==============================================================

@@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
@     @  @   @   @        @ @   @     @     @  @    @
@@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
@     @      @   @       @   @  @     @     @  @    @
@@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @  @    @

==============================================================
Volume 6.13                                  September 1, 1999
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org

=======================================================================
Table of Contents
=======================================================================

[1] FCC Grants FBI Surveillance Standards Request
[2] Administration Proposes Secret Break-ins to Combat Crypto
[3] Appeals Court Strikes Down Telephone Privacy Regs
[4] Advisory Group Urges Change in Crypto Policy
[5] Appellate Brief Challenges Internet Censorship Law
[6] New Amazon.com Feature Raises Privacy Concerns
[7] EPIC Bookstore - The Tin Drum
[8] Upcoming Conferences and Events

=======================================================================
[1] FCC Grants FBI Surveillance Standards Request
=======================================================================

In a decision released on August 31, the Federal Communications Commission (FCC) largely adopted technical standards proposed by the Federal Bureau of Investigation (FBI) that would re-design the nation's telecommunications networks to facilitate electronic surveillance. The ruling could result in a significant increase in government interception of digital communications. Included is a requirement that cellular telephone networks must provide police the ability to track the physical location of cell phone users.

The FCC decision involves the Communications Assistance for Law Enforcement Act (CALEA), a controversial law enacted by Congress in 1994, which requires the telecommunications industry to design its systems in compliance with FBI technical specifications.
In negotiations over the last few years, the FBI and industry representatives were unable to agree upon those standards, resulting in the current proceeding before the Commission. EPIC opposed the enactment of CALEA in 1994 and has participated as a party in the FCC proceeding, arguing that many of the FBI standards go beyond the scope of the legislation and threaten communications privacy.

Another standard approved by the FCC would allow police investigators to listen in on phone conversations of all parties to a conference call, even if some were put on hold and were no longer talking to the target of the authorized surveillance. The standards would also enable police to determine when someone is using call-forwarding, three-way calling or other features.

On an issue of potentially great significance to the Internet, the Commission directed that "packet-mode communications" be made available to law enforcement no later than September 2001. Such communications can contain both voice and data. Noting the privacy problems raised by this requirement, the FCC requested the telecom industry to "study CALEA solutions for packet-mode technology" that will "better address privacy concerns" and report back in one year.

EPIC is reviewing the full text of the decision and may challenge the FCC action in federal court.

Additional information on CALEA, including the full text of the FCC decision, is available at:

     http://www.epic.org/privacy/wiretap/

=======================================================================
[2] Administration Proposes Secret Break-ins to Combat Crypto
=======================================================================

A new Clinton Administration proposal could result in an unprecedented intrusion into the sanctity of private homes and businesses.
The White House plan would enable federal and local law enforcement agents to secretly break into private premises and alter computer equipment to collect e-mail messages and other electronic information.

As first disclosed on August 20, the administration is circulating draft legislation known as the Cyberspace Electronic Security Act (CESA), the latest White House effort to address the growing use of encryption technology. As described in an August 4 analysis of the legislation obtained by EPIC, the proposal would amend current law to authorize "the alteration of hardware or software that allows plaintext to be obtained even if attempts were made to protect it through encryption." Courts would, for the first time, be able to approve covert police entries into homes and offices for the purposes of making such alterations.

CESA outlines law enforcement's ability to obtain the plaintext version of encrypted information. Under CESA, officials would be allowed to obtain keys that can decipher encrypted information after obtaining a warrant. While CESA provides for the issuance of warrants when keys are in the hands of "recovery agents," it also includes more alarming provisions when there are no such "recovery agents." When there are no third parties that possess keys and it is deemed important not to alert the suspect, law enforcement officials would be given the power to enter homes surreptitiously to install a "recovery device." It is unclear what such a device may entail, but it would modify software or hardware and allow for the recovery of plaintext even if the suspect attempts to encrypt any of his or her computer files.

In a letter to Attorney General Janet Reno, Rep. Bob Barr (R-GA) said, "This proposal demonstrates how addicted federal law enforcement has become to electronic surveillance. In my opinion, this addiction threatens both civil liberties and the effectiveness of law enforcement."
Barr predicted that CESA would be "dead on arrival" if it is transmitted to Congress.

CESA is the latest in a long line of administration efforts to ensure government access to encrypted information. While the Justice Department defends CESA as striking a reasonable balance between civil liberties concerns and the needs of law enforcement, the proposal would give government unprecedented authority to engage in the most invasive techniques.

=======================================================================
[3] Appeals Court Strikes Down Telephone Privacy Regs
=======================================================================

In a somewhat odd opinion, a federal appeals court has ruled that regulations developed by the FCC to implement the privacy provisions of the 1996 Telecommunications Act violate the First Amendment rights of telephone companies to disclose the detailed calling records of their customers.

