EPIC logo

       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 6.10                                      June 30, 1999
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] Senate Committee Approves Mandatory Filtering Bill
[2] Congress Acts on Encryption Legislation
[3] Government Seeks Review of Bernstein Crypto Decision
[4] House to Consider Financial Data Protection
[5] Proposed DoubleClick/Abacus Merger Raises Privacy Concerns
[6] California Supreme Court Upholds Workplace Privacy
[7] Report Notes Benefits of Internet Anonymity
[8] Upcoming Conferences and Events
[1] Senate Committee Approves Mandatory Filtering Bill
Congress' move toward mandatory Internet filtering for schools and
libraries gained momentum on June 23, when the Senate Commerce
Committee approved the Children's Internet Protection Act (S.97).  The
legislation would mandate that public schools and libraries receiving
"E-Rate" universal service funds purchase and use Internet filtering
software to regulate access by minors. The House of Representatives
added a similar provision to the juvenile justice bill on June 17.
The Committee action came over the objections of leading education,
library  and civil liberties groups, which argued that the legislation
would impose a costly unfunded requirement and ignores a variety of
alternative approaches being taken in localities around the country.
Commerce Committee Chairman John McCain (R-AZ) rejected the criticism,
stating that filtering software is inexpensive and necessary to protect
children. "No issue is more important to America than protecting our
children," he said.  Under the language approved by the Senate
committee approach, the thousands of schools that participate in the
federal Internet subsidy program would be required to install software
preventing access to obscene material and child pornography.  Libraries
in the E-Rate program with more than one computer would face a similar
requirement; those with only one computer would have to ensure that
children could not access such material.
Prior to the vote, the Internet Free Expression Alliance (IFEA) sent a
joint letter to the Commerce Committee urging rejection of mandatory
filtering.  The coalition members told the committee, "We believe that
the majority of Americans share our conviction that parents and
teachers -- not the federal government -- should provide children with
guidance about accessing information on the Internet."  They urged the
Senators to consider alternative approaches, including training classes
to help children bring critical skills to the Internet; adult
supervision of Internet use by minors; highlighting recommended sites
to assist parents in navigating the Internet; and establishment of
limited time periods for supervised use of the Internet by young
children.  The groups noted that, "Clumsy and ineffective blocking
programs are nothing more than a 'quick fix' solution to parental
concerns, often providing a false sense of security that children will
not be exposed to material which parents may find inappropriate."
The text of the coalition letter is available at the website of the
Internet Free Expression Alliance:
[2] Congress Acts on Encryption Legislation
On June 23, the House Commerce Committee approved the Security and
Freedom Through Encryption (SAFE) bill (H.R. 850), which would relax
export controls on encryption, with several amendments. One of the
amendments would make it a crime to fail to decrypt encrypted
information when ordered to do so, raising serious privacy and
constitutional concerns.  The new provision would impose criminal
penalties (including up to ten years in prison) on anyone who
     is required by an order of any court to provide to
     the court or any other party any information in such
     person's possession which has been encrypted and who,
     having possession of the key or such other capability
     to decrypt such information into the readable or
     comprehensible format of such information prior to
     its encryption, fails to provide such information in
     accordance with the order in such readable or
     comprehensible form.
House consideration of the SAFE bill will continue for at least
another month; the International Relations Committee has until July 16
to act on the legislation and Intelligence and Armed Services have
until July 23.  The House Armed Services Committee has scheduled a
hearing on the bill for June 30.
Also on June 23, the Senate Commerce Committee approved the PROTECT
encryption bill (S. 798).  The legislation would allow U.S. companies
immediately to export medium-strength encryption products (64-bit) and
much more powerful products (up to 128-bit) beginning in 2002.  Current
U.S. policy generally limits exports to 56-bit encryption with some
exceptions such as for subsidiaries of U.S. firms and foreign companies
in  banking, insurance, health-care and electronic commerce.  The bill
would also establish a committee of government and private sector
officials that could vote to allow export of stronger products if
similar products are available outside the United States.  The
committee's decisions could be overturned by the President. Unlike the
SAFE bill in the House, the PROTECT Act does not include criminal
penalties for the use of encryption in furtherance of a crime.
Additional information on encryption policy is available at the
Internet Privacy Coalition website:
[3] Government Seeks Review of Bernstein Crypto Decision
While Congress continues to debate encryption policy, the federal
courts are also grappling with the issue.  On June 21, the Department
of Justice filed a petition for rehearing in the Bernstein case,
seeking to overturn the Ninth Circuit Court of Appeal's recent opinion
holding that encryption source code is scientific expression protected
by the First Amendment.
