==============================================================

                          EPIC ALERT

==============================================================

Volume 6.20                                   December 6, 1999
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org

=======================================================================
Table of Contents
=======================================================================

[1] EPIC Files Suit for NSA Memos on Surveillance Authority
[2] EPIC, ACLU and EFF Challenge New FBI Wiretap Rules
[3] Consumer Groups Respond to "Safe Harbor" Proposal
[4] Draft Crypto Regulations Fall Short of Earlier Promises
[5] Advocates Call on FTC, Companies to Stop Secret Profiling
[6] AOL Subscriber Privacy Preferences Expiring
[7] Holiday Shopping at the EPIC Bookstore
[8] Upcoming Conferences and Events

=======================================================================
[1] EPIC Files Suit for NSA Memos on Surveillance Authority
=======================================================================

The Electronic Privacy Information Center asked a federal court on December 3 to order the release of controversial documents concerning potential government surveillance of American citizens. EPIC's lawsuit seeks the public disclosure of internal National Security Agency (NSA) documents discussing the legality of the agency's intelligence activities.

NSA refused to provide the documents to the House Intelligence Committee earlier this year, resulting in an unusual public reprimand of the secretive spy agency. Rep. Porter J. Goss, chairman of the oversight panel, wrote in a committee report in May that NSA's rationale for withholding the legal memoranda was "unpersuasive and dubious."
He noted that if NSA lawyers "construed the Agency's authorities too permissively, then the privacy interests of the citizens of the United States could be at risk."

Soon after the release of the Intelligence Committee report, EPIC submitted a Freedom of Information Act (FOIA) request to NSA for the documents. Despite the FOIA's time limit of 20 working days, the agency has not responded to EPIC's request.

The surveillance activities of the NSA have recently come under increased scrutiny, with published reports indicating that the agency is coordinating a massive global interception initiative known as ECHELON. The current issue of the New Yorker magazine reports that it took NSA only 11 months to fill three years' worth of planned storage capacity for intercepted Internet traffic.

The legal basis for NSA's interception activities is a critical issue that EPIC plans to evaluate in a comprehensive study to be released early next year. That study will be conducted by Duncan Campbell, a Scottish investigative journalist and TV producer. Earlier this year, Campbell was appointed a consultant to the European Parliament and prepared a technology assessment report on ECHELON and communications intelligence which contained the first public documentary evidence of the global surveillance system. Campbell will be working with EPIC as a Senior Research Fellow for several months to produce a report for presentation at anticipated congressional hearings on the topic of signals intelligence agencies, the Fourth Amendment and human rights.

More information on ECHELON is available at the EchelonWatch website, which is administered by the American Civil Liberties Union:

     http://www.echelonwatch.org

Duncan Campbell's report for the European Parliament is available at:

     http://www.gn.apc.org/duncan/stoa.htm

=======================================================================
[2] EPIC, ACLU and EFF Challenge New FBI Wiretap Rules
=======================================================================

EPIC joined with the American Civil Liberties Union and the Electronic Frontier Foundation on November 18 in a court challenge to block new rules that would enable the FBI to dictate the design of the nation's communication infrastructure. The challenged rules would allow the Bureau to track the physical locations of cellular phone users and monitor Internet traffic.

In petitions to the U.S. Courts of Appeals for the District of Columbia Circuit and the Ninth Circuit, the groups say that the rules -- contained in a Federal Communications Commission (FCC) decision issued in August (see EPIC Alert 6.13) -- could result in a significant increase in government interception of digital communications.

The court challenge involves the Communications Assistance for Law Enforcement Act ("CALEA"), a controversial law enacted by Congress in 1994, which requires the telecommunications industry to design its systems in compliance with FBI technical requirements to facilitate electronic surveillance. In negotiations over the last few years, the FBI and industry representatives were unable to agree upon those standards, resulting in the recent FCC ruling. EPIC, ACLU and EFF participated as parties in the FCC proceeding.

The court filings assert that the FCC ruling exceeds the requirements of CALEA and frustrates the privacy interests protected by federal statutes and the Fourth Amendment.
The groups assert that the FBI is seeking surveillance capabilities that far exceed the powers law enforcement has had in the past and is entitled to under the law. The case will likely define the privacy standards for the nation's telecommunication networks, including the cellular systems and the Internet.

The privacy groups are being represented on a pro bono basis by Kurt Wimmer and Gerard J. Waldron, partners at the Washington law firm of Covington & Burling.

Separate challenges to the FCC CALEA rules have been filed by the U.S. Telecom Association, the Cellular Telecommunications Industry Association and the Center for Democracy and Technology. All of the petitions have been consolidated for further proceedings.

Background materials on CALEA, including documents filed by EFF, ACLU and EFF with the Federal Communications Commission, are available at EPIC's website:

     http://www.epic.org/privacy/wiretap/

=======================================================================
[3] Consumer Groups Respond to "Safe Harbor" Proposal
=======================================================================

U.S. and European consumer organizations have submitted comments to the Department of Commerce regarding the "Safe Harbor" proposal that would allow U.S. firms to self-certify privacy practices when processing data on European citizens.

The TransAtlantic Consumer Dialogue (TACD) said that the Safe Harbor proposal "still fails to provide adequate data protection for the transfer of personal information from citizens in EU countries to companies in the United States." The groups urged the adoption of stronger measures to ensure that "the loss of consumer privacy is not the cost of the information economy."

The organizations said that "little progress has been made in the effort to ensure consumer access to their personal information held by businesses and there is still no significant mechanism to enforce privacy principles in the United States."

The consumer organizations urged negotiators to view privacy as a fundamental human right, not simply a commercial matter. They said that the Safe Harbor process should extend principles of data protection and further urged comprehensive coverage for citizens outside of Europe. They added that further steps should be taken to ensure that the Safe Harbor principle complies with Fair Information Practices, particularly in the areas of notice, consent, purpose specification, access, enforcement and non-discrimination.

The statement was endorsed by the European Consumer Association (BEUC), the Consumer Federation of America, the Center for Media Education, the Consumer Project on Technology, the Electronic Privacy Information Center, the National Consumers League, and USPIRG for the Trans Atlantic Consumer Dialogue (TACD).

The TransAtlantic Consumer Dialogue is a forum of U.S. and EU consumer organizations which develops joint consumer policy recommendations for the U.S. government and European Union to promote the consumer interest in EU and U.S. policy making. It includes more than sixty consumer organizations from the United States and Europe.

The following materials are available:

Department of Commerce, International Safe Harbor Privacy Principles (15 November 1999)

     http://www.ita.doc.gov/ecom/Principles1199.htm

TACD Comments on Safe Harbor (3 December 1999)

     http://www.epic.org/tacd_sh.html

TACD Resolution on Safe Harbor (April 1999)

     http://www.tacd.org/meeting2/electronic.html#safe

Trans Atlantic Consumer Dialogue

     http://www.tacd.org/

=======================================================================
[4] Draft Crypto Regulations Fall Short of Earlier Promises
=======================================================================

When the Clinton Administration announced a new encryption policy in September (see EPIC Alert 6.15), some observers were quick to conclude that the end of the controversial U.S. export controls was finally at hand.
Others (including EPIC) took a "wait and see" approach pending the release of final regulations implementing the new policy. A draft is now being circulated by the Administration, and the proposal is receiving largely negative reviews.

Contrary to the claims made in September, the draft regulations would impose a complex and confusing classification and licensing scheme on exports of encryption hardware and software. Many products would be subject to a "technical review" by export officials. The standards for such reviews are not spelled out in the regulations, leaving officials with almost complete discretion and export applicants with little legal recourse.

Another confusing aspect of the draft is its use of the term "retail" to describe those products that would be entitled to liberal export conditions. The effect on freeware encryption products and open source development projects is not clear.

One positive surprise is contained in the draft regulations. Encryption source code would be eligible for export under certain conditions. Current restrictions on source code have been the subject of great controversy over the last few years, leading to litigation challenging the export rules as a "prior restraint" on academic and scientific expression. The U.S. Court of Appeals for the Ninth Circuit ruled earlier this year in the Bernstein case that the source code restrictions do, indeed, violate the First Amendment (see EPIC Alert 6.07). That ruling is now being reviewed "en banc" by the Ninth Circuit.

A final version of the new rules is expected to be issued around December 15.

The text of the draft is available at:

     http://www.epic.org/crypto/export_controls/draft_regs_11_99.html

=======================================================================
[5] Advocates Call on FTC, Companies to Stop Secret Profiling
=======================================================================

Privacy and consumer groups and a leading security expert have asked the Federal Trade Commission to require software makers to close a loophole in many popular email systems that allows senders of bulk commercial email to track the surfing behavior of people who merely read the email.

Security expert Richard M. Smith said, "Web browser cookies and email messages don't mix. Web surfing is supposed to be anonymous, but with the cookie leak security hole, companies can easily match our Email addresses to the Web sites we visit. I hope that Netscape, Microsoft and other software makers will quickly patch this hole."

Many email readers display email messages using a Web browser. If the message contains graphics retrieved from the Web when the mail is opened, the loophole allows the recipient to be assigned a unique serial number in a "cookie," which will later be silently transmitted as the recipient surfs the Web. Many companies encode the recipient's email address in the URL (web address) of the graphic, so that their servers can match the cookie to the email address.

Jason Catlett, President of Junkbusters Corp., said, "Cookie leaks are the bug from spammers that keeps on bugging. It's intolerable that email can be used to silently zap a nametag onto you that might be scanned by a site you visit later. It's like secretly bar-coding people with invisible ink."

At the FTC's hearings on online profiling last month, privacy groups called for an immediate halt to online profiling, warning that in the absence of effective legal safeguards personal information would be gathered secretly by marketing companies.
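
A mail gateway or mail reader can check for the cookie leak described above before any graphic is fetched. The following is an added example, not part of the original Alert or of Richard Smith's paper: it flags remote images in an HTML message whose URL carries the recipient's address in plain, percent-encoded, base64 or hex form. The function names, hosts and sample message are constructed for illustration.

```python
import base64
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample message; every host and address is a placeholder.
SAMPLE = """\
From: offers@shop.example
To: alice@example.org
Content-Type: text/html; charset="us-ascii"

<html><body><p>Big sale!</p>
<img src="http://ads.example/open.gif?e=alice%40example.org" width="1" height="1">
<img src="http://ads.example/p/YWxpY2VAZXhhbXBsZS5vcmc/banner.gif">
<img src="http://static.example/logo.gif">
<img src="cid:inline-logo">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect <img> sources that the mail reader would fetch from the Web."""
    def __init__(self):
        super().__init__()
        self.remote_srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "img" and urlsplit(src).scheme in ("http", "https"):
            self.remote_srcs.append(src)


def decoded_views(url):
    """Yield the percent-decoded URL, then any base64 or hex tokens as text."""
    plain = unquote(url)
    yield plain
    for token in re.findall(r"[A-Za-z0-9_-]{8,}", plain):
        for decode in (
            lambda t: base64.urlsafe_b64decode(t + "=" * (-len(t) % 4)),
            bytes.fromhex,
        ):
            try:
                yield decode(token).decode("ascii")
            except ValueError:  # not valid base64/hex, or not ASCII text
                continue


def recipient_tagged_images(raw_message, recipient):
    """Return remote image URLs in HTML parts that identify the recipient."""
    needle = recipient.lower()
    flagged = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, errors="replace")
        collector = ImgCollector()
        collector.feed(html)
        for src in collector.remote_srcs:
            if any(needle in view.lower() for view in decoded_views(src)):
                flagged.append(src)
    return flagged
```

A URL that carries only an opaque serial number would not be flagged by this check; not loading remote graphics in mail at all covers that case.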

Andrew Shen, Policy Analyst at EPIC, said that "The lack of government action continues to place the average user -- unaware of the tracking and surveillance technologies at work -- at the mercy of companies that often abuse their privacy."

The organizations that urged an investigation of the "cookie leak" included Junkbusters, the Center for Media Education, the Privacy Rights Clearinghouse, the Consumer Project on Technology, the Commercial Alert, the Private Citizen Inc., the Electronic Frontier Foundation, and the Electronic Privacy Information Center.

The groups' press release on the "Cookie Leak" announcement is available at:

     http://www.junkbusters.com/ht/en/nr31.html

Richard Smith's paper, "The Cookie Leak Security Hole in HTML Email Messages," is available at:

     http://www.tiac.net/users/smiths/privacy/cookleak.htm

=======================================================================
[6] AOL Subscriber Privacy Preferences Expiring
=======================================================================

America Online (AOL) recently sent a message to its twenty million subscribers advising them that their declared privacy preferences will expire in early December. In what will become an annual chore, all AOL users will have to opt-out -- take it upon themselves to make specific requests -- not to receive advertisements via mail, email, or pop-up messages. While AOL spokesmen said that their privacy policy has always been upfront about the need for annual revisions, EPIC expects most AOL subscribers will be surprised that they have to reiterate their privacy preferences.

AOL's action underscores the problems with "opt-out" procedures, which unfairly place the burden of privacy protection on individuals. "Opt-out" has become the preferred industry means of addressing privacy concerns, and forms the basis of many of the "self-regulatory" initiatives advanced as alternatives to legal privacy protections.

AOL also rents subscriber lists with personal account information to marketers, but AOL subscribers who have already opted out of that practice will not have to renew that part of their preferences.

=======================================================================
[7] Holiday Shopping at the EPIC Bookstore
=======================================================================

Planning to buy a book, video, or DVD this holiday season? Visit the EPIC Bookstore for all the greatest books on privacy, free speech and online liberty. And just in time for the holidays, we've updated our video section to include a new selection of top films.

This holiday season EPIC features on DVD the blockbuster hit "The Matrix" with all-time cyberstar Keanu Reeves, Gene Hackman's reprise as a surveillance specialist in "Enemy of the State," and the captivating "Dark City."

The Matrix

     http://www.amazon.com/exec/obidos/ASIN/B00000K19E/electronicprivacA/

Amazon reviewers: 4.5

". . . one of the most exhilarating sci-fi/action movies of the 1990s. Set in the not too distant future, we find a young man named Neo (Keanu Reeves). A software techie by day and a computer hacker by night, he sits alone at home by his monitor, waiting for a sign, until one night a mysterious woman named Trinity (Carrie-Anne Moss) introduces him to Morpheus (Laurence Fishburne). A messiah of sorts, Morpheus presents Neo with the truth about his world by shedding light on the dark secrets that have troubled him for so long: "You've felt it your entire life, that there's something wrong with the world. You don't know what it is, but it's there, like a splinter in your mind, driving you mad." Morpheus shows Neo what the Matrix is -- a reality beyond reality that controls all of their lives in a way that Neo can barely comprehend."

Enemy of the State

     http://www.amazon.com/exec/obidos/ASIN/6305428115/electronicprivacA/

Amazon reviewers: 4.5

"Robert Clayton Dean (Will Smith) is a lawyer with a wife and family whose happily normal life is turned upside down after a chance meeting with a college buddy (Jason Lee) at a lingerie shop. Unbeknownst to the lawyer, he's just been burdened with a videotape of a congressman's assassination. Hot on the tail of this tape is a ruthless group of National Security Agents commanded by a belligerently ambitious fed named Reynolds (Jon Voight). Using surveillance from satellites, bugs, and other sophisticated snooping devices, the NSA infiltrates every facet of Dean's existence, tracing each physical and digital footprint he leaves. Driven by acute paranoia, Dean enlists the help of a clandestine former NSA operative named Brill (Gene Hackman), and Enemy of the State kicks into high-intensity hyperdrive."

Dark City

     http://www.amazon.com/exec/obidos/ASIN/0780622553/electronicprivacA/

Amazon reviewers: 4.5

In a city where it is always night, aliens conduct secret experiments to learn what makes us human. Meanwhile, his memory mostly gone, Sewell is suspected of being a serial killer, and finds he now has telekinetic powers. Richly plotted sci-fi has striking set design and excellent use of special effects; complex, with a new surprise every few minutes. - Leonard Maltin's Movie & Video Guide

EPIC Books - "Our Favorites"

     http://www.epic.org/bookstore/amazon_books.html

EPIC Videos

     http://www.epic.org/bookstore/films.html

EPIC Publications

     http://www.epic.org/bookstore/feature.html

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Annual Computer Security Applications Conference: Practical Solutions to Real Security Problems. December 6-10, 1999. Radisson Resort Scottsdale. Phoenix, Arizona.
For more information: http://www.acsac.org/

Integrating Government with New Technologies '99 Policy vs Technology: Service Integration in the New Environments - A two-day Seminar and Training Session. December 13-14, 1999. Government Conference Center. Ottawa, Canada. For more information: http://www.rileyis.com/seminars

Surveillance Expo '99. December 13-15, 1999. Doubletree Hotel. Crystal City, Virginia. For more information: http://www.rosseng.com

PEN/Newman's Own Eighth Annual First Amendment Award. Nominations due December 31, 1999. For more information: http://www.pen.org

RSA 2000. The ninth annual RSA Data Security Conference and Expo. January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA. For more information: http://www.rsa.com/rsa2000/

Cyberspace and Privacy: A New Legal Paradigm? February 7, 2000. Stanford Law School. Stanford, CA. For more information: http://lawreview.stanford.edu or http://stlr.stanford.edu

Santa Clara University Computer and High Technology Journal Symposium on Internet Privacy. February 11-12, 2000. For more information: http://www.scu.edu/techlaw/symposium

Telecommunications: The Bridge to Globalization in the Information Society. Biennial Conference of the International Telecommunications Society. July 2-5, 2000. For more information: http://www.its2000.org.ar

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".
Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 6.20 -----------------------