==============================================================
                         EPIC Alert
==============================================================

Volume 6.18                                    November 3, 1999
--------------------------------------------------------------

                        Published by the
           Electronic Privacy Information Center (EPIC)
                        Washington, D.C.
                       http://www.epic.org

=======================================================================
Table of Contents
=======================================================================

[1] Proposed Federal Medical Privacy Regulations Released
[2] Internet Censorship Case Goes to Appeals Court
[3] Privacy Left Out of Financial Modernization Bill
[4] Comments Sought on Proposed Key-Recovery Standard
[5] Appeals Court Permits Warrantless Thermal-Imaging Searches
[6] Protection of FIDNet Spurs Calls to Weaken FOIA
[7] EPIC Bookstore -- Code: And Other Laws of Cyberspace
[8] Upcoming Conferences and Events

=======================================================================
[1] Proposed Federal Medical Privacy Regulations Released
=======================================================================

On October 29, the President presented a set of proposed federal regulations protecting the privacy of electronically stored medical records. The regulations -- produced by the Department of Health and Human Services (HHS) in concert with multiple federal agencies -- are the first federal protections of medical privacy. The Department of Health and Human Services began drafting the regulations when Congress failed to pass federal legislation covering medical privacy on August 21 of this year. The rules are available for public comment over the next sixty days.

The regulations, mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), would apply to all health plans and many health care providers, as well as health care clearinghouses such as billing companies. However, under the HIPAA provision, the HHS regulations may cover only electronic data; paper records and verbal communications are not covered. The HHS regulations also fail to provide a private right of action and leave open significant questions about how the rules will be enforced. The government would be able to impose civil and criminal penalties.

Privacy advocates, while commending the White House for moving forward on the medical privacy regulations after Congress failed to meet its self-imposed deadline for the passage of legislation, nonetheless said that comprehensive legislation would be necessary to ensure the privacy of medical records.

Notice of Proposed Rulemaking, "Standards for Privacy of Individually Identifiable Health Information"
http://aspe.hhs.gov/admnsimp/

HHS Medical Privacy Regulations
http://www.epic.org/privacy/medical/HHS_medical_privacy_regs.html

HHS Medical Privacy Regulations [PDF]
http://www.epic.org/privacy/medical/HHS_medical_privacy_regs.PDF

Remarks by the President on Medical Privacy, October 29, 1999
http://www.epic.org/privacy/medical/announce_med_privacy.html

=======================================================================
[2] Internet Censorship Case Goes to Appeals Court
=======================================================================

The legal battle to protect free speech on the Internet resumes tomorrow in Philadelphia. The U.S. Court of Appeals for the Third Circuit will hear oral arguments in the government's appeal of a lower court decision blocking enforcement of the Child Online Protection Act (COPA). The case against COPA -- brought by EPIC, the ACLU and other organizations -- has been pending before the appellate court since the Justice Department filed its appeal in April.
The appellate panel hearing the appeal consists of Judges McKee, Garin and Nygaard. The government's appeal challenges the finding of Judge Lowell A. Reed, Jr. that the new Internet censorship law would restrict free speech in the "marketplace of ideas." Judge Reed's February 1 ruling enjoins enforcement of COPA, the statutory successor to the Communications Decency Act (CDA), which the Supreme Court struck down in June 1997. The legal challenge to COPA was filed on behalf of 17 organizations publishing information on the World Wide Web.

In granting a preliminary injunction against COPA, Judge Reed found that the plaintiffs were likely to succeed on their claim that the law "imposes a burden on speech that is protected for adults." The ruling came after a six-day hearing which featured testimony from website operators who provide free information about fine art, news, gay and lesbian issues and sexual health for women and the disabled, and who all fear that COPA would force them to shut down their websites.

In his 49-page opinion, Judge Reed listed 68 separate "findings of fact" to support his decision. The judge considered evidence that COPA imposed technological and economic burdens on speakers, but concluded that ultimately the relevant inquiry is the "burden imposed on the protected speech, not the pressure placed on the pocketbooks or bottom lines of the plaintiffs."

The full text of Judge Reed's decision, and complete information on the legal challenge, is available at:
http://www.epic.org/free_speech/copa/

In another Internet censorship case, the Tenth Circuit issued a decision on November 2 striking down a New Mexico law that sought to criminalize the online distribution of material that is "harmful to minors."

The text of the decision is available at:
http://www.epic.org/free_speech/aclu_v_johnson.html

=======================================================================
[3] Privacy Left Out of Financial Modernization Bill
=======================================================================

S. 900, the Financial Services Modernization Bill of 1999, seeks to remove barriers to mergers in the banking and financial industry. The bill, voted on today in the Senate and tomorrow in the House, also largely abandons consumer control over the sharing of information between financial institutions and marketing companies.

The current version of the legislation arose out of two separate bills in Congress. H.R. 10, the Financial Services Act of 1999, contained limited provisions for consumer control of personal financial information including: guarantees of information security, no requirement for consent to the distribution of information to third parties, annual notice of privacy procedures, and the restricted use of account numbers and access codes. S. 900 originally had no privacy provisions. Due to the differences in the two bills, a House/Senate conference was held to reconcile the privacy provisions of the legislation.

