EPIC logo
       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 6.16                                   October 12, 1999
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] EPIC Sues Trade Commission For Privacy Complaints
[2] New Internet Protocol Could Threaten Online Anonymity
[3] Congress Enacts Drivers' Privacy Protections
[4] Appeals Court to Review Bernstein Crypto Decision
[5] FCC Issues New Rule on Phone Customer Data Privacy
[6] Survey Ranks States on Privacy Protection
[7] EPIC Bookstore - The End of Privacy
[8] Upcoming Conferences and Events
[1] EPIC Sues Trade Commission For Privacy Complaints
The Electronic Privacy Information Center (EPIC) filed suit today in
federal district court in Washington seeking the disclosure of records
about privacy complaints received by the Federal Trade Commission.  It
is EPIC's contention that the FTC has failed to take action on
the many privacy complaints that the agency has received from
EPIC Director Marc Rotenberg said, "In order to evaluate the effective-
ness of the current privacy system in the United States, it is critical
to look at how the FTC responds to complaints from the public.  If the
FTC has no effective means to handle these complaints or to respond to
public concerns, then more aggressive steps should be taken."
EPIC filed the initial information request on June 10, 1999.  In a
letter to the Commission , EPIC requested "copies of all records
concerning the FTC's investigation of privacy complaints."  The request
included letters, electronic mail, web submissions, fax transmissions,
and formal complaints.  EPIC told the Commission it was interested in
"records regarding alleged privacy violations by a specific company or
organization and requests for general assistance in a privacy matter,
whether or not a specific company or organization is indicated."
At a Senate hearing in July, Mr. Rotenberg criticized a report from the
FTC on Internet privacy, saying that it failed to provide any actual
information about consumer privacy complaints or the effectiveness of
industry programs to protect privacy.  He noted that EPIC had filed a
Freedom of Information Act (FOIA) request regarding the handling of
complaints and said that information would be provided to the Senate
Committee once a response from the FTC was received.
Today's lawsuit was filed under the FOIA, which requires federal
agencies to comply with requests for disclosure of records within
twenty working days.  A provision in the Act allows agencies to
withhold information about specific individuals if it is necessary to
protect their privacy.
The text of EPIC's lawsuit is available at:
The text of EPIC's Congressional testimony on Consumer Privacy and the
FTC Report is available at:
[2] New Internet Protocol Could Threaten Online Anonymity
A new protocol being developed by the Internet Engineering Task Force
(IETF) has raised privacy concerns.  Internet Protocol Version 6 (IPv6)
is the "next generation" protocol designed by the IETF to replace the
current version Internet Protocol (IPv4), which is now nearly twenty
years old.  IPv6 is intended to fix a number of problems in IPv4, such
as the limited number of available IPv4 addresses.  It would also add
improvements in areas such as routing and network autoconfiguration.
The new addressing structure, however, may mean that every packet can
be traced back to each user's unique network interface card ID.
Whereas IPv4 has a 32-bit address field, IPv6 has 128 bits of address
space.  The IETF has designated 64 bits of the new space to contain
EUI-64 format information, which is used to assign Ethernet addresses.
That information, which is generally not transmitted outside a user's
local area network, forms the basis of the privacy concerns raised by
some observers of the IETF process.
The EUI-64 information identifies the registered manufacturer of a NIC
card and a user's 48-bit Ethernet address.  This has led some critics
to claim that every packet a user sends out onto the Internet using
IPv6 will have the user's "fingerprints" on it.  Unlike IP addresses
under IPv4, which can be changed, IPv6 addresses will be permanently
embedded in hardware.  In that respect, IPv6 raises many of the same
issues that surrounded the launch of the Intel Pentium III, which
contains a "Processor Serial Number" (PSN) that is capable of uniquely
identifying the user of a particular computer.  Both IPv6 and the PSN
present potential challenges to online anonymity, which is a
fundamental guarantee of both privacy and free expression on the
Additional information on IPv6 is available at:
Additional information on the Intel Pentium III PSN is available at:
[3] Congress Enacts Drivers' Privacy Protections
H.R. 2084, the Department of Transportation and Related Agencies
Appropriations Act for FY2000, contains two key privacy protections for
automobile drivers.  The first prevents what could have resulted in the
establishment of a national ID system; the second creates new
protections for drivers' license information.  The bill has been
approved by Congress and is expected to be signed by the President.
