==============================================================

                         EPIC Alert

==============================================================
Volume 6.16                                   October 12, 1999
--------------------------------------------------------------

                      Published by the
        Electronic Privacy Information Center (EPIC)
                      Washington, D.C.

                    http://www.epic.org

=======================================================================
Table of Contents
=======================================================================

[1] EPIC Sues Trade Commission For Privacy Complaints
[2] New Internet Protocol Could Threaten Online Anonymity
[3] Congress Enacts Drivers' Privacy Protections
[4] Appeals Court to Review Bernstein Crypto Decision
[5] FCC Issues New Rule on Phone Customer Data Privacy
[6] Survey Ranks States on Privacy Protection
[7] EPIC Bookstore - The End of Privacy
[8] Upcoming Conferences and Events

=======================================================================
[1] EPIC Sues Trade Commission For Privacy Complaints
=======================================================================

The Electronic Privacy Information Center (EPIC) filed suit today in federal district court in Washington seeking the disclosure of records about privacy complaints received by the Federal Trade Commission. It is EPIC's contention that the FTC has failed to take action on the many privacy complaints that the agency has received from consumers.

EPIC Director Marc Rotenberg said, "In order to evaluate the effectiveness of the current privacy system in the United States, it is critical to look at how the FTC responds to complaints from the public. If the FTC has no effective means to handle these complaints or to respond to public concerns, then more aggressive steps should be taken."

EPIC filed the initial information request on June 10, 1999.
In a letter to the Commission, EPIC requested "copies of all records concerning the FTC's investigation of privacy complaints." The request included letters, electronic mail, web submissions, fax transmissions, and formal complaints. EPIC told the Commission it was interested in "records regarding alleged privacy violations by a specific company or organization and requests for general assistance in a privacy matter, whether or not a specific company or organization is indicated."

At a Senate hearing in July, Mr. Rotenberg criticized a report from the FTC on Internet privacy, saying that it failed to provide any actual information about consumer privacy complaints or the effectiveness of industry programs to protect privacy. He noted that EPIC had filed a Freedom of Information Act (FOIA) request regarding the handling of complaints and said that information would be provided to the Senate Committee once a response from the FTC was received.

Today's lawsuit was filed under the FOIA, which requires federal agencies to comply with requests for disclosure of records within twenty working days. A provision in the Act allows agencies to withhold information about specific individuals if it is necessary to protect their privacy.

The text of EPIC's lawsuit is available at:

     http://www.epic.org/privacy/internet/ftc_foia_comp.pdf

The text of EPIC's Congressional testimony on Consumer Privacy and the FTC Report is available at:

     http://www.epic.org/privacy/internet/EPIC_testimony_799.pdf

=======================================================================
[2] New Internet Protocol Could Threaten Online Anonymity
=======================================================================

A new protocol being developed by the Internet Engineering Task Force (IETF) has raised privacy concerns. Internet Protocol Version 6 (IPv6) is the "next generation" protocol designed by the IETF to replace the current version Internet Protocol (IPv4), which is now nearly twenty years old.
IPv6 is intended to fix a number of problems in IPv4, such as the limited number of available IPv4 addresses. It would also add improvements in areas such as routing and network autoconfiguration. The new addressing structure, however, may mean that every packet can be traced back to each user's unique network interface card ID.

Whereas IPv4 has a 32-bit address field, IPv6 has 128 bits of address space. The IETF has designated 64 bits of the new space to contain EUI-64 format information, which is used to assign Ethernet addresses. That information, which is generally not transmitted outside a user's local area network, forms the basis of the privacy concerns raised by some observers of the IETF process.

The EUI-64 information identifies the registered manufacturer of a NIC card and a user's 48-bit Ethernet address. This has led some critics to claim that every packet a user sends out onto the Internet using IPv6 will have the user's "fingerprints" on it. Unlike IP addresses under IPv4, which can be changed, IPv6 addresses will be permanently embedded in hardware.

In that respect, IPv6 raises many of the same issues that surrounded the launch of the Intel Pentium III, which contains a "Processor Serial Number" (PSN) that is capable of uniquely identifying the user of a particular computer. Both IPv6 and the PSN present potential challenges to online anonymity, which is a fundamental guarantee of both privacy and free expression on the Internet.

Additional information on IPv6 is available at:

     http://www.ipv6.org/

Additional information on the Intel Pentium III PSN is available at:

     http://www.bigbrotherinside.org

=======================================================================
[3] Congress Enacts Drivers' Privacy Protections
=======================================================================

H.R. 2084, the Department of Transportation and Related Agencies Appropriations Act for FY2000, contains two key privacy protections for automobile drivers.
The first prevents what could have resulted in the establishment of a national ID system; the second creates new protections for drivers' license information. The bill has been approved by Congress and is expected to be signed by the President.

