==============================================================
EPIC Alert
==============================================================
Volume 6.19                                  November 11, 1999
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org

=======================================================================
Table of Contents
=======================================================================

[1] Drivers' Privacy Protection Case Heard by Supreme Court
[2] Privacy Advocates Call on FTC to Halt Online Profiling
[3] Appellate Judges Slam Internet Censorship Law
[4] Intelligence Funding Bill Requires Report on ECHELON
[5] IETF Rejects Proposal on Internet Wiretaps
[6] TRUSTe Fails to Launch Investigation into RealNetworks
[7] EPIC Bookstore -- Genetic Secrets
[8] Upcoming Conferences and Events

=======================================================================
[1] Drivers' Privacy Protection Case Heard by Supreme Court
=======================================================================

On November 10, the Supreme Court heard oral arguments in Reno v. Condon. The case involves the constitutionality of the 1994 Driver's Privacy Protection Act (DPPA), which prohibited the dissemination of information contained in state driving records.

In the lower courts, the state of South Carolina had argued that the DPPA unconstitutionally infringed on state powers, in particular the Tenth Amendment right of states to regulate commerce within their own borders. The Government had argued that the DPPA was a valid exercise of the 14th Amendment, which has been interpreted as providing some privacy protections.

In oral argument before the Supreme Court, both sides focused on the constitutionality of federal efforts to regulate the procedures of a state agency. Seth Waxman, Solicitor General of the United States, argued that Congress can legislate on drivers' records since the federal government has the authority to regulate interstate commerce as implicated in the selling of drivers' records to private entities. Charles Condon, Attorney General of South Carolina, repeatedly asserted that the law places an undue burden on state agencies and employees.

A recent bill, the Department of Transportation and Related Agencies Appropriations Act for Fiscal Year 2000, will likely protect the privacy of state driving records regardless of how the Court decides Reno v. Condon. The new legislation denies transportation funding to states that do not obtain explicit opt-in consent before selling or distributing information contained in driving records.

EPIC submitted a friend-of-the-court brief in the Condon case, arguing in support of the DPPA. The brief is available at:

http://www.epic.org/privacy/drivers/epic_dppa_brief.pdf

For more information about Reno v. Condon, see:

http://www4.law.cornell.edu/php/orderinquiry2.php3?caseid=2903

=======================================================================
[2] Privacy Advocates Call on FTC to Halt Online Profiling
=======================================================================

At a workshop on "online profiling," panelists from EPIC, Junkbusters, the Center for Media Education, Privacy Times, and Privacy Journal called for the Federal Trade Commission (FTC) to immediately halt the practice of online profiling, launch an investigation into the privacy and consumer implications of the practice, and provide recommendations for proper privacy legislation. The workshop, held jointly by the FTC and the National Telecommunications and Information Administration (NTIA) of the Department of Commerce, took place on November 8.

Online profiling is the collection of detailed online behavior from uniquely identified Internet users. Online behavior generally refers to records about pages that were viewed and products or services purchased. Many online advertisers use online profiling in order to target advertisements according to this past behavior.

The privacy concerns arise because this information is not collected with the knowledge or consent of the consumer and is often connected to personally identifiable information like a name or address. Online behavior can potentially reveal information not only about interests or hobbies, but also medical conditions, sexual preferences, and political or religious beliefs. The collection of such information also gives many businesses an unfair advantage in encouraging customers to buy products.

At the workshop, a consortium of online advertisers known as the Network Advertising Initiative (NAI) presented a self-regulatory proposal to stave off regulation of data collected over the Internet. The proposal includes notice of what information is collected and how it is used and an opt-out so that consumers can request that their information not be collected. EPIC finds the proposal insufficient due to the lack of enforcement by other similar self-regulating agencies like TRUSTe (see item 6, below) and the undue burden that opt-out places on individuals to stop information collection that often occurs without their awareness.

A joint press release issued by the privacy groups to halt online profiling is at:

http://www.epic.org/privacy/internet/profiling_press_release.html

Details about the Public Workshop on "On-line Profiling" are available at:

http://www.ftc.gov/bcp/profiling/index.htm

=======================================================================
[3] Appellate Judges Slam Internet Censorship Law
=======================================================================

Two federal appellate judges harshly questioned the constitutionality of the Child Online Protection Act (COPA) on November 4. COPA would prohibit commercial Web site operators from exposing children under 17 to sexually explicit material that is deemed "harmful to minors." The judges suggested that COPA may violate the First Amendment by not specifying which community's standards would apply when assessing content on the Internet.

Soon after President Clinton signed COPA into law last year, it was challenged by a coalition of cyber-rights groups and Web publishers, including EPIC and the ACLU. In February, U.S. District Judge Reed issued a preliminary injunction blocking enforcement of COPA, stating that the law would likely fail to survive judicial scrutiny. The government appealed the decision to the U.S. Court of Appeals for the Third Circuit in Philadelphia.

