EPIC logo
       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
    Volume 6.15                                  September 23, 1999
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] Impact of New Encryption Policy Remains Unclear
[2] Privacy Agenda for the 21st Century Announced
[3] Report Slams Privacy Policies; Poll Finds Privacy is Top Concern
[4] Internet Filtering Debate Resumes in Congress
[5] "Public Voice in Electronic Commerce" Conference
[6] Provision Repealing National Driver's Licenses In Final Stages
[7] EPIC Bookstore -  The Code Book and More
[8] Upcoming Conferences and Events
   NOTE TO SUBSCRIBERS: A listserv problem has resulted in duplicate
   copies of recent Alerts being sent to some recipients.  We are
   aware of the problem and apologize for any inconvenience.  Your
   patience is appreciated as we continue to diagnose the listserv.
[1] Impact of New Encryption Policy Remains Unclear
On September 16, the Clinton Administration unveiled a new encryption
policy initiative.  The White House's revised approach seems to
recognize the futility of seeking to prevent the spread of privacy-
enhancing technologies, and shifts the emphasis to monitoring the
exports of encryption products and developing "new tools" to counter
their use.  It remains unclear whether the revised policy will
actually enhance the privacy of most computer users.
On the export control front, the Administration will draft new
encryption export regulations that will "strike a balance" between the
needs of industry and law enforcement.  According to the White House,
the new rules -- due to be released by December 15 -- will constitute
a significant liberalization of the export process.  Any "retail"
encryption commodity or software reportedly will be exportable without
a license (after a "technical review") to commercial firms and other
nongovernment end users in any country except for seven states
designated as supporters of terrorism.  The standards governing the
required technical review have not yet been announced.  The
Administration's policy on export of encryption source code apparently
has not changed, so that academic exchanges such as those at issue in
the pending Bernstein v. Department of Justice litigation (see EPIC
Alert 6.07) would still be subject to government approval prior to
Coupled with the export revisions is new legislation that would
provide a legal framework for law enforcement access to decryption
keys; provide $80 million in funding for an FBI Technical Support
Center; and protect the confidentiality of decryption techniques
developed cooperatively by government and industry.  Under the latter
provision, law enforcement agents presenting "plaintext" evidence
would be exempted from routine requirements of criminal procedure that
permit a defendant to explore the means by which evidence was
obtained.  The proposal would also prohibit the government from
disclosing "trade secrets disclosed to it [presumably by encryption
manufacturers] to assist it in obtaining access to information
protected by encryption."  The legislative vehicle for these
initiatives -- the Cyberspace Electronic Security Act -- will soon be
transmitted to Congress.  It does not include a highly controversial
provision contained in an earlier White House draft that would have
authorized secret police break-ins to alter computer equipment.
EPIC believes that more details of the new encryption policy must be
released before its impact on user privacy can be fully assessed. EPIC
will closely monitor the process of implementing the newly- announced
initiative, particularly the promulgation of the revised export
control regulations and the development of special sensitive
techniques to be used to extract plaintext from encryption products
and services.
The details of the White House announcement, including the text of the
Cyberspace Electronic Security Act and other documents released by the
Administration, are available at:
[2] Privacy Agenda for the 21st Century Announced
Supporters of privacy from around the world recently gathered in Hong
Kong for the 1999 Privacy Agenda Conference.  At the conference,
representatives from an international group of non-governmental
organizations issued a declaration supporting strong privacy
protections and continued vigilance against privacy abuses.
The meeting of NGOs from around the world took place as data
protection commissioners were meeting to review new threats to privacy
and new opportunities for privacy protection.  Earlier in the week,
Consumer International President Pamela Chan said that governments
should conduct research on the potential for abuse in the way Internet
transactions are carried out.  She also urged the adoption of new
safeguards to protect the privacy of individuals.
Privacy International Director Simon Davies said, "We plan to go
forward with an aggressive campaign to protect the right of privacy
and to stand against all who would undermine this critical freedom."