The first key provision in the bill repeals Section 656(b) of the
Illegal Immigration Reform and Immigrant Responsibility Act of 1996,
which required Social Security numbers to be displayed electronically
or through other means on all drivers' licenses.  While the statute was
intended to prevent illegal immigrants (who do not legally possess
Social Security numbers) from using false drivers' licenses as
identification, including Social Security numbers on all licenses could
undermine privacy and actually increase fraud.  Even considering the
substantial risks of including SSNs on drivers' licenses, the National
Highway Traffic Safety Administration (NHTSA) chose to expand on 656(b)
by mandating national format standards for drivers' licenses -- in
effect, creating a national ID system.  The new legislation is intended
to prevent such a result.
The second provision in the bill places new restrictions on the ability
of state motor vehicle administrations to sell drivers' license
information.  In a significant advance for privacy, state DMVs, before
receiving any of the federal funds provided in the bill, would have to
receive the explicit permission from a driver to distribute or sell any
of his or her information.  The information includes drivers' license
photographs, Social Security numbers, and medical or disability
Congress' new approach to protecting drivers' license information
presents an alternative to the Drivers Privacy Protection Act (DPPA),
which will be reviewed in an upcoming Supreme Court case, Reno v.
Condon (see EPIC Alert 6.11).  Unlike the DPPA -- which prohibits the
release of all information contained in drivers' records -- H.R. 2084
merely prohibits any federal transportation funding for states that
release personal data without prior consent.
More information about the risks of widespread use of Social Security
numbers, is available at:
EPIC's response to NHTSA's expansion of 656(b) can be found at:
[4] Appeals Court to Review Bernstein Crypto Decision
The U.S. Court of Appeals for the Ninth Circuit has granted the Justice
Department's motion for rehearing in the closely watched encryption
case Bernstein v. DOJ.  The case will be re-argued before an 11-judge
"en banc" panel of the court on December 16 in San Francisco.  On June
21, the Department filed its petition, seeking to overturn the recent
opinion of a Ninth Circuit panel holding that encryption source code is
scientific expression protected by the First Amendment.
The federal appeals court ruled on May 6 that federal regulations that
prohibit the dissemination of encryption source code violate the First
Amendment.  The court found that the regulations are an
unconstitutional prior restraint on speech because they "grant
boundless discretion to government officials" and have "effectively
chilled [cryptographers] from engaging in valuable scientific
expression."  The case was initiated by researcher Daniel Bernstein,
who sought government permission to export source code he had written.
EPIC was both co-counsel and coordinator of a "friend-of-the-court"
(amicus) brief in the case, arguing against the government controls on
privacy-enhancing technology.  Civil liberties and privacy
organizations have consistently opposed restrictions on the
dissemination of encryption technology, and welcomed the Bernstein
decision as a major breakthrough.  The opinion was notable for its
recognition of the threats to privacy that citizens face today and the
role of encryption in protecting information.
In seeking the Ninth Circuit's reconsideration of the case, the Justice
Department argued that the May 6 decision
     rests on fundamental errors regarding First Amendment
     and severability law.  As a result of those errors,
     the panel has placed the entire encryption export
     regime in jeopardy.  The potential consequences of
     repudiating the President's decisions regarding
     encryption export controls are grave and far-reaching.
     Before the views of the panel majority become the law
     of this Circuit, and unrestricted export of encryption
     products receives this Court's imprimatur, further
     review is imperative.
