       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 6.18                                   November 3, 1999
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.

Table of Contents

[1] Proposed Federal Medical Privacy Regulations Released
[2] Internet Censorship Case Goes to Appeals Court
[3] Privacy Left Out of Financial Modernization Bill
[4] Comments Sought on Proposed Key-Recovery Standard
[5] Appeals Court Permits Warrantless Thermal-Imaging Searches
[6] Protection of FIDNet Spurs Calls to Weaken FOIA
[7] EPIC Bookstore -- Code: And Other Laws of Cyberspace
[8] Upcoming Conferences and Events

[1] Proposed Federal Medical Privacy Regulations Released

On October 29, the President presented a set of proposed federal
regulations protecting the privacy of electronically stored medical
records.  The regulations -- produced by the Department of Health and
Human Services (HHS) in concert with multiple federal agencies -- are
the first federal protections of medical privacy.  The Department of
Health and Human Services began drafting the regulations when Congress
failed to pass federal legislation covering medical privacy on August
21 of this year.  The rules are available for public comment over the
next sixty days.

The regulations, mandated by the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), would apply to all health plans
and many health care providers, as well as health care clearinghouses
such as billing companies.  However, under the HIPAA provision, the
HHS regulations may cover only electronic data; paper records and
verbal communications are not covered.

The HHS regulations also fail to provide a private right of action and
leave open significant questions about how the rules will be enforced.
The government would be able to impose civil and criminal penalties.

Privacy advocates, while commending the White House for moving forward
on the medical privacy regulations after Congress failed to meet its
self-imposed deadline for the passage of legislation, nonetheless said
that comprehensive legislation would be necessary to ensure the privacy
of medical records.

Notice of Proposed Rulemaking, "Standards for Privacy of Individually
Identifiable Health Information"
HHS Medical Privacy Regulations
HHS Medical Privacy Regulations [PDF]
Remarks by the President on Medical Privacy, October 29, 1999

[2] Internet Censorship Case Goes to Appeals Court

The legal battle to protect free speech on the Internet resumes
tomorrow in Philadelphia.  The U.S. Court of Appeals for the Third
Circuit will hear oral arguments in the government's appeal of a lower
court decision blocking enforcement of the Child Online Protection Act
(COPA).  The case against COPA -- brought by EPIC, the ACLU and other
organizations -- has been pending before the appellate court since the
Justice Department filed its appeal in April.  The appellate panel
hearing the appeal consists of Judges McKee, Garin and Nygaard.

The government's appeal challenges the finding of Judge Lowell A. Reed,
Jr. that the new Internet censorship law would restrict free speech in
the "marketplace of ideas."  Judge Reed's February 1 ruling enjoins
enforcement of COPA, the statutory successor to the Communications
Decency Act (CDA), which the Supreme Court struck down in June 1997.

The legal challenge to COPA was filed on behalf of 17 organizations
publishing information on the World Wide Web.  In granting a
preliminary injunction against COPA, Judge Reed found that the
plaintiffs were likely to succeed on their claim that the law "imposes
a burden on speech that is protected for adults."  The ruling came
after a six-day hearing which featured testimony from website operators
who provide free information about fine art, news, gay and lesbian
issues and sexual health for women and the disabled, and who all fear
that COPA would force them to shut down their websites.

In his 49-page opinion, Judge Reed listed 68 separate "findings of
fact" to support his decision.  The judge considered evidence that COPA
imposed technological and economic burdens on speakers, but concluded
that ultimately the relevant inquiry is the "burden imposed on the
protected speech, not the pressure placed on the pocketbooks or bottom
lines of the plaintiffs."

The full text of Judge Reed's decision, and complete information on
the legal challenge, is available at:

In another Internet censorship case, the Tenth Circuit issued a
decision on November 2 striking down a New Mexico law that sought to
criminalize the online distribution of material that is "harmful to
minors."  The text of the decision is available at:

[3] Privacy Left Out of Financial Modernization Bill

S. 900, the Financial Services Modernization Bill of 1999, seeks to
remove barriers to mergers in the banking and financial industry. The
bill, voted on today in the Senate and tomorrow in the House, also
largely abandons consumer control over the sharing of information
between financial institutions and marketing companies.

The current version of the legislation arose out of two separate
bills in Congress.  H.R. 10, the Financial Services Act of 1999,
contained limited provisions for consumer control of personal financial
information including:  guarantees of information security, no
requirement for consent to the distribution of information to third-
parties, annual notice of privacy procedures, and the restricted
use of account numbers and access codes.  S. 900 originally had no
privacy provisions.  Due to the differences in the two bills, a
House/Senate conference was held to reconcile the privacy provisions
of the legislation.

The final conference bill provides that financial institutions must
provide disclosure about privacy policies, and would restrict account
numbers and access codes from marketers -- but continues to omit
opt-out consent before information is distributed to nonaffiliated
third parties.  With the conference committee revisions, S. 900 erodes
any expectation of consumer control over personal financial
information.  The legislation does not, however, pre-empt state
financial privacy laws with stronger consumer protections.