The final conference bill provides that financial institutions must provide disclosure about privacy policies, and would restrict account numbers and access codes from marketers -- but continues to omit opt-out consent before information is distributed to nonaffiliated third parties. With the conference committee revisions, S. 900 erodes any expectation of consumer control over personal financial information. The legislation does not, however, pre-empt state financial privacy laws with stronger consumer protections.

EPIC, along with other privacy and consumer advocacy groups, opposes the bill since it provides inadequate consumer control over financial information. Despite the efforts of privacy-minded legislators such as Sens. Richard Shelby (R-AL) and Richard Bryan (D-NV) and Rep. Edward Markey (D-MA), the bill is expected to be passed by both the Senate and the House and signed into law by the President sometime next week.

=======================================================================
[4] Comments Sought on Proposed Key-Recovery Standard
=======================================================================

The final deadline is approaching for submission of comments on federal "key recovery" standards. The Department of Commerce is seeking public comments on proposed "technical specifications for accomplishing the recovery of keys used for encryption." The specifications are contained in a report issued by the Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure, which was chartered by the Department in 1996.

The Committee was established to provide technical advice on an encryption key recovery standard for use by Federal agencies to allow for "continued government access to encrypted information in the event of the unavailability (e.g., loss due to unavailability of critical personnel) of the encryption/decryption key(s)." Techniques for "key-recovery" or "key-escrow" have long been controversial, dating back to the unveiling of the infamous Clipper Chip in 1993.

Comments must be submitted no later than November 4, and can be sent to <key-recovery@nist.gov>.
The text of the Committee's report, as well as other information concerning its work, is available online at:
http://csrc.nist.gov/tacdfipsfkmi/

=======================================================================
[5] Appeals Court Permits Warrantless Thermal-Imaging Searches
=======================================================================

The Ninth Circuit Court of Appeals, in a split opinion, has held that the police did not violate the Fourth Amendment when they used a thermal imaging device to search for evidence of marijuana cultivation. The thermal imager detected high levels of heat emission in an apartment indicating the presence of heat lamps used in growing marijuana. The defendant Kyllo claimed that the thermal scan intruded into activities within his home, in which he had an expectation of privacy, and that the police were required to obtain a warrant before conducting the search.

Judge Hawkins, writing for the court, said that "the use of thermal imaging technology in this case did not constitute a search under contemporary Fourth Amendment standards." The court said that the emissions were "waste heat," entitled to no more privacy than the garbage that is placed on the street. The court said that there was no government intrusion into activities in Kyllo's home, in which he expected privacy, rather there was simply a measurement of heat emissions radiating from his home.

Writing in dissent, Judge Noonan said that the warrantless use of the Agema 210 clearly violated the Fourth Amendment:

     I have no doubt that Kyllo did have an expectation of privacy
     as to what was going on in the interior of his house and that
     this expectation was infringed by the government's use of the
     Agema 210 although the machine itself never penetrated into
     the interior. The closest analogy is use of a telescope that,
     unknown to the homeowner, is able from a distance to see into
     his or her house and report what he or she is reading or
     writing. Such an enhancement of normal vision by technology,
     permitting the government to discern what is going on in the
     home, violates the Fourth Amendment.

Both the Washington state Supreme Court and the Montana Supreme Court have held that thermal imaging is a search under their respective state constitutions.

USA v. Kyllo, 96-3033 (CA9 1999)
http://www.ce9.uscourts.gov/web/newopinions.nsf/f606ac175e010d64882566eb00658118/b686f731840272eb882567e7005de14a?OpenDocument#top

=======================================================================
[6] Protection of FIDNet Spurs Calls to Weaken FOIA
=======================================================================

As reported by the National Journal's Technology Daily on October 20, the Department of Justice is putting together a proposal to repeal part of the Freedom of Information Act (FOIA) in order to implement the Federal Intrusion Detection Network (FIDNet). Details about FIDNet, a plan to monitor nationwide communications in the interest of "critical infrastructure protection," first emerged in July. While many of the details surrounding the eventual establishment of FIDNet are still unclear, part of the original plan involved monitoring private sector computer networks. To encourage the cooperation of businesses, the government had previously promised companies that the information about businesses necessary for the operation of FIDNet would remain confidential.

The Freedom of Information Act became law in 1966, ensuring the right of citizens to access federal agency records. Many companies are worried that information revealed through FOIA requests via their involvement in FIDNet would publicly reveal weaknesses in network security or threaten the confidentiality of business negotiations. While FOIA does offer exemptions for certain types of information, companies argue that there is no guarantee that all information would remain confidential once provided to the government.
In response to the reluctance of businesses to cooperate with FIDNet under the present FOIA conditions, the Administration is in the process of developing proposals to repeal parts of FOIA to garner private sector compliance. These plans have already received criticism in Congress.