Marc Rotenberg, director of the Electronic Privacy Information Center,
said that national government must continue to listen to the "public
voice" as they go forward with policies for the Internet. "Privacy and
the protection of consumer interests remain a central concern for the
Internet economy."
Participants in the Privacy Agenda conference included representatives
from Australia, Canada, Denmark, Italy, Hong Kong SAR, Japan,
Malaysia, the Netherlands, New Zealand, Thailand, the United Kingdom,
and the United States.
     "A Privacy Agenda for the 21st Century"
     1999 Privacy Agenda Conference
     EPIC and PI, "Privacy & Human Rights: An International Survey of
     Privacy Laws and Developments"
[3] Report Slams Privacy Policies; Poll Finds Privacy is Top Concern
According to a recent article in E-Commerce Times, a new report by
Forrester Research, Inc., finds that 90 percent of Web sites fail to
comply with basic privacy principles.  The report strongly contradicts
the findings of the Federal Trade Commission, which recently told
Congress that industry self-policing is working.  "The vast majority
of such policies, like those of the Gap, Macy's and JC Penney, use
vague terms and legalese that serve to protect companies and not
The report also notes that "clever interactive tools such as
Reel.com's Mood Matcher -- which helps customers find movies based on
their moods -- and PlanetRx's personalized prescription filler make it
possible for companies to collect "highly intrusive psychographic data
that individuals would rarely provide on a standard registration
The report suggests that the FTC, rather than producing reassuring
messages to the industry, should push companies to take bigger and
faster strides towards complying with already established privacy
principles.  Forrester also suggests that companies should be required
to make customer profiles available to users, including all parties
with whom data is shared, and provide the ability for customers to
control who the information is shared with and the option to remove
themselves from lists.  Finally, the report says that "because
independent privacy groups like TRUSTe and BBBOnline earn their money
from e-commerce organizations, they become more of a privacy advocate
for the industry -- rather than for consumers.  The FTC should call
for a consumer-based organization to provide principles and redress."
Meanwhile, a Wall Street Journal/NBC News polls finds that the loss of
personal privacy is the Number One concern of Americans as the
twenty-first century approaches.  When asked what concerns them the
most about the next century, twenty-nine percent of respondents
answered the "loss of personal privacy."  Overpopulation and terrorist
acts on U.S. soil followed at twenty-three percent, racial tensions at
seventeen percent, world war at sixteen percent, and global warming at
fourteen percent.
The Wall Street Journal/NBC News poll was based on nationwide
telephone interviews of 2,025 adults, by the polling organizations of
Peter Hart and Robert Teeter.
     "Report Labels Internet Privacy Policies 'A Joke'"
     Forrester Research Inc. http://www.forrester.com/
     Wall Street Journal http://www.wsj.com
[4] Internet Filtering Debate Resumes in Congress
Congress' move towards mandatory Internet filtering for schools and
libraries is likely to resume next week, as Senate and House conferees
on juvenile justice legislation are expected to consider the issue.
The House-approved version of the legislation would mandate that
public schools and libraries receiving "E-Rate" universal service
funds purchase and use Internet filtering software to regulate access
by minors. The Senate did not include such a provision in its version
of the massive juvenile justice bill and the conferees must decide
whether to retain the mandate in the final, consensus measure.
Although not included in the Senate's juvenile justice package, the
issue has been addressed by the Senate Commerce Committee.  On June
23, the committee approved Sen. John McCain's (R-AZ) Children's
Internet Protection Act (S.97).  That action came over the objections
of leading education, library and civil liberties groups, which argued
that the legislation would impose a costly unfunded requirement and
ignore a variety of alternative approaches being taken in localities
around the country.