The federal appeals court in San Francisco ruled on May 6 that federal
regulations that prohibit the dissemination of encryption source code
violate the First Amendment.  The court found that the regulations are
an unconstitutional prior restraint on speech because they "grant
boundless discretion to government officials" and have "effectively
chilled [cryptographers] from engaging in valuable scientific
expression."  The case was initiated by researcher Daniel Bernstein,
who sought government permission to export source code he had written.
EPIC was both co-counsel and coordinator of a "friend-of-the-court"
(amicus) brief in the case, arguing against the government controls on
privacy-enhancing technology.  Civil liberties and privacy
organizations have consistently opposed restrictions on the
dissemination of encryption technology, and welcomed the Bernstein
decision as a major breakthrough.  The opinion was notably for its
recognition of the threats to privacy that citizens face today and the
role of encryption in protecting information.
In seeking the Ninth Circuit's reconsideration of the case, the Justice
Department argues that the May 6 decision
     rests on fundamental errors regarding First Amendment
     and severability law.  As a result of those errors,
     the panel has placed the entire encryption export
     regime in jeopardy.  The potential consequences of
     repudiating the President's decisions regarding
     encryption export controls are grave and far-reaching.
     Before the views of the panel majority become the law
     of this Circuit, and unrestricted export of encryption
     products receives this Court's imprimatur, further
     review is imperative.
Information on encryption export controls, including the text of the
Bernstein decision and the EPIC amicus brief, is available at the EPIC
Cryptography Archive:
[4] House to Consider Financial Data Protection
The House of Representatives is expected this week to take up a bill,
H.R. 10, that will make it easier for banks to merge with other
financial firms such as health insurance companies and stock
brokerages.  These bigger banks are already sharing confidential
customer information with their subsidiaries, and with unrelated third
parties.  When the House Commerce Committee considered the bill, Rep.
Ed Markey (D-MA) won what major newspapers called a "stunning" victory
when the committee approved an amendment that would require banks to
give customers a chance to opt-out before they share or sell
confidential customer records.  Unfortunately, some of the biggest
banks and financial firms in the country, including Citibank and Bank
One (First USA credit cards) are waging a fierce campaign to defeat the
Markey financial privacy amendment and substitute an unacceptable
disclosure alternative.
This spring, citizens convinced the bank regulatory agencies to
withdraw plans requiring banks to compile detailed "Know Your Customer"
profiles.  Consumer and privacy groups are now encouraging similar
citizen action to enact the Markey privacy amendment.  The Markey
amendment is supported by the nation's leading consumer groups,
including Consumers Union, Consumer Federation of America and the U.S.
Public Interest Research Group (PIRG).
Additional information on the Markey financial privacy amendment is
available at:
[5] Proposed DoubleClick/Abacus Merger Raises Privacy Concerns
Privacy groups have raised concerns over the potential violation of
international privacy protection laws involved in the proposed merger
Internet advertiser DoubleClick and market research firm Abacus
Direct.  When the two firms merge, the DoubleClick database containing
data on Internet usage habits will be cross-referenced with the Abacus
Direct database containing real names and addresses, as well as
detailed information on customer buying habits.  The proposed deal has
been trumpeted as the key to targeting niche markets more effectively,
but the synthesizing of information could create a super-database of
personal information without consumers' previous consent.
EPIC, along with other privacy advocates, issued an open letter to
Abacus Direct shareholders on June 29, asking them to derail the one
billion dollar merger.  The groups urged shareholders to consider
whether the companies understood the privacy implications of the
proposed merger, or whether they had considered international laws
that could restrict their data trades.
Specifically, the letter cites the European Union privacy directive,
which bars data transfers from EU countries to third parties it
believes don't adequately protect personal data or fail to obtain
proper consent before sharing it.  The letter also raised the
possibility of legal action in Europe.  The location of Abacus'
subsidiary in Teddington, England leaves an opening for the
challenging the merger under the EU data directive, arguing that the
U.K. arm of the company shouldn't be able to exchange data with
companies in the DoubleClick network -- as well as Abacus's US
locations -- that don't comply with the EU directive.  Consumer
advocates are also drafting a petition to the Federal Trade Commission
questioning the merger.
More information on the DoubleClick/Abacus merger, including the text
of the privacy groups' open letter, is available at:
[6] California Supreme Court Upholds Workplace Privacy
On June 24, California's highest court handed down a unanimous
decision describing the privacy rights enjoyed by employees in the
     In an office or other workplace to which the general public
     does not have unfettered access, employees may enjoy a
     limited, but legitimate, expectation that their conversations
     and other interactions will not be secretly videotaped by
     undercover television reporters, even though those conversations
     may not have been completely private from the participants'
The case, Sanders v. American Broadcasting Companies, arose after the
broadcast of an investigative report on ABC's PrimeTime Live that
included behind the scenes footage of the telephone psychic industry.