For more information about FOIA, see the EPIC Open Government page:
http://www.epic.org/open_gov/

FIDNet will also be the topic of an upcoming event, "The Government's Role in Computer Surveillance and The Federal Intrusion Detection Network", to be held jointly by the Association for Computing Machinery (ACM) and Stanford University on November 9. For more information, see:
http://www.acm.org

=======================================================================
[7] EPIC Bookstore -- Code: And Other Laws of Cyberspace
=======================================================================

Code: And Other Laws of Cyberspace by Lawrence Lessig.
http://www.amazon.com/exec/obidos/ISBN=046503912X/electronicprivacA

(Note: This book will come out on December 1 but can be ordered now.)

An exciting examination of the core values of cyberspace -- intellectual property, free speech, and privacy -- from one of America's most brilliant young legal theorists. Lawrence Lessig "has staked out a role as one of academia's avant-garde thinkers about cyberspace and the law." -- Wall Street Journal

How should we regulate cyberspace? Can we? It's a cherished belief of techies and net denizens everywhere that cyberspace is fundamentally, unalterably impossible to regulate. Thus the legendary freedom of the Net. Lawrence Lessig warns that, if we're not careful, we'll wake up one day to discover that the character of cyberspace has changed out from under us. Commercial forces will dictate the change, and architecture -- the very structure of cyberspace itself -- will dictate the form our interactions can and cannot take.
The author of the classic paper "Reading the Constitution in Cyberspace," Lessig shows how code can make a domain, site, or network free or restrictive; how architectures influence people's behavior and the values they adopt; and how changes in code affect the pressing issues of free speech, intellectual property, and privacy in cyberspace.

EPIC Publications:

"The Privacy Law Sourcebook: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.
http://www.epic.org/pls/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of US and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom - Free Speech Perspectives on Internet Content Controls," David Sobel, editor (EPIC 1999). Price: $20.
http://www.epic.org/filters&freedom/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"Cryptography and Liberty: An International Survey of Cryptography Policy" Wayne Madsen and David Banisar, editors, (EPIC 1999). Price: $15.
http://www.epic.org/cryptobook99/

An international survey of encryption policies around the world. Survey results show that in the vast majority of countries, cryptography may be freely used, manufactured, and sold without restriction, with the U.S. being a notable exception.

================================

"Privacy and Human Rights 1999: An International Survey of Privacy Laws and Developments" David Banisar, Simon Davies, editors, (EPIC 1999). Price: $15.
http://www.epic.org/privacy&humanrights99/

An international survey of the privacy and data protection laws found in 50 countries around the globe. This report outlines the constitutional and legal conditions of privacy protection, and summarizes important issues and events relating to privacy and surveillance.

================================

Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore:
http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Internet Engineering Task Force (IETF) Meeting. November 7-12, 1999. Omni Shoreham Hotel. Washington, D.C., USA. For more information:
http://www.ietf.org/meetings/IETF-46.html

Public Workshop on "Online Profiling" -- November 8, 1999. National Telecommunications and Information Administration, Commerce and Federal Trade Commission. For more information:
http://www.ftc.gov/bcp/profiling/index.htm

Consumer Privacy in the Next Decade: New Trends, Forces and Directions and The All New Practitioner's Privacy Policy Workshop. Privacy & American Business' Sixth Annual National Conference. November 8-10, 1999. Hyatt Regency Hotel. Arlington, VA. For more information: ctrslr@aol.com

ID and Authentication 2000. Smart Card Forum. November 8-11, 1999. For more information:
http://www.smartcardforum.org

The Government's Role in Computer Surveillance and the Federal Intrusion Detection Network (FIDNet). Association for Computing Machinery and Stanford University. November 9, 1999. Kresge Auditorium, Stanford University. For more information:
http://www.acm.org

The 1999 BNA Public Policy Forum: E-Commerce and Internet Regulation. November 15, 1999. Mayflower Hotel. Washington, D.C. For more information:
http://internetconference.pf.com/

Call for Papers -- Impacts of Economic Liberalization on IT Production and Use. The Information Society. Manuscripts due November 15, 1999.
For more information:
http://www.slis.indiana.edu/TIS

Call for Papers -- Telecommunications: The Bridge to Globalization in the Information Society. International Telecommunications Society. Abstracts due November 15, 1999. For more information:
http://www.its2000.org.ar

Annual Computer Security Applications Conference: Practical Solutions to Real Security Problems. December 6-10, 1999. Radisson Resort Scottsdale. Phoenix, Arizona. For more information:
http://www.acsac.org/

Integrating Government with New Technologies '99 Policy vs Technology: Service Integration in the New Environments - A two-day Seminar and Training Session. December 13-14, 1999. Government Conference Center. Ottawa, Canada. For more information:
http://www.rileyis.com/seminars

Surveillance Expo '99. December 13-15, 1999. Doubletree Hotel. Crystal City, Virginia. For more information:
http://www.rosseng.com

PEN/Newman's Own Eighth Annual First Amendment Award. Nominations due December 31, 1999. For more information:
http://www.pen.org

RSA 2000. The ninth annual RSA Data Security Conference and Expo. January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA. For more information:
http://www.rsa.com/rsa2000/

Telecommunications: The Bridge to Globalization in the Information Society. Biennial Conference of the International Telecommunications Society. July 2-5, 2000. For more information:
http://www.its2000.org.ar

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:
http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:
http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 6.18 -----------------------