The juvenile justice conferees will consider language included in the
House bill that would require schools and libraries to certify that
they have selected and installed "a technology for computers with
Internet access to filter or block . . . materials deemed to be
harmful to minors."  It further provides that "the determination of
what material is to be deemed harmful to minors shall be made by the
school, school board, library or other [local] authority," and not the
federal government.  While the latter provision was included to
counter concerns over the creation of a national standard for Internet
content, it amounts to a federal mandate requiring local censorship
decisions.  Such local actions have already been challenged in the
courts, including a case in which the Loudoun County, Virginia
libraries were ordered to remove filtering software from their
computers (see EPIC Alert 5.18).
More information on mandatory Internet filtering is available at the
website of the Internet Free Expression Alliance:
[5] "Public Voice in Electronic Commerce" Conference
The 3rd Trade-Union/NGO Public Voice conference, "The Public Voice in
Electronic Commerce," will be held at the Organization for Economic
Cooperation and Development (OECD) in Paris, on October 11th, 1999.
The conference seeks to inject the concerns of consumers and
individuals into the ongoing development of international e-commerce
The conference program includes four panels, on the following topics:
     1. Protecting consumer rights in electronic commerce
     2. Privacy and personal data protection
     3. Access as the key for development
     4. Internet, the Future of Work, and Quality of Life
Two Global Internet Liberty Campaign (GILC) member organizations,
Imaginons un R#233#seau Internet Solidaire (IRIS) and the Electronic
Privacy Information Center (EPIC) are organizing the 3rd Public Voice
conference, in conjunction with the OECD Forum on Electronic Commerce
(October 12-13, 1999).
"The Public Voice in Electronic Commerce" will be hosted by TUAC
(Trade-Union Advisory Committee) and is sponsored by the Global
Internet Liberty Campaign, with the help of TACD (Transatlantic
Consumer Dialogue).
For more detailed information about the program and registration,
please see:
     http://www.thepublicvoice.org or
[6] Provision Repealing National Driver's Licenses In Final Stages
The pending Transportation Appropriations bill contains an amendment
that could repeal a federal law requiring National Driver's Licenses.
National Driver's Licenses, so-called because of a requirement to
include a Social Security number (SSN) on all state-issued driver's
licenses, were initially introduced by Section 656(b) of the Illegal
Immigration Reform and Immigrant Responsibility Act of 1996.  Intended
to weed out illegal immigrants -- who do not possess SSNs -- from
using false driver's licenses as identification, the inclusion of SSNs
on all driver's licenses could undermine privacy and increase fraud.
Social Security numbers, once actually used simply for distribution of
social security benefits, have become a widespread, unalterable
personal identifier.  While someone may change their name, address, or
job, it is impossible to get a new SSN.  For decades, the numbers have
been used by the government to keep track of citizens and their
information.  In the private realm, SSNs are often used as passwords
and/or identification for credit information, school records, and
medical histories.
Any widespread dissemination of SSNs on a commonly displayed
identification such as a driver's license increases the risk of fraud
and invasion of privacy.  Privacy advocates have long argued that the
number's use should be restricted to situations where it is the only
suitable piece of identification. With respect to the identification
of illegal immigrants, there are no less than twenty-six other forms
of documentation that available to the Immigration and Naturalization
Service (INS).
For further comment on implementation of a national driver's license
please see:
[7] EPIC Bookstore - The Code Book and More
The Code Book : The Evolution of Secrecy from Mary, Queen of Scots to
Quantum Cryptography by Simon Singh
	"For millennia, secret writing was the domain of spies, diplomats,
	and generals; with the advent of the Internet, it has become the
	concern of the public and businesses. One cyber-libertarian
	responded with the freeware encryption program Pretty Good Privacy
	(PGP), and Singh similarly meets a sharpening public curiosity
	about how codes work.[. . .] Beginning with such simple ideas as
	monoalphabetic substitution, which can protect the communications
	of a boy's treehouse club but not much more, Singh underscores with
	stories how codemakers and codebreakers have battled each other
	throughout history. A tool called frequency analysis easily defeats
	the monoalphabetic cipher, and encryptors over time have added the
	Vigenere square, cipher disks, one-time pads, and public-key
	cryptography that underlies PGP. But each security strategy, Singh
	explains, contains some vulnerability that the clever code cracker
	can exploit, an opaque process the author splendidly illuminates.