The Clinton Administration has announced that it will release revised
regulations on encryption exports by December 15 -- one day before the
scheduled re-argument in the Bernstein case (see EPIC Alert 6.15).  It
is unclear what effect those revisions might have on the Bernstein
Information on encryption export controls, including the text of the
Bernstein decision and the EPIC amicus brief, is available at the EPIC
Cryptography Archive:
[5] FCC Issues New Rule on Phone Customer Data Privacy
The Federal Communications Commission has issued a new rule on
"customer proprietary network information," or CPNI.  The 1996
Telecommunications Act defines CPNI to include such personal data as
when, where and for how long telephone calls are placed. Section 222 of
the Act prohibits telephone companies from accessing this information
(except for reasons such as billing or to detect fraud) or disclosing
this data to third parties, without customer approval.
The new rule, issued on October 1, exempts personal information
collected from the sale of telephone equipment and "information
services" from CPNI restrictions.  This would allow telephone companies
to use and distribute records collected from the sale of telephones,
answering machines and telephone wiring and directory assistance calls.
 The new rule would also permit telephone companies to separate their
solicitation of customer approval from notice of customer rights under
section 222.  This provision would allow companies to send
solicitations for approval months after a customer has received an
explanation of the significance of approving access to CPNI.  Further,
the FCC has changed the previous rules governing how telephone
companies could prove that approval had been granted.  Currently,
customers are protected by an electronic flagging system.  The new rule
would only require that telephone companies' records clearly establish
that customer approval had been granted.
The FCC's previous CPNI rule is being litigated.  On August 18, the
Tenth Circuit Court of Appeals ruled that regulations developed by the
FCC to implement the privacy provisions of the 1996 Telecommunications
Act violate the First Amendment rights of telephone companies to
disclose the detailed calling records of their customers (see EPIC
Alert 6.13).  The FCC has filed a petition for reconsideration of that
The text of the new FCC rule on CPNI is available at:
[6] Survey Ranks States on Privacy Protection
A new survey conducted by the Privacy Journal ranks California and
Minnesota as the strongest states in protecting personal privacy.  The
top ten states, according to the survey, are (in alphabetical order)
California, Connecticut, Florida, Hawaii, Illinois, Massachusetts,
Minnesota, New York, Rhode Island, and Wisconsin.
California was ranked first, despite losing points for its demands for
fingerprints and Social Security numbers to get a driver's license.
Its courts and its constitution provide the strongest privacy
protection in the nation, according to the publication, and it has
probably the strongest collection of laws protecting personal
Minnesota's state government and legislature have strong records on
protecting privacy, Privacy Journal noted, even though its news
organizations have regarded privacy protections as restrictions on the
release of government documents and have traditionally resisted them.
The state has the most sophisticated enforcement scheme for monitoring
state and local agencies' compliance with a state law permitting
citizens to inspect and correct records about themselves.
The rankings place the states in four tiers, based on their laws, court
decisions, and administrative actions.  Privacy Journal rates the
states on several factors, including whether they protect privacy in
their constitutions; have laws protecting financial, medical, library,
and government files; and have fair credit reporting laws stronger than
the federal law.
"If the federal government had been ranked like a state it would have
placed in the third tier -- but barely," according to Privacy Journal
Publisher Robert Ellis Smith.  Federal laws do not protect medical
records nor provide access to them, they do not protect library records
at all, and federal laws have only partial protection for financial
records.  On the other hand, federal protection for personal
information in government files exceeds the protections in nearly all
states.  "But, if we had included anti-privacy actions by Congress in
1996, the federal government would have ended up with a negative
score," Smith said.
Privacy Journal judged four states "not on the radar screen" because of
their inadequate privacy protections. They are Idaho, Missouri, South
Carolina, and Texas. "Citizens in these states are very vulnerable,"
Smith said. "We could find no protections at all in Texas," he said.