The footage had been obtained by an undercover reporter working as a
telephone psychic.  A camera concealed in the reporter's hat provided
video images, while a hidden microphone captured sound data.
One of the psychics whose image and voice appeared briefly during the
segment, sued for invasion of privacy and violation of a state
anti-surveillance statute. After winning over $600,000 at trial, the
plaintiff's judgment was overturned on appeal.  The appellate court
reasoned that the employee could not have a reasonable expectation of
privacy regarding a conversation carried on in an open workspace,
within earshot of other employees.
The California Supreme Court reversed this decision, adopting instead
a more flexible standard.  "Privacy," the Court noted, "is not a
binary, all-or-nothing characteristic."   The Court discussed several
factors to be considered when evaluating the reasonableness of privacy
claims: "the identity of the claimed intruder and the means of
intrusion," as well as "who might have been able to observe the
subject interaction."  Applying this reasoning, the Court found that
Sanders could have a reasonable expectation that his conversations
with co-workers would not be secretly recorded by undercover
The case was remanded to the appellate court, which must still decide
several procedural and evidentiary questions, including the
appropriateness of the jury award.
[7] Report Notes Benefits of Internet Anonymity
The American Association for the Advancement of Science has released a
report titled "Anonymous Communication Policies for the Internet."
The report grows out of a conference on anonymity sponsored by AAAS in
November 1997.  The paper acknowledges that anonymous communication
can be misused, but concludes that the benefits from its positive uses
far outweigh the risks.
The conference participants conducted a benefit/burden analysis of
online anonymity in attempting to formulate a policy on the issue.  In
the end, they devised four principles: 1) that anonymous communication
online is morally neutral; 2) that anonymous communication should be
regarded as a strong human right (and a constitutional right in the
United States); 3) that online communities should be allowed to set
their own policies regarding the use of anonymous communication; and
4) that individuals should be informed about the extent to which their
identities are disclosed offline.
Finally, it was suggested that abuses of online anonymity should not
be tolerated and that those posting defamatory messages must be
responsible for any harm associated with them.  The conference members
also took a stance against key-escrow encryption and liability for
operators of anonymous remailers.  They also stressed the importance
of education and public awareness and the possible development of
codes of conduct.
The full text of the AAAS report is available at:
[8] Upcoming Conferences and Events
National Coalition to Protect Political Freedom, 3rd Annual Meeting.
Georgetown University Law Center, Washington, DC.  July 9-10, 1999.
Contact: Kit Gage 301-587-7442, kgage@igc.org
Jurisdiction: Building Confidence in a Borderless Medium. Queen
Elizabeth Hotel, Montreal, Canada, July 26-27, 1999. Sponsored by the
Internet Law and Policy Forum.  Contact:  Marilyn Malenfant
+1.514.744.0408 or malenfant@ilpf.org.
ABA Annual Conference, Section of International Law and Practice.
"Privacy Issues in Electronic Commerce." August 9, 1999. Atlanta,
Georgia. Contact http://www.abanet.org/annual/99/home.html
The 21st International Conference on Privacy and Personal Data
Protection.  Hong Kong, September 13-14, 1999.  A distinguished group
of over 50 speakers/panelists from overseas and Hong Kong will explore
the theme of  "Privacy of Personal Data, Information Technology &
Global Business in the Next Millennium."" Sponsored by the Office of
the Privacy Commissioner for Personal Data in Hong Kong.  Contact:
"A Privacy Agenda for the 21st Century." September 15, 1999. Hong Kong
Convention and Exhibition Centre, Hong Kong PRC. Contact:
"Certified Wide Area Road Use Monitoring." September 21-23, 1999.
Albuquerque, New Mexico.  Sponsored by the New Mexico State Highway and
Transportation Department Research Bureau in cooperation with the
University of New Mexico Alliance for Transportation Research Institute
An intensive 2 1/2 day educational and developmental symposium on a
single rapidly evolving concept in Intelligent Transportation Systems
(ITS).  For more information: http://www.unm.edu/~nmtrans/CWARUM-1.html
Information Security Solutions Europe 1999. October 4-6, 1999. Maritim
proArte Hotel, Berlin, Germany. contact http://www.eema.org/isse/
RSA 2000. The ninth annual RSA Data Security Conference and Expo. San
Jose McEnery Convention Center. San Jose, CA.  January 16-20, 2000,
Contact: http://www.rsa.com/rsa2000/
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. A Web-based form is available for subscribing or
unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
About EPIC
The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information.  EPIC is sponsored
by the Fund for Constitutional Government, a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights.  EPIC publishes the EPIC Alert, pursues Freedom of Information
Act litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240
(tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 6.10 -----------------------

Return to:

Alert Home Page | EPIC Home Page