	Instances of successful decipherment, as of Egyptian hieroglyphics
	or the German Enigma cipher system in World War II, combine with
	Singh's sketches of the mathematicians who have advanced the art of
	secrecy, from Julius Caesar to Alan Turing to contemporary
	mathematicians, resulting in a wonderfully understandable survey."
	 	-- Gilbert Taylor, Booklist
Also available from the EPIC Bookstore:
"The Privacy Law Sourcebook: United States Law, International Law, and
Recent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of US and International privacy law, as well
as a comprehensive listing of privacy resources.
"Filters and Freedom - Free Speech Perspectives on Internet Content
Controls," David Sobel, editor (EPIC 1999). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
"Cryptography and Liberty: An International Survey of Cryptography
Policy" Wayne Madsen and David Banisar, editors, (EPIC 1999). Price:
An international survey of encryption policies around the world.
Survey results show that in the vast majority of countries,
cryptography may be freely used, manufactured, and sold without
restriction, with the U.S. being a notable exception.
"Privacy and Human Rights 1999: An International Survey of Privacy
Laws and Developments" David Banisar, Simon Davies, editors, (EPIC
1999). Price: $15.
An international survey of the privacy and data protection laws found
in 50 countries around the globe. This report outlines the
constitutional and legal conditions of privacy protection, and
summarizes important issues and events relating to privacy and
Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore:
[8] Upcoming Conferences and Events
Information Security Solutions Europe 1999. October 4-6, 1999. Maritim
proArte Hotel. Berlin, Germany. For more information:
The Public Voice in Electronic Commerce. October 11, 1999.
Organization for Economic Co-operation and Development. Paris, France.
For more information: http://www.thepublicvoice.org
The Internet Security Conference (TISC). October 11-15, 1999. Boston
World Trade Center. Boston, MA. For more information:
Public Workshop on "Online Profiling" -- November 8, 1999. National
Telecommunications and Information Administration, Commerce and Federal
Trade Commission. Submissions and requests to participate due October
18, 1999. For more information:
The 1999 BNA Public Policy Forum: E-Commerce and Internet Regulation.
November 15, 1999. Mayflower Hotel. Washington, D.C. For more
information: http://internetconference.pf.com/
Annual Computer Security Applications Conference: Practical Solutions
to Real Security Problems. December 6-10, 1999. Radisson Resort
Scottsdale. Phoenix, Arizona. For more information:
Integrating Government with New Technologies '99 Policy vs Technology:
Service Integration in the New Environments - A two-day Seminar and
Training Session. December 13-14, 1999. Government Conference Center.
Ottawa, Canada. For more information: http://www.rileyis.com/seminars
Surveillance Expo '99. December 13-15, 1999. Doubletree Hotel. Crystal
City, Virginia. For more information: http://www.rosseng.com
PEN/Newman's Own Eighth Annual First Amendment Award. Nominations due
December 31, 1999. For more information: http://www.pen.org
RSA 2000. The ninth annual RSA Data Security Conference and Expo.
January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA.
For more information: http://www.rsa.com/rsa2000/
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. A Web-based form is available for
subscribing or unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to focus
public attention on emerging privacy issues such as the Clipper Chip,
the Digital Telephony proposal, national ID cards, medical record
privacy, and the collection and sale of personal information. EPIC is
sponsored by the Fund for Constitutional Government, a non-profit
organization established in 1974 to protect civil liberties and
constitutional rights.  EPIC publishes the EPIC Alert, pursues Freedom
of Information Act litigation, and conducts policy research. For more
information, e-mail info@epic.org, http://www.epic.org or write EPIC,
666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544
9240 (tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 6.15 -----------------------
Return to:

Alert Home Page | EPIC Home Page