       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 7.01                                   January 12, 2000
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] Supreme Court Upholds Drivers' Privacy Law
[2] White House Releases "Cyber-Terrorism" Plan
[3] EPIC Comments on Use of the Internet for Campaign Activity
[4] EPIC Releases Survey of Online Privacy Policies
[5] Update on Safe Harbor Negotiations
[6] EPIC Job Announcements
[7] EPIC Bookstore -- Database Nation
[8] Upcoming Conferences and Events
  THIS JUST IN: As the Alert "goes to press," the U.S. Commerce
  Department has released the final revision of its encryption export
  control regulations.  The new rules maintain a complex and burdensome
  licensing scheme and retain substantial restrictions on the ability
  to exchange information concerning encryption.  The next issue of the
  Alert will contain additional information on the export control
[1] Supreme Court Upholds Drivers' Privacy Law
In an opinion released today, the Supreme Court has unanimously held
that Congress did not exceed its constitutional authority when it
enacted legislation establishing privacy safeguards for motor vehicle
records held by state agencies.  Several states challenged the Drivers
Privacy Protection Act, arguing that Congress had violated the Tenth
Central to the Court's decision in Condon v. Reno was the fact that
information obtained by state motor vehicle agencies is now routinely
sold in interstate commerce.  The Court, in an opinion by Chief
Justice Rehnquist, said that "the motor vehicle information which the
States have historically sold is used by insurers, manufacturers,
direct marketers, and others engaged in interstate commerce to contact
drivers with customized solicitations.  The information is also used
in the stream of interstate commerce by various public and private
entities for matters related to interstate motoring.  Because drivers'
information is, in this context, an article of commerce, its sale or
release into the interstate stream of business is sufficient to
support congressional regulation."
The Supreme Court rejected the argument made by South Carolina that
the Drivers Privacy Protection Act violated the Tenth Amendment,
holding that "the DPPA does not require the States in their sovereign
capacity to regulate their own citizens. The DPPA regulates the States
as the owners of databases."
EPIC filed an amicus brief in the case arguing in support of the
Drivers Privacy Protection Act.  EPIC said in its brief:
     The Drivers Privacy Protection Act safeguards the personal
     information of licensed drivers from improper use or
     disclosure.  It is a valid exercise of federal authority in
     that it seeks to protect a fundamental privacy interest.  It
     restricts the activities of states only to the extent that it
     concerns the subsequent use or disclosure of the information
     in a manner unrelated to the original purpose for which the
     personal information was collected.  The states should not
     impermissibly burden the right to travel by first compelling
     the collection of sensitive personal information and then
     subsequently disclosing the same information for unrelated
The decision is remarkable, particularly in light of recent cases
where the Supreme Court has typically deferred to state Tenth
Amendment claims and struck down federal statutes or claims brought in
federal court.
The decision in Condon v. Reno (US 2000) is available at:
EPIC's Amicus Brief in Condon v. Reno is available at:
[2] White House Releases "Cyber-Terrorism" Plan
The White House on January 7 released a national plan to protect
America's computer systems from unauthorized intrusions.  Included in
the proposal is the establishment of the controversial Federal
Intrusion Detection Network (FIDNET) which would monitor activity on
government computer systems.  The plan also calls for the
establishment of an "Institute for Information Infrastructure
Protection" and a new program that will offer college scholarships to
students in the field of computer security in exchange for public
service commitments.
The initiative is an outgrowth of recommendations made in the October
1997 report of the President's Commission on Critical Infrastructure
Protection (PCCIP) and in Presidential Decision Directive 63 (PDD 63)
on Critical Infrastructure Protection issued in May 1998.
In its report "Critical Infrastructure Protection and the Endangerment
of Civil Liberties," released in October 1998, EPIC noted that the
PCCIP had proposed
     the development of a large-scale monitoring strategy for
     communications networks.  Borrowing techniques that have been
     applied to hostile governments and foreign agents, the PCCIP
     brings the Cold War home with an open-ended proposal to
     conduct ongoing surveillance on the communications of
     American citizens.
EPIC noted in its report that "these proposals are more of a threat
to our system of ordered liberty than any single attack on our
infrastructure could ever be."  Last year, EPIC filed a series of
Freedom of Information Act requests seeking the details of these
President Clinton acknowledged the privacy concerns when he announced
the new initiative. "It is essential that we do not undermine liberty
in the name of liberty.  I will continue to work equally hard to
uphold the privacy rights of the American people as well as the
proprietary rights of American businesses," he said.