The challenge, brought by US West, focused on the opt-in provisions that were included in the FCC regulations. Those provisions require telephone companies to obtain affirmative consent from customers before disclosing "Customer Proprietary Network Information," which includes, for example, monthly billing information. US West contended that the purpose of the Act could be satisfied by means of an opt-out that would require customers to first learn about the disclosure of the personal information and then to object.

Judge Deanell Reese Tacha, joined by Circuit Judge David M. Ebel, found that the FCC's CPNI regulations restricted constitutionally protected commercial speech. They further held that although the government has a substantial interest in protecting customer privacy and promoting competition, the FCC didn't show that its CPNI rules would "directly and materially" advance those interests. The majority held that the CPNI rules were not sufficiently narrowly tailored to meet those objectives.
Writing in dissent, Judge Mary Beck Briscoe said that "Congress made it abundantly clear it intended for telecommunications carriers to obtain customer 'approval' prior to using, disclosing, or permitting access to individually identifiable CPNI." She concluded that US West's petition for review was "little more than a run-of-the-mill attack on an agency order clothed by ingenious argument in the garb of First and Fifth Amendment issues" and said that the CPNI Order is an entirely reasonable interpretation of section 222 of the 1996 Telecommunications Act.

Robert Ellis Smith, publisher of the Privacy Journal, noted that the U.S. Supreme Court has "held unequivocally that a commercial entity that is not a news publication cannot claim to have full First Amendment protection for the information it includes in a credit report." The reason is that this "ledger" information is for a specialized business purpose, circulated within a narrowly confined community of users; it is not widely circulated public-interest material for which the amendment was intended.

The text of US West v. FCC (10th Cir., Aug. 18, 1999) is available at:

     http://www.kscourts.org/ca10/cases/1999/08/98-9518.htm

=======================================================================
[4] Advisory Group Urges Change in Crypto Policy
=======================================================================

A White House advisory subcommittee announced on August 25 that it has recommended that the Clinton Administration substantially revise its restrictive stance on the export of encryption products.

The President's Export Council Subcommittee on Encryption (PECSENC) was formed earlier this year to provide guidance in the U.S. Government's development of encryption policy, which has been the subject of heated debate. The government has insisted for years that liberalizing encryption export could cause serious national security problems by giving terrorists and criminals access to the technology.
Critics of the Administration's policy had expected to find little support in the subcommittee's recommendations. William Crowell, the subcommittee's chairman, previously served as Deputy Director for the National Security Agency. Several committee members also had ties to law enforcement or other government agencies.

Despite these ties, however, the subcommittee cited a need for the U.S. government to "recognize market realities" and reverse its course on encryption policy. Among its recommendations:

- License-Free Zones: Recognizing that the European Union is planning to drop all cryptographic export rules between member countries, the U.S. should likewise identify a list of countries which do not pose any major terrorist threat, and allow encryption export (hardware and software products) without a license.

- On-Line Merchants: On-line merchants based in other countries should be added to the list of businesses permitted to have encryption products exported to them from the United States. Banks and a limited number of other financial institutions currently enjoy this license exception.

- Mass-market hardware and software: Mass-market products which utilize up to 128-bit key length triple DES should enjoy a license exception. "The U.S. government should recognize the difficulty of controlling mass-market products once they are allowed to be exported to even limited sectors".

The subcommittee also suggests eliminating cumbersome reporting requirements for manufacturers of encryption products, as well as removal of source code, cryptographic Application Programming Interfaces and devices such as encrypting routers from the list of restricted technologies.

PECSENC Chair William Crowell has said that the Administration will make further changes to its encryption export policy based on the recommendations sometime in September.
=======================================================================
[5] Appellate Brief Challenges Internet Censorship Law
=======================================================================

A coalition of cyber-rights groups and Web publishers filed an appellate brief on August 27 supporting a lower court decision enjoining enforcement of the Child Online Protection Act (COPA). The case against COPA -- brought by EPIC, the ACLU and other organizations -- is now pending before the U.S. Court of Appeals for the Third Circuit.

The Justice Department initiated the appeals court proceeding in April. The government's appeal challenges the finding of Judge Lowell A. Reed, Jr. that the new Internet censorship law would restrict free speech in the "marketplace of ideas." Judge Reed's February 1 ruling enjoins enforcement of COPA, the statutory successor to the Communications Decency Act (CDA), which the Supreme Court struck down in June 1997.

The legal challenge to COPA was filed on behalf of 17 organizations publishing information on the World Wide Web. In granting a preliminary injunction against COPA, the lower court held that the plaintiffs are likely to succeed on their claim that the law "imposes a burden on speech that is protected for adults." The ruling came after a six-day hearing which featured testimony from website operators who provide free information about fine art, news, gay and lesbian issues and sexual health for women and the disabled, and who all fear that COPA would force them to shut down their websites.