The full listing of the 50 states, along with the criteria for rating
the states, is available at the Privacy Journal's web site:
[7] EPIC Bookstore - The End of Privacy
"The End of Privacy," by Charles J. Sykes
As Justice Louis Brandeis suggested more than a century ago, privacy
-- the right to be let alone -- is the most valued, if not the most
celebrated, right enjoyed by Americans.  But in the face of computer,
video, and audio technology, aggressive and sophisticated marketing
databases, state and federal "wars" against crime and terrorism, new
laws governing personal behavior, and an increasingly-intrusive media,
all of us find our personal space and freedom under attack.
In The End of Privacy, Charles Sykes traces the roots of privacy in our
nation's founding and Constitution, and reveals its inexorable erosion
in our time.  From our homes and offices to the Presidency, Sykes
defines what we have lost, citing example after example of citizens who
have had their conversations monitored, movements surveilled, medical
and financial records accessed, sexual preferences revealed, homes
invaded, possessions confiscated, and even lives threatened - all in
the name of some alleged higher social or governmental good.  Sykes
concludes by suggesting steps by which we might begin to recover the
territory we've lost: our fundamental right to our own lives.
Additional titles -- including EPIC publications -- on privacy, open
government, free expression, computer security, and crypto, as well as
films and DVDs can be ordered through the EPIC Bookstore:
[8] Upcoming Conferences and Events
The Internet Security Conference (TISC). October 11-15, 1999. Boston
World Trade Center. Boston, MA. For more information:
Virtual Money, Privacy, and the Internet. October 20, 1999. The
Independent Institute Conference Center. Oakland, CA. For more
information: http://www.independent.org/tii/forums/CurrentIPF.html
Public Workshop on "Online Profiling" -- November 8, 1999. National
Telecommunications and Information Administration, Commerce and Federal
Trade Commission. Submissions and requests to participate due October
18, 1999. For more information:
Consumer Privacy in the Next Decade: New Trends, Forces and Directions
and The All New Practitioner's Privacy Policy Workshop. Privacy &
American Business' Sixth Annual National Conference. November 8-10,
1999. Hyatt Regency Hotel. Arlington, VA. For more information:
The 1999 BNA Public Policy Forum: E-Commerce and Internet Regulation.
November 15, 1999. Mayflower Hotel. Washington, D.C. For more
information: http://internetconference.pf.com/
Annual Computer Security Applications Conference: Practical Solutions
to Real Security Problems. December 6-10, 1999. Radisson Resort
Scottsdale. Phoenix, Arizona. For more information:
Integrating Government with New Technologies '99 Policy vs Technology:
Service Integration in the New Environments - A two-day Seminar and
Training Session. December 13-14, 1999. Government Conference Center.
Ottawa, Canada. For more information: http://www.rileyis.com/seminars
Surveillance Expo '99. December 13-15, 1999. Doubletree Hotel. Crystal
City, Virginia. For more information: http://www.rosseng.com
PEN/Newman's Own Eighth Annual First Amendment Award. Nominations due
December 31, 1999. For more information: http://www.pen.org
RSA 2000. The ninth annual RSA Data Security Conference and Expo.
January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA.
For more information: http://www.rsa.com/rsa2000/
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. A Web-based form is available for
subscribing or unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to focus
public attention on emerging privacy issues such as the Clipper Chip,
the Digital Telephony proposal, national ID cards, medical record
privacy, and the collection and sale of personal information. EPIC is
sponsored by the Fund for Constitutional Government, a non-profit
organization established in 1974 to protect civil liberties and
constitutional rights.  EPIC publishes the EPIC Alert, pursues Freedom
of Information Act litigation, and conducts policy research. For more
information, e-mail info@epic.org, http://www.epic.org or write EPIC,
666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544
9240 (tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 6.16 -----------------------
Return to:

Alert Home Page | EPIC Home Page