The first key provision in the bill repeals Section 656(b) of the Illegal Immigration Reform and Immigrant Responsibility Act of 1996, which required Social Security numbers to be displayed electronically or through other means on all drivers' licenses. While the statute was intended to prevent illegal immigrants (who do not legally possess Social Security numbers) from using false drivers' licenses as identification, including Social Security numbers on all licenses could undermine privacy and actually increase fraud. Even considering the substantial risks of including SSNs on drivers' licenses, the National Highway Traffic Safety Administration (NHTSA) chose to expand on 656(b) by mandating national format standards for drivers' licenses -- in effect, creating a national ID system. The new legislation is intended to prevent such a result.

The second provision in the bill places new restrictions on the ability of state motor vehicle administrations to sell drivers' license information. In a significant advance for privacy, state DMVs, before receiving any of the federal funds provided in the bill, would have to receive the explicit permission from a driver to distribute or sell any of his or her information. The information includes drivers' license photographs, Social Security numbers, and medical or disability information.

Congress' new approach to protecting drivers' license information presents an alternative to the Drivers Privacy Protection Act (DPPA), which will be reviewed in an upcoming Supreme Court case, Reno v. Condon (see EPIC Alert 6.11). Unlike the DPPA -- which prohibits the release of all information contained in drivers' records -- H.R.
2084 merely prohibits any federal transportation funding for states that release personal data without prior consent.

More information about the risks of widespread use of Social Security numbers is available at:

     http://www.epic.org/privacy/ssn/

EPIC's response to NHTSA's expansion of 656(b) can be found at:

     http://www.epic.org/privacy/id_cards/epic-dot-898.html

=======================================================================
[4] Appeals Court to Review Bernstein Crypto Decision
=======================================================================

The U.S. Court of Appeals for the Ninth Circuit has granted the Justice Department's motion for rehearing in the closely watched encryption case Bernstein v. DOJ. The case will be re-argued before an 11-judge "en banc" panel of the court on December 16 in San Francisco. On June 21, the Department filed its petition, seeking to overturn the recent opinion of a Ninth Circuit panel holding that encryption source code is scientific expression protected by the First Amendment.

The federal appeals court ruled on May 6 that federal regulations that prohibit the dissemination of encryption source code violate the First Amendment. The court found that the regulations are an unconstitutional prior restraint on speech because they "grant boundless discretion to government officials" and have "effectively chilled [cryptographers] from engaging in valuable scientific expression." The case was initiated by researcher Daniel Bernstein, who sought government permission to export source code he had written.

EPIC was both co-counsel and coordinator of a "friend-of-the-court" (amicus) brief in the case, arguing against the government controls on privacy-enhancing technology. Civil liberties and privacy organizations have consistently opposed restrictions on the dissemination of encryption technology, and welcomed the Bernstein decision as a major breakthrough.
The opinion was notable for its recognition of the threats to privacy that citizens face today and the role of encryption in protecting information.

In seeking the Ninth Circuit's reconsideration of the case, the Justice Department argued that the May 6 decision

     rests on fundamental errors regarding First Amendment and severability law. As a result of those errors, the panel has placed the entire encryption export regime in jeopardy. The potential consequences of repudiating the President's decisions regarding encryption export controls are grave and far-reaching. Before the views of the panel majority become the law of this Circuit, and unrestricted export of encryption products receives this Court's imprimatur, further review is imperative.

The Clinton Administration has announced that it will release revised regulations on encryption exports by December 15 -- one day before the scheduled re-argument in the Bernstein case (see EPIC Alert 6.15). It is unclear what effect those revisions might have on the Bernstein litigation.

Information on encryption export controls, including the text of the Bernstein decision and the EPIC amicus brief, is available at the EPIC Cryptography Archive:

     http://www.epic.org/crypto/

=======================================================================
[5] FCC Issues New Rule on Phone Customer Data Privacy
=======================================================================

The Federal Communications Commission has issued a new rule on "customer proprietary network information," or CPNI. The 1996 Telecommunications Act defines CPNI to include such personal data as when, where and for how long telephone calls are placed. Section 222 of the Act prohibits telephone companies from accessing this information (except for reasons such as billing or to detect fraud) or disclosing this data to third parties, without customer approval.
The new rule, issued on October 1, exempts personal information collected from the sale of telephone equipment and "information services" from CPNI restrictions. This would allow telephone companies to use and distribute records collected from the sale of telephones, answering machines and telephone wiring and directory assistance calls.

The new rule would also permit telephone companies to separate their solicitation of customer approval from notice of customer rights under section 222. This provision would allow companies to send solicitations for approval months after a customer has received an explanation of the significance of approving access to CPNI.

Further, the FCC has changed the previous rules governing how telephone companies could prove that approval had been granted. Currently, customers are protected by an electronic flagging system. The new rule would only require that telephone companies' records clearly establish that customer approval had been granted.

The FCC's previous CPNI rule is being litigated. On August 18, the Tenth Circuit Court of Appeals ruled that regulations developed by the FCC to implement the privacy provisions of the 1996 Telecommunications Act violate the First Amendment rights of telephone companies to disclose the detailed calling records of their customers (see EPIC Alert 6.13). The FCC has filed a petition for reconsideration of that decision.