In his 49-page opinion, Judge Reed listed 68 separate "findings of fact" to support his decision. The judge considered evidence that COPA imposed technological and economic burdens on speakers, but concluded that ultimately the relevant inquiry is the "burden imposed on the protected speech, not the pressure placed on the pocketbooks or bottom lines of the plaintiffs."
The full text of Judge Reed's decision, and complete information on the legal challenge, is available at:

     http://www.epic.org/free_speech/copa/

=======================================================================
[6] New Amazon.com Feature Raises Privacy Concerns
=======================================================================

On August 20, Amazon.com initiated a new feature on its website -- "purchase circles" -- that lists best sellers organized by geographic area, companies, or universities. The firm compiled the lists using aggregate data that it had collected and subsequently displayed without the permission or knowledge of its customers.

While Amazon.com intended "purchase circles" to be a fun and innovative feature, many Amazon customers were surprised and upset to see that their buying habits were being collected. Even though none of the displayed information was individually identifiable, the public reaction to "purchase circles" demonstrates that consumers are concerned when information is used without their consent. Furthermore, the incident highlights the absence of any legal protections that individuals may have in preventing information from being collected or disclosed.

Despite privacy criticisms, Amazon.com initially defended "purchase circles" and deflected the complaints as an unavoidable result of implementing an inventive feature. However, by August 27, Amazon's director of product development responded to the public concern and announced that "privacy is of utmost importance to our customers and to us." Amazon.com now allows customers to opt-out from having their buying information included in future "purchase circles."

=======================================================================
[7] EPIC Bookstore - The Tin Drum
=======================================================================

The featured item in the EPIC Bookstore this week is the video of the widely acclaimed Gunter Grass novel "The Tin Drum."
The movie depicts the rise and fall of the Third Reich and won the 1979 Oscar for best foreign film. It also contains scenes of a sexual nature involving children. In 1997, police in Oklahoma City, acting without a search warrant or court order, seized the video from local video stores. On October 20, 1998, a federal judge in Oklahoma City ruled that the film does not violate the state's child pornography laws.

Last week an Oklahoma man won a $2,500 judgment when a jury found that police violated his civil rights by obtaining his name from a video shop where he rented the movie. Michael Camfield was confronted by police at his home in 1997 and asked to return the copy of the film. The jury found that the police violated the Video Privacy Protection Act by getting his name from the shop.

Celebrate freedom of speech, the right of privacy, and intellectual freedom. Purchase the movie today from the EPIC Bookstore.

EPIC Bookstore - The Tin Drum (VHS)

     http://www.amazon.com/exec/obidos/ASIN/6304239297/electronicprivacA

EPIC Bookstore - Featured videos

     http://www.epic.org/bookstore/films.html

EPIC Bookstore

     http://www.epic.org/bookstore

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

The 21st International Conference on Privacy and Personal Data Protection. Hong Kong, September 13-14, 1999. A distinguished group of over 50 speakers/panelists from overseas and Hong Kong will explore the theme of "Privacy of Personal Data, Information Technology & Global Business in the Next Millennium." Sponsored by the Office of the Privacy Commissioner for Personal Data in Hong Kong. Contact: icc@asiaonline.net

"A Privacy Agenda for the 21st Century." September 15, 1999. Hong Kong Convention and Exhibition Centre, Hong Kong PRC. Contact: rotenberg@epic.org

"Certified Wide Area Road Use Monitoring." September 21-23, 1999. Albuquerque, New Mexico.
Sponsored by the New Mexico State Highway and Transportation Department Research Bureau in cooperation with the University of New Mexico Alliance for Transportation Research Institute. An intensive 2 1/2 day educational and developmental symposium on a single rapidly evolving concept in Intelligent Transportation Systems (ITS). For more information: http://www.unm.edu/~nmtrans/CWARUM-1.html

Final Call for Papers - Fourth Annual Conference on Financial Cryptography '00. Submissions due by September 24, 1999. For more information: http://www.fc00.cs.uwm.edu/esub.html

Information Security Solutions Europe 1999. October 4-6, 1999. Maritim proArte Hotel, Berlin, Germany. For more information: http://www.eema.org/isse/

The Public Voice in Electronic Commerce. October 11, 1999. Organization for Economic Co-operation and Development. Paris, France. Contact: rotenberg@epic.org

The Internet Security Conference (TISC). October 11-15, 1999. Boston World Trade Center. Boston, MA. For more information: http://tisc.corecom.com

Integrating Government with New Technologies '99 Policy vs Technology: Service Integration in the New Environments - A two-day Seminar and Training Session. December 13-14, 1999. Government Conference Center. Ottawa, Canada. For more information: http://www.rileyis.com/seminars

RSA 2000. The ninth annual RSA Data Security Conference and Expo. January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA. For more information: http://www.rsa.com/rsa2000/

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".
Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 6.13 -----------------------