In court last Thursday, Senior U.S. Circuit Judge Leonard I. Garth asked the Justice Department's lawyer how the phrase "contemporary community standards" can be defined, given that the Internet is a global communications medium. "It seems to me that in terms of the World Wide Web, what that statute contemplates is that we would be remitted to the most severe community standards -- perhaps those in Iran or Iraq -- where the exposure of a woman's face is deemed to be improper," Garth said.

Judge Theodore A.
McKee expressed concern with the law's provision that Web site operators could avoid criminal sanctions by instituting age verification mechanisms, such as credit-card numbers, to restrict access by minors. McKee noted that such a screening process could have a chilling effect on adults who would be forced to reveal personal information in order to access material on sensitive subjects, such as homosexuality.

Both McKee and Garth openly questioned whether it is possible to create legislation that satisfies the First Amendment and controls children's access to harmful content. Garth said, "I'm not at all sure that, in light of the Web, one can structure legislation which can control" access to online content.

For more information on COPA and the full text of Judge Reed's district court ruling, see:

http://www.epic.org/free_speech/copa/

=======================================================================
[4] Intelligence Funding Bill Requires Report on ECHELON
=======================================================================

The House of Representatives has approved a provision that would require the intelligence agencies to jointly provide Congress with a detailed analysis of the legal standards they apply when conducting signals intelligence, including electronic surveillance. The requirement grows out of the controversy surrounding Project ECHELON, a global surveillance network coordinated by the National Security Agency.

The reporting requirement is contained in the final version of the Intelligence Authorization Act for Fiscal Year 2000, which is expected to be approved by the Senate. The report must be submitted in both classified and unclassified form to the Intelligence and Judiciary committees of the House and Senate within 60 days of final passage.
It must disclose the legal standards for interception of communications when such interception may result in the acquisition of information from a communication to or from United States persons; for intentional targeting of the communications to or from United States persons; for receipt from non-United States sources of information pertaining to communications to or from United States persons; and for dissemination of information acquired through the interception of the communications to or from United States persons.

The reporting requirement was added to the appropriations bill at the insistence of Rep. Bob Barr (R-GA). In a statement released after the House passage of the bill, Barr said, "If American intelligence agencies are intercepting, receiving or distributing communications involving our citizens without court orders, or legal authority, they are doing so outside the bounds of the Constitution. If Project ECHELON exists as reported, all Americans who care about the integrity of our Constitution should be concerned."

Last spring, Rep. Porter Goss (R-FL), chairman of the House Intelligence Committee, requested access to legal memoranda on surveillance authority prepared by NSA's General Counsel, but the agency rebuffed the request citing "attorney-client privilege." (See EPIC Alert 6.08).

=======================================================================
[5] IETF Rejects Proposal on Internet Wiretaps
=======================================================================

In a public, plenary session on November 10, members of the Internet Engineering Task Force (IETF) decided overwhelmingly not to develop technical standards that would facilitate wiretapping of Internet communications. After an hour-long debate, the IETF members resolved the question of whether the standards group should build the kind of surveillance capabilities that are mandated for telephone systems by the controversial Communications Assistance to Law Enforcement Act (CALEA).
The Internet Engineering Steering Group and the Internet Architecture Board will soon publish a formal IETF position paper based on the consensus of the membership.

Prior to the debate, a group of computer security, cryptography, law, and policy experts sent an open letter to the IETF urging rejection of wiretap standards. They said that "such a development would harm network security, result in more illegal activities, diminish users' privacy, stifle innovation, and impose significant costs on developers of communications."

The rejected proposal arose when some IETF members asserted that CALEA required such Internet standards. With the emergence of Internet telephony, some have argued that the law should now be read to cover the Internet. That view, however, is countered by the legislative history of the 1994 law, which clearly stated that CALEA "does not require reengineering of the Internet, nor does it impose prospectively functional requirements on the Internet."

The text of the open letter to the IETF is available at:

http://www.epic.org/privacy/internet/letter_to_ietf.html

The legislative history of CALEA is available at:

http://www.epic.org/privacy/wiretap/calea/H_Rpt_103_827.txt

=======================================================================
[6] TRUSTe Fails to Launch Investigation into RealNetworks
=======================================================================

On November 1, the New York Times reported on the discovery made by independent security consultant Richard Smith that online software distributor RealNetworks was collecting information about the music tastes of 13.5 million Real product users without their knowledge. Despite initially indicating that it would launch an investigation into its licensee RealNetworks, the TRUSTe privacy certification organization has chosen not to pursue an inquiry, citing a loophole in the existing license agreement.
TRUSTe claims to provide adequate privacy guidelines and oversight of privacy violations for companies that it certifies.

RealJukebox (software downloaded through the site of RealNetworks) was surreptitiously scanning computer hard drives for music files and transmitting information about the genre of music, the format of the music files, and the type of connected music player used back to RealNetworks. This information was also tied to personal information previously collected through registration forms. After the activities of the RealJukebox software became public, RealNetworks provided a software "patch" that would prevent the further transmission of information.