The text of the "National Plan for Information Systems Protection" and
other relevant material -- including EPIC's report "Critical
Infrastructure Protection and the Endangerment of Civil Liberties" --
is available at:
[3] EPIC Comments on Use of the Internet for Campaign Activity
EPIC submitted comments to the Federal Election Commission on January
4 in response to the FEC's Notice of Inquiry about the use of the
Internet for campaign activity.  The FEC is conducting a review to
determine whether to amend the Federal Election Campaign Act to
regulate the creation of Web pages supporting particular candidates.
The Commission seeks to evaluate whether websites created by
individuals constitute contributions or expenditures and whether
hyperlinks to candidate websites should be regarded as in-kind
EPIC urged the Commission to refrain from regulating political speech
online and to sustain the Internet's capacity as a vehicle for
democracy and debate.  The paper noted that -- unlike print, radio,
and television -- the Internet is a unique medium of communication
with a capacity to transfer messages to vast audiences at little or no
cost. Moreover, determining the costs associated with the utility or
maintenance of web sites is difficult, if not impossible, particularly
when individuals use their computers to post information about diverse
topics.  EPIC also warned the Commission that requiring individuals
who create Web sites that strongly advocate the election or defeat of
a candidate to identify themselves in disclaimer statements would
impede speech and violate the constitutional protection of anonymity.
The paper asserted that the Commission should welcome political speech
on the Web and recognize the Internet's potential to expand democratic
debate and deliberation.  EPIC explained: "Regulating speech on the
Internet could deter the individual and grassroots efforts that would
possibly gain visibility only on the Web.  Just as individuals can
hang banners on their front yards or post bumper stickers on their
car, they should be able to express their viewpoints on the Web free
of reporting obligations or abstract cost assessments."
The comments EPIC submitted to the FEC are available at:
[4] EPIC Releases Survey of Online Privacy Policies
In an effort to educate the online shopper during the past holiday
season, EPIC released its survey of the privacy policies of the top
100 e-commerce sites -- "Surfer Beware III: Privacy Policies Without
Privacy Protection" -- on December 17.
"Surfer Beware III" found that few of the high-traffic websites offered
adequate privacy protection. In fact, not a single one of them
fulfilled important elements of Fair Information Practices
investigated in the survey.  Fair Information Practices serve as basic
guidelines for safeguarding personal information.  Also alarming was
the significant proportion (35 out of 100) of shopping sites that
allowed profile-based advertising networks to operate.  These
advertising networks are a stealthy and invasive way for third
parties -- companies that display banner advertisements -- to
track online behavior without the knowledge of the Internet user.
EPIC Executive Director Marc Rotenberg concluded that, "On balance, we
think that consumers are more at risk today than they were in 1997,
when we first examined privacy practices on the web. The profiling is
more extensive and the marketing techniques are more intrusive.
Anonymity, which remains crucial to privacy on the Internet, is being
squeezed out by the rise of electronic commerce."  To improve privacy
protection on the web, Rotenberg added that legally enforceable
standards of protection and more techniques enabling anonymity are
"Surfer Beware III: Privacy Policies without Privacy Protection" is
available at:
[5] Update on Safe Harbor Negotiations
Safe Harbor negotiations between the U.S. Department of Commerce and
the European Union continue although both sides remain outwardly
optimistic about a long-awaited agreement.  The latest in a long line
of estimated deadlines is this upcoming March.
The Safe Harbor proposal, a U.S.-sponsored set of principles that U.S.
companies would abide by to protect personal data of EU citizens, has
been the subject of debate for almost two years.  As EU citizens have
strong legal protections over their personal information via the 1995
EU Data Protection Directive, European authorities are attempting to
seek guarantees that those protections will continue when the data is
in the hands of U.S. companies.  As the United States has no
comprehensive laws protecting personal information in the hands of the
private sector, much of the debate has centered on how the Safe Harbor
Principles would be enforced.
The lack of enforcement and the overall weakness of the last draft of
the Safe Harbor Principles released on November 15 have been pointed
out in comments submitted by the TransAtlantic Consumer Dialogue
(TACD) -- a coalition of EU and US consumer groups -- and by the
Article 29 Working Group -- an expert panel of Privacy Commissioners
established to oversee the implementation of the EU Data Protection
Directive.  Despite opposition from the aforementioned groups and
others, on December 13, the semi-annual EU-US summit was expected
to unveil an agreement between the negotiating parties.  Shortly before
the summit, it was announced that no such agreement had yet been
Related to the ongoing debates, on January 11, the European Commission
announced that it would take France, Luxembourg, the Netherlands,
Germany, and Ireland to court for failing to implement the EU Data
Protection Directive in national law.  The EU Data Protection
Directive has come under fire for failing to gain statutory support in
some of its member countries.  However, this recent action
demonstrates that European authorities continue to take implementation
of the Directive seriously.