EPIC, along with other privacy and consumer advocacy groups, opposes
the bill since it provides inadequate consumer control over financial
information.  Despite the efforts of privacy-minded legislators such as
Sens. Richard Shelby (R-AL) and Richard Bryan (D-NV) and Rep. Edward
Markey (D-MA), the bill is expected to be passed by both the Senate and
the House and signed into law by the President sometime next week.

[4] Comments Sought on Proposed Key-Recovery Standard

The final deadline is approaching for submission of comments on federal
"key recovery" standards.  The Department of Commerce is seeking public
comments on proposed "technical specifications for accomplishing the
recovery of keys used for encryption."  The specifications are
contained in a report issued by the Technical Advisory Committee to
Develop a Federal Information Processing Standard for the Federal Key
Management Infrastructure, which was chartered by the Department in
1996.  The Committee was established to provide technical advice on an
encryption key recovery standard for use by Federal agencies to allow
for "continued government access to encrypted information in the event
of the unavailability (e.g., loss due to unavailability of critical
personnel) of the encryption/decryption key(s)."

Techniques for "key-recovery" or "key-escrow" have long been
controversial, dating back to the unveiling of the infamous Clipper
Chip in 1993.

Comments must be submitted no later than November 4, and can be sent to

The text of the Committee's report, as well as other information
concerning its work, is available online at:

[5] Appeals Court Permits Warrantless Thermal-Imaging Searches

The Ninth Circuit Court of Appeals, in a split opinion, has held that
the police did not violate the Fourth Amendment when they used a
thermal imaging device to search for evidence of marijuana cultivation.
The thermal imager detected high levels of heat emission in an
apartment indicating the presence of heat lamps used in growing

The defendant Kyllo claimed that the thermal scan intruded into
activities within his home, in which he had an expectation of privacy,
and that the police were required to obtain a warrant before conducting
the search.

Judge Hawkins, writing for the court, said that "the use of thermal
imaging technology in this case did not constitute a search under
contemporary Fourth Amendment standards."  The court said that the
emissions were "waste heat," entitled to no more privacy than the
garbage that is placed on the street.  The court said that there was
no government intrusion into activities in Kyllo's home, in which he
expected privacy, rather there was simply a measurement of heat
emissions radiating from his home.

Writing in dissent, Judge Noonan said that the warrantless use of the
Agema 210 clearly violated the Fourth Amendment.

     I have no doubt that Kyllo did have an expectation of privacy as
     to what was going on in the interior of his house and that this
     expectation was infringed by the government's use of the Agema 210
     although the machine itself never penetrated into the interior.
     The closest analogy is use of a telescope that, unknown to the
     homeowner, is able from a distance to see into his or her house
     and report what he or she is reading or writing. Such an
     enhancement of normal vision by technology, permitting the
     government to discern what is going on in the home, violates the
     Fourth Amendment.

Both the Washington state Supreme Court and the Montana Supreme Court
have held that thermal imaging is a search under their respective state

USA v. Kyllo, 96-3033 (CA9 1999)

[6] Protection of FIDNet Spurs Calls to Weaken FOIA

As reported by the National Journal's Technology Daily on October 20,
the Department of Justice is putting together a proposal to repeal part
of the Freedom of Information Act (FOIA) in order to implement the
Federal Intrusion Detection Network (FIDNet).

Details about FIDNet, a plan to monitor nationwide communications in
the interest of "critical infrastructure protection," first emerged
in July.  While many of the details surrounding the eventual
establishment of FIDNet are still unclear, part of the original plan
involved monitoring private sector computer networks.  To encourage
the cooperation of businesses, the government had previously promised
companies that the information about businesses necessary for the
operation of FIDNet would remain confidential.

The Freedom of Information Act became law in 1966, ensuring the right
of citizens to access federal agency records.  Many companies are
worried that information revealed through FOIA requests via their
involvement in FIDNet would publicly reveal weaknesses in network
security or threaten the confidentiality of business negotiations.
While FOIA does offer exemptions for certain types of information,
companies argue that there is no guarantee that all information would
remain confidential once provided to the government.

In response to the reluctance of businesses to cooperate with FIDNet
under the present FOIA conditions, the Administration is in the process
of developing proposals to repeal parts of FOIA to garner private
sector compliance.  These plans have already received criticism in

For more information about FOIA, see the EPIC Open Government page:

FIDNet will also be the topic of an upcoming event, "The Government's
Role in Computer Surveillance and The Federal Intrusion Detection
Network", to be held jointly by the Association for Computing Machinery
(ACM) and Stanford University on November 9. For more information, see:

[7] EPIC Bookstore -- Code: And Other Laws of Cyberspace

Code: And Other Laws of Cyberspace by Lawrence Lessig.

(Note: This book will come out on December 1 but can be ordered now.)

An exciting examination of the core values of cyberspace --
intellectual property, free speech, and privacy -- from one of
America's most brilliant young legal theorists.