The text of the new FCC rule on CPNI is available at:

     http://www.epic.org/privacy/consumer/fcc_cpni.pdf

=======================================================================
[6] Survey Ranks States on Privacy Protection
=======================================================================

A new survey conducted by the Privacy Journal ranks California and Minnesota as the strongest states in protecting personal privacy.
The top ten states, according to the survey, are (in alphabetical order) California, Connecticut, Florida, Hawaii, Illinois, Massachusetts, Minnesota, New York, Rhode Island, and Wisconsin.

California was ranked first, despite losing points for its demands for fingerprints and Social Security numbers to get a driver's license. Its courts and its constitution provide the strongest privacy protection in the nation, according to the publication, and it has probably the strongest collection of laws protecting personal information.

Minnesota's state government and legislature have strong records on protecting privacy, Privacy Journal noted, even though its news organizations have regarded privacy protections as restrictions on the release of government documents and have traditionally resisted them. The state has the most sophisticated enforcement scheme for monitoring state and local agencies' compliance with a state law permitting citizens to inspect and correct records about themselves.

The rankings place the states in four tiers, based on their laws, court decisions, and administrative actions. Privacy Journal rates the states on several factors, including whether they protect privacy in their constitutions; have laws protecting financial, medical, library, and government files; and have fair credit reporting laws stronger than the federal law.

"If the federal government had been ranked like a state it would have placed in the third tier -- but barely," according to Privacy Journal Publisher Robert Ellis Smith. Federal laws do not protect medical records nor provide access to them, they do not protect library records at all, and federal laws have only partial protection for financial records. On the other hand, federal protection for personal information in government files exceeds the protections in nearly all states. "But, if we had included anti-privacy actions by Congress in 1996, the federal government would have ended up with a negative score," Smith said.
Privacy Journal judged four states "not on the radar screen" because of their inadequate privacy protections. They are Idaho, Missouri, South Carolina, and Texas. "Citizens in these states are very vulnerable," Smith said. "We could find no protections at all in Texas," he said.

The full listing of the 50 states, along with the criteria for rating the states, is available at the Privacy Journal's web site:

     http://www.townonline.com/privacyjournal/

=======================================================================
[7] EPIC Bookstore - The End of Privacy
=======================================================================

"The End of Privacy," by Charles J. Sykes

     http://www.amazon.com/exec/obidos/ISBN=0312203500/electronicprivacA

As Justice Louis Brandeis suggested more than a century ago, privacy -- the right to be let alone -- is the most valued, if not the most celebrated, right enjoyed by Americans. But in the face of computer, video, and audio technology, aggressive and sophisticated marketing databases, state and federal "wars" against crime and terrorism, new laws governing personal behavior, and an increasingly-intrusive media, all of us find our personal space and freedom under attack.

In The End of Privacy, Charles Sykes traces the roots of privacy in our nation's founding and Constitution, and reveals its inexorable erosion in our time. From our homes and offices to the Presidency, Sykes defines what we have lost, citing example after example of citizens who have had their conversations monitored, movements surveilled, medical and financial records accessed, sexual preferences revealed, homes invaded, possessions confiscated, and even lives threatened - all in the name of some alleged higher social or governmental good. Sykes concludes by suggesting steps by which we might begin to recover the territory we've lost: our fundamental right to our own lives.

Additional titles -- including EPIC publications -- on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore:

     http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

The Internet Security Conference (TISC). October 11-15, 1999. Boston World Trade Center. Boston, MA. For more information: http://tisc.corecom.com

Virtual Money, Privacy, and the Internet. October 20, 1999. The Independent Institute Conference Center. Oakland, CA. For more information: http://www.independent.org/tii/forums/CurrentIPF.html

Public Workshop on "Online Profiling" -- November 8, 1999. National Telecommunications and Information Administration, Commerce and Federal Trade Commission. Submissions and requests to participate due October 18, 1999. For more information: http://www.ntia.doc.gov/ntiahome/privacy/index.html

Consumer Privacy in the Next Decade: New Trends, Forces and Directions and The All New Practitioner's Privacy Policy Workshop. Privacy & American Business' Sixth Annual National Conference. November 8-10, 1999. Hyatt Regency Hotel. Arlington, VA. For more information: ctrslr@aol.com

The 1999 BNA Public Policy Forum: E-Commerce and Internet Regulation. November 15, 1999. Mayflower Hotel. Washington, D.C. For more information: http://internetconference.pf.com/

Annual Computer Security Applications Conference: Practical Solutions to Real Security Problems. December 6-10, 1999. Radisson Resort Scottsdale. Phoenix, Arizona. For more information: http://www.acsac.org/

Integrating Government with New Technologies '99 Policy vs Technology: Service Integration in the New Environments - A two-day Seminar and Training Session. December 13-14, 1999. Government Conference Center. Ottawa, Canada.
For more information: http://www.rileyis.com/seminars

Surveillance Expo '99. December 13-15, 1999. Doubletree Hotel. Crystal City, Virginia. For more information: http://www.rosseng.com

PEN/Newman's Own Eighth Annual First Amendment Award. Nominations due December 31, 1999. For more information: http://www.pen.org

RSA 2000. The ninth annual RSA Data Security Conference and Expo. January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA. For more information: http://www.rsa.com/rsa2000/

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
+1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 6.16 -----------------------