TRUSTe refused to launch an investigation since RealNetworks did not technically violate any part of its license agreement. The TRUSTe license agreement only covers information collected from individuals over a website. TRUSTe claimed that since the information collection and transmission occurred through software downloaded at a site, there was in fact no violation of the license agreement. TRUSTe did announce plans to change its license agreement to include software downloaded through a website.

This is not the first time that TRUSTe has failed to launch an investigation into an apparent violation by one of its licensees. In March, Microsoft was found to be including Globally Unique Identifiers (GUIDs) within Microsoft Office 1998 that would allow all documents and visits to Microsoft-operated websites to be tied with personal information provided through earlier software registrations. As in the case of RealNetworks, TRUSTe found that Microsoft did not violate the TRUSTe license agreement and refused to perform an investigation.

Remedies for Real users may still be available; several class action lawsuits have been filed alleging that RealNetworks violated various federal and state laws by secretly collecting data.

For more information on the RealNetworks and Microsoft privacy incidents, see:

http://www.junkbusters.com

=======================================================================
[7] EPIC Bookstore -- Genetic Secrets
=======================================================================

Genetic Secrets: Protecting Privacy and Confidentiality in the Genetic Era
by Mark A. Rothstein

http://www.amazon.com/exec/obidos/ISBN=0300080638/electronicprivacA

Twenty-three articles by professionals from law, medicine, bioethics, public health, science policy, clinical genetics, philosophy, and other fields grapple with new issues of medical privacy and confidentiality brought about by recent advances in genetic research. Coverage includes topics such as genetic information in the schools, laws to regulate the use of genetic information, environmental population screening, public health lessons from the HIV experience, European data protection law, and implications of testing for health and life insurance. The book concludes with a recommendation of a framework for deciding future policy written by the editor.

EPIC Publications:

"The Privacy Law Sourcebook: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.
http://www.epic.org/pls/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of US and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom - Free Speech Perspectives on Internet Content Controls," David Sobel, editor (EPIC 1999). Price: $20.
http://www.epic.org/filters&freedom/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"Cryptography and Liberty: An International Survey of Cryptography Policy" Wayne Madsen and David Banisar, editors, (EPIC 1999). Price: $15.
http://www.epic.org/cryptobook99/

An international survey of encryption policies around the world. Survey results show that in the vast majority of countries, cryptography may be freely used, manufactured, and sold without restriction, with the U.S. being a notable exception.

================================

"Privacy and Human Rights 1999: An International Survey of Privacy Laws and Developments" David Banisar, Simon Davies, editors, (EPIC 1999). Price: $15.
http://www.epic.org/privacy&humanrights99/

An international survey of the privacy and data protection laws found in 50 countries around the globe. This report outlines the constitutional and legal conditions of privacy protection, and summarizes important issues and events relating to privacy and surveillance.

================================

Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore:

http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Washington, D.C., USA Internet Engineering Task Force (IETF) Meeting. November 7-12, 1999. Omni Shoreham Hotel. Washington, D.C. For more information: http://www.ietf.org/meetings/IETF-46.html

The 1999 BNA Public Policy Forum: E-Commerce and Internet Regulation. November 15, 1999. Mayflower Hotel. Washington, D.C. For more information: http://internetconference.pf.com/

Call for Papers -- Impacts of Economic Liberalization on IT Production and Use. The Information Society. Manuscripts due November 15, 1999.
For more information: http://www.slis.indiana.edu/TIS

Call for Papers -- Telecommunications: The Bridge to Globalization in the Information Society. International Telecommunications Society. Abstracts due November 15, 1999. For more information: http://www.its2000.org.ar

PDD-63 Congressional Research Service Seminar. November 19, 1999. James Madison Building, Library of Congress. For more information: JMOTEFF@crs.loc.gov

Annual Computer Security Applications Conference: Practical Solutions to Real Security Problems. December 6-10, 1999. Radisson Resort Scottsdale. Phoenix, Arizona. For more information: http://www.acsac.org/

Integrating Government with New Technologies '99 Policy vs Technology: Service Integration in the New Environments - A two-day Seminar and Training Session. December 13-14, 1999. Government Conference Center. Ottawa, Canada. For more information: http://www.rileyis.com/seminars

Surveillance Expo '99. December 13-15, 1999. Doubletree Hotel. Crystal City, Virginia. For more information: http://www.rosseng.com

PEN/Newman's Own Eighth Annual First Amendment Award. Nominations due December 31, 1999. For more information: http://www.pen.org

RSA 2000. The ninth annual RSA Data Security Conference and Expo. January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA. For more information: http://www.rsa.com/rsa2000/

Santa Clara University Computer and High Technology Journal Symposium on Internet Privacy. February 11-12, 2000. For more information: http://www.scu.edu/techlaw/symposium

Telecommunications: The Bridge to Globalization in the Information Society. Biennial Conference of the International Telecommunications Society. July 2-5, 2000.
For more information: http://www.its2000.org.ar

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:

http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 6.19 -----------------------