Lawrence Lessig "has staked out a role as one of academia's avant-garde
thinkers about cyberspace and the law." - Wall Street Journal

How should we regulate cyberspace? Can we? It's a cherished belief of
techies and net denizens everywhere that cyberspace is fundamentally,
unalterably impossible to regulate. Thus the legendary freedom of the
Net. Lawrence Lessig warns that, if we're not careful, we'll wake up
one day to discover that the character of cyberspace has changed out
from under us. Commercial forces will dictate the change, and
architecture -- the very structure of cyberspace itself -- will dictate
the form our interactions can and cannot take.

The author of the classic paper "Reading the Constitution in
Cyberspace," Lessig shows how code can make a domain, site, or network
free or restrictive; how architectures influence people's behavior and
the values they adopt; and how changes in code affect the pressing
issues of free speech, intellectual property, and privacy in

EPIC Publications:

"The Privacy Law Sourcebook: United States Law, International Law, and
Recent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.

The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of US and International privacy law, as well
as a comprehensive listing of privacy resources.

"Filters and Freedom - Free Speech Perspectives on Internet Content
Controls," David Sobel, editor (EPIC 1999). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.

"Cryptography and Liberty: An International Survey of Cryptography
Policy" Wayne Madsen and David Banisar, editors, (EPIC 1999). Price:
$15. http://www.epic.org/cryptobook99/

An international survey of encryption policies around the world. Survey
results show that in the vast majority of countries, cryptography may
be freely used, manufactured, and sold without restriction, with the
U.S. being a notable exception.

"Privacy and Human Rights 1999: An International Survey of Privacy Laws
and Developments" David Banisar, Simon Davies, editors, (EPIC 1999).
Price: $15. http://www.epic.org/privacy&humanrights99/

An international survey of the privacy and data protection laws found
in 50 countries around the globe. This report outlines the
constitutional and legal conditions of privacy protection, and
summarizes important issues and events relating to privacy and

Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be ordered
through the EPIC Bookstore: http://www.epic.org/bookstore/

[8] Upcoming Conferences and Events

Washington, D.C., USA Internet Engineering Task Force (IETF) Meeting.
November 7-12, 1999. Omni Shoreham Hotel. Washington, D.C. For more
information: http://www.ietf.org/meetings/IETF-46.html

Public Workshop on "Online Profiling" -- November 8, 1999. National
Telecommunications and Information Administration, Commerce and Federal
Trade Commission. For more information:

Consumer Privacy in the Next Decade: New Trends, Forces and Directions
and The All New Practitioner's Privacy Policy Workshop. Privacy &
American Business' Sixth Annual National Conference. November 8-10,
1999. Hyatt Regency Hotel. Arlington, VA. For more information:

ID and Authentication 2000. Smart Card Forum. November 8-11, 1999. For
more information: http://www.smartcardforum.org

The Government's Role in Computer Surveillance and the Federal
Intrusion Detection Network (FIDNet). Association for Computing
Machinery and Stanford University. November 9, 1999. Kresge Auditorium,
Stanford University. For more information: http://www.acm.org

The 1999 BNA Public Policy Forum: E-Commerce and Internet Regulation.
November 15, 1999. Mayflower Hotel. Washington, D.C. For more
information: http://internetconference.pf.com/

Call for Papers -- Impacts of Economic Liberalization on IT Production
and Use. The Information Society. Manuscripts due November 15, 1999.
For more information: http://www.slis.indiana.edu/TIS

Call for Papers -- Telecommunications: The Bridge to Globalization in
the Information Society. International Telecommunications Society.
Abstracts due November 15, 1999. For more information:

Annual Computer Security Applications Conference: Practical Solutions
to Real Security Problems. December 6-10, 1999. Radisson Resort
Scottsdale. Phoenix, Arizona. For more information:

Integrating Government with New Technologies '99 Policy vs Technology:
Service Integration in the New Environments - A two-day Seminar and
Training Session. December 13-14, 1999. Government Conference Center.
Ottawa, Canada. For more information: http://www.rileyis.com/seminars

Surveillance Expo '99. December 13-15, 1999. Doubletree Hotel. Crystal
City, Virginia. For more information: http://www.rosseng.com

PEN/Newman's Own Eighth Annual First Amendment Award. Nominations due
December 31, 1999. For more information: http://www.pen.org

RSA 2000. The ninth annual RSA Data Security Conference and Expo.
January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA.
For more information: http://www.rsa.com/rsa2000/

Telecommunications: The Bridge to Globalization in the Information
Society. Biennial Conference of the International Telecommunications
Society. July 2-5, 2000. For more information:

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. A Web-based form is available for subscribing or
unsubscribing at:

To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or

Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsored
by the Fund for Constitutional Government, a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights.  EPIC publishes the EPIC Alert, pursues Freedom of Information
Act litigation, and conducts policy research. For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240
(tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and expanding wiretapping powers.

Thank you for your support.

  ---------------------- END EPIC Alert 6.18 -----------------------