TACD Comments on the Latest Draft of the Safe Harbor Principles (see
also EPIC Alert 6.20):
Article 29 Working Group Opinion on the Safe Harbor Principles:
[6] EPIC Job Announcements
EPIC will be filling two new job openings in the upcoming months. The
Internet Activist position requires someone with an interest in civil
liberties issues and a strong technical background to maintain
internal equipment and work on web projects.  The Policy Analyst
opening seeks a person with the same civil liberties focus who would
work on research and writing projects and monitor legislation.
Applications are due on March 1, 2000.  Please send resumes and cover
letters to jobs@epic.org.
The complete job announcements can be found at:
[7] EPIC Bookstore -- Database Nation
EPIC is pleased to announce the publication of "Database Nation: The
Death of Privacy in the 21st Century" by noted author Simson
Fifty years ago George Orwell imagined a future in which privacy was
vanquished by a totalitarian state that used spies and video
surveillance to maintain control. In 2000 we find that the threats to
our privacy are not coming from a monolithic "Big Brother", but --
even harder to grapple with -- hundreds of sources, not seeking to
control us, merely to market to us, track us, count us, or streamline
paperwork.  The result, though, is still as chilling as "1984".
"Database Nation" explores the many threats to privacy in the
twenty-first century and warns its readers, as Orwell's 1984 did before, that
the cost of inaction will be the loss of freedom.  It has already
received widespread critical acclaim:
     "This is a chilling compendium of the myriad methods government
     and industry have devised to catalog and profile the preferences
     of American citizens. It is an essential handbook in the fight
     against the insidious erosion of a right so dear that freedom
     itself depends on it."
     The Hon. Edward J. Markey
     U.S. House of Representatives
     "Database Nation by Simson Garfinkel is a graphic and blistering
     indictment of the burgeoning technologies used by business,
     government, and others to invade the self - yourselves - and
     restrict both your freedom to participate in power and your
     freedom from abuses of power.  The right of privacy is a
     constitutionally protected right, and its erosion or destruction
     undermines democratic society as it generates, in one circumstance
     after another, a new kind of serfdom.  This book is one that
     you're entitled to take very personally."
     Ralph Nader, Consumer Advocate
     "Simson has captured the depth and breadth of our ever-increasing
     privacy problems, demonstrating their insidious nature and the
     extreme difficulties that they present for all of us. This book is
     hugely important. It should be read by everyone. Wonderfully
     readable. Five stars."
     Peter G. Neumann
     Principal Scientist, SRI-CRL
     Author, Inside Risks
Database Nation is now available for sale at the EPIC Bookstore.
Garfinkel, "Database Nation: The Death of Privacy in the 21st Century":
Database Nation website:
EPIC Bookstore:
[8] Upcoming Conferences and Events
RSA 2000. The ninth annual RSA Data Security Conference and Expo.
January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA.
For more information: http://www.rsa.com/rsa2000/
Privacy, Security & Confidentiality of Medical Records 2000: Complying
With New HIPAA Regulations. NonProfit Management. One Day Seminars.
Various Locations and Times. For more information:
Cyberspace and Privacy: A New Legal Paradigm? February 7, 2000.
Stanford Law School. Stanford, CA. For more information:
http://lawreview.stanford.edu or http://stlr.stanford.edu
Santa Clara University Computer and High Technology Journal Symposium
on Internet Privacy. February 11-12, 2000. For more information:
E-Commerce and Privacy: Implementing the New Law. Riley Information
Services. February 21, 2000. Westin Hotel, Ottawa. For more
information: http://www.rileyis.com/seminars/
Financial Cryptography '00. International Financial Cryptography
Association. February 21-24, 2000. InterIsland Hotel. Anguilla,
British West Indies. For more information: http://fc00.ai/
The New Wave of Privacy Protection in Canada. BC Freedom of
Information and Privacy Association and Riley Information Services.
March 9-10, 2000. Hotel Vancouver. Vancouver, British Columbia. For
more information: http://www.rileyis.com
Entrust SecureSummit 2000. May 1-4, 2000. Hyatt Regency Dallas at
Reunion. Dallas, Texas. For more information:
Shaping the Network: The Future of the Public Sphere in Cyberspace.
Computer Professionals for Social Responsibility (CPSR). Call for
Papers -- Abstracts Due February 15. May 20-23, 2000. Seattle,
Washington. For more information: http://www.scn.org/cpsr/diac-00
Telecommunications: The Bridge to Globalization in the Information
Society. Biennial Conference of the International Telecommunications
Society. July 2-5, 2000. For more information:
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. A Web-based form is available for subscribing or
unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
About EPIC
The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsored
by the Fund for Constitutional Government, a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights.  EPIC publishes the EPIC Alert, pursues Freedom of Information
Act litigation, and conducts policy research. For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240
(tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 7.01 -----------------------