legislation for the Internet. It remains to be seen whether
Swire's service in Washington will lead to a greater understanding of
the pressing need to develop Fair Information Practices to protect the
interests of US citizens.

[6] New Study Gives School Filtering a Failing Grade

A new report, detailing the use of Internet filtering software in Utah
public schools and libraries, offers a revealing glimpse into the
real-world effects of blocking programs.  Produced by the Censorware
Project, the report analyzes approximately 53 million lines of actual
use data obtained from the Utah Education Network (UEN) under the state
freedom of information law.  UEN maintains eleven proxy servers which
provide statewide "filtered" Internet access to all of Utah's public
schools and some of its public libraries.  The product used to screen
out objectionable content is SmartFilter, a software package produced by
Secure Computing.
The data shows that less than 0.4% of all access attempts on the UEN
system were blocked by SmartFilter, despite the overbreadth of the
program's filtering criteria.  "Very few people used the Internet to
access sexually explicit material, and students were less likely to do
so," says the report. "The problem of minors accessing sexually explicit
material is considerably less than some organizations would have the
public and Congress believe."
The report also finds that SmartFilter, like other filtering products,
blocks access to a large amount of socially useful content.  Users in
Utah were denied access to the Declaration of Independence, the United
States Constitution, the Bible, the Koran, all of Shakespeare's plays
and the Adventures of Sherlock Holmes.
Sen. John McCain (R-AZ) and Rep. Bob Franks (R-NJ) have introduced bills
in Congress (S. 97 and H.R. 543) that would require libraries and
schools to install filtering software as a condition of receiving
federal Internet funds.
The report -- "Censored Internet Access in Utah Public Schools and
Libraries" -- is available at:

[7] EPIC Bill-Track: New Bills in Congress

EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills in
the 106th Congress
* House of Representatives *
H.R. 1015. Consumer Credit Report Accuracy and Privacy Act of 1999.
Requires credit agencies to provide one free credit report each year to
all consumers. Sponsor: Rep. Lucille Roybal-Allard. Referred to the
House Committee on Banking and Financial Services.
H.R. 1057. Medical Information Privacy and Security Act.  Sets general
rules on use and disclosure of medical records. Sponsor:  Rep. Edward J.
Markey (D-MA). Referred to the Committee on Commerce, and in addition to
the Committee on the Judiciary.
H.R. 1131. ATM Public Safety and Crime Control Act. Requires banks to
put enhanced surveillance cameras in ATM machines to facilitate crime
investigations based on FBI recommendations. Sponsor: Rep. Jerrold
Nadler (D-NY). Referred to the Committee on Banking and Financial
Services, and in addition to the Committee on the Judiciary.
H.R. 1159. Protection of Children From On-Line Predators and
Exploitation Act of 1999. Creates new Child Cybersmuggling Center in the
Customs Service, expands use of wiretapping.  Sponsor: Rep. Nancy L.
Johnson (R-CT). Referred to the Committee on Ways and Means, and in
addition to the Committee on the Judiciary.
* Senate *
S. 543. Genetic Information Nondiscrimination in Health Insurance Act of
1999. Prohibits workplace, insurance discrimination based on genetic
information. Sponsor: Sen. Olympia J. Snowe (R-ME).
S. 573. Medical Information Privacy and Security Act. Comprehensive
medical privacy bill.  Sponsor: Sen. Patrick J. Leahy (D-VT).
S. 578. Health Care PIN Act. Weaker comprehensive medical privacy act.
Provides for limited protections on medical records, easy access to
records by industry. Sponsor: Sen. James M. Jeffords (R-VT).

[8] Upcoming Conferences and Events

CYBERSPACE 1999: Crime, Criminal Justice and the Internet. March 29 &
30, 1999. York, UK. Sponsored by the British and Irish Legal Education
Technology Association (BILETA). http://www.bileta.ac.uk/
"Computers, Freedom and Privacy: The Global Internet," April 6-8, 1999.
Washington, DC. Sponsored by ACM. Early registration deadline: March 15.
Online registration: http://www.cfp99.org/
Implementation Strategies for the New Canadian Privacy Law. April 14-15.
Toronto, CA. Sponsored by Centrium Information and Conferencing.
Contact: Centrium@lefca.org.
Encryption Controls Workshop. May 13, 1999. Raleigh, NC. Sponsored by
the U.S. Dep't of Commerce. Contact: (202) 482-6031

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. A Web-based form is available for subscribing or
unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information.  EPIC is sponsored
by the Fund for Constitutional Government, a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights.  EPIC publishes the EPIC Alert, pursues Freedom of Information
Act litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240
(tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 6.05 -----------------------
