       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
    Volume 7.05                                     March 22, 2000
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.

Table of Contents

[1] Revised Safe Harbor Proposal Released
[2] New Survey Shows Strong Support for Privacy Laws
[3] Echelon Surveillance Controversy Heats Up in Europe
[4] Cyber Patrol Hackers Face Legal Proceedings
[5] Problems with Online Advertising Persist
[6] EPIC Submits Comments on Legal Barriers to E-Commerce
[7] EPIC Bookstore -- EPIC Publications
[8] Upcoming Conferences and Events

[1] Revised Safe Harbor Proposal Released

On March 17, the International Trade Administration of the U.S.
Department of Commerce publicly released the current version of the
Safe Harbor proposal.  The Safe Harbor negotiations between American
and European authorities have dragged on for more than two years, and
this most recent version of the principles represents some progress.
EU citizens are currently legally protected by the EU Data Protection
Directive, which prevents information from being sent to jurisdictions
that do not offer similarly adequate protections.  Safe Harbor is a
voluntary arrangement coordinated by the Dept. of Commerce for the
purpose of satisfying the adequacy requirement of the EU Directive.
The new proposal sets out obligations that American companies would
have to provide to European data subjects including: notice, choice
(opt-in for sensitive information, opt-out otherwise), onward
transfer, security, data integrity, access and enforcement.  Companies
choosing to join Safe Harbor can do so in several ways including
joining self-regulatory programs that adhere to these guidelines.  In
all the various options, the Federal Trade Commission (FTC) would have
ultimate enforcement authority over any company's compliance with the
While U.S. negotiators prematurely announced that an agreement had
been reached, significant issues still remain.  Enforcement remains a
key issue in the arrangement.  Neither self-regulatory programs nor the
FTC has a good record in following up on privacy complaints in
their jurisdictions.  Further, many of the provisions in the Safe
Harbor proposal, such as the access provision, provide fewer rights to
European citizens than would otherwise be available under the Data
Directive.  In addition, the Safe Harbor principles would offer
little direct support for greater privacy protections for U.S.
consumers despite growing public support (see item [2]).
At the end of this month, the Article 31 Committee, charged with
overseeing the implementation of the EU Directive, will meet and vote
on whether or not to accept the proposal.  After the expected
approval, the EU Commission could review the arrangement as early as
this May.
On the U.S. side, the proposal is subject to public comment until
March 28, 2000.  The Commerce Department requests that all comments
be submitted electronically in an HTML format to the following email
address: Ecommerce@ita.doc.gov.  If your organization does not have
the technical ability to provide comments in an HTML format, please
forward them in the body of the email, or in a Word or WordPerfect
format.  If necessary, hard copies of comments can be mailed to the
Electronic Commerce Task Force, U.S. Department of Commerce, Room
2009, 14th and Constitution Ave., NW, Washington DC 20230, or faxed
to 202-501-2548.  Please direct any questions to Becky Richards at
Rebecca_Richards@ita.doc.gov or 202-482-5227.
EPIC recommends that commentators consider whether the current
self-regulatory approach provides an adequate level of privacy
The current set of Safe Harbor Principles is available at:
Information and news on the EU Data Protection Directive:

[2] New Survey Shows Strong Support for Privacy Laws

A survey conducted by Harris Interactive demonstrates strong public
support for legal protections over personal information.  Fifty-seven
percent of respondents said "the government should pass laws now for
how personal information can be collected and used on the Internet".
In comparison, only 15 percent expressed support for allowing industry
groups to develop voluntary privacy standards.
Other statistics produced by the survey shed light on growing concerns
about privacy.  Forty-one percent of online consumers were very
concerned over the use of personal information by Internet companies.
The last time the same question was asked in 1998, only 31 percent of
respondents were similarly concerned.  The survey also addressed the
recent online profiling business models.  When asked about whether
they were comfortable with websites merging browsing habits with
real-life identities, fully 68 percent were "not at all comfortable"
and an additional 21 percent were "not very comfortable."
The poll appeared in the March 20 issue of Business Week and is
available online at:

[3] Echelon Surveillance Controversy Heats Up in Europe

Public concern over the Echelon surveillance system is growing in
Europe.  Next week in Strasbourg, France, the European Commission
intends to issue a statement about Echelon, communications
surveillance, and allegations of U.S. industrial espionage, according
to Graham Watson, chairman of the European Parliament's Citizens'
Rights Committee.  The Commission -- the official government body of
the European Union -- has previously denied knowledge of documents or
factual information concerning these issues.
During the same plenary session, the European Parliament will be asked
to establish a formal commission of inquiry into communications
surveillance.  The motion to appoint a commission has been proposed by
the Parliament's Green grouping.  Early this week, the group was
reporting that 130 of the required 160 signatures had already been
obtained in support of their proposal.
The Commission statement scheduled for next week will respond
specifically to the "Interception Capabilities 2000" report, which was
presented to the Citizens' Rights Committee on February 23 by British
journalist Duncan Campbell.  Since then, the controversy has been
significantly enlarged by a series of publications and briefings from
James Woolsey, who served as Director of the Central Intelligence
Agency from 1993 to 1995.  In his most recent statement, an op-ed in
the Wall Street Journal published on March 17, Woolsey told Europeans
to "get real" about U.S. spying.  Woolsey referred to examples cited
by Campbell where surveillance had taken place against two French
companies and stated, "That's right, my continental friends, we have
spied on you because you bribe".  Both companies involved, Thomson-CSF
and Airbus Industrie, quickly issued statements denying Woolsey's
This spring, Campbell is working with EPIC in Washington, DC as
Senior Research Fellow and is currently preparing a new report on
communications surveillance issues.  The new report, scheduled for
publication in early May, will focus on the activities of the National
Security Agency and the resulting civil liberties issues.  The report
will provide a suggested roadmap for proposed Congressional hearings
into NSA activities.
The European Parliament report, "Interception Capabilities 2000" (in
PDF format) is available at:
Four other reports in the same series on the "Development of
surveillance technology and risk of abuse of economic information" are
available at:

[4] Cyber Patrol Hackers Face Legal Proceedings

A federal judge in Boston issued a temporary restraining order on
March 17, prohibiting further distribution on the Internet of a
program that discloses a list of the sites that the filtering program
Cyber Patrol blocks and reveals the password that parents use to
enable the filtering software.  U.S. District Judge Edward F.
Harrington ordered the removal of the "cphack" program, created by
Matthew Skala of Canada and Eddy L. O. Jansson of Sweden, and banned
its use by anyone working with the two cryptography experts.  The
ruling also bans further publication of the bypass codes and binaries
by any other sites that may have obtained access to the information.
Mattel and a subsidiary, Microsystems Software Inc., which sells
Cyber Patrol, filed suit against Skala and Jansson on March 15.
Microsystems claims that the pair violated U.S. copyright laws by
reverse-engineering Cyber Patrol, which is prohibited in its licensing
agreements, and then distributing the source code and binaries that
enable users to bypass the software's encryption scheme.  Skala and
Jansson published the "cphack" program March 11 and provided a
detailed description of their reverse-engineering methodology.
The "cphack" program reveals a list of more than 100,000 sites that
Cyber Patrol deems unsuitable for children.  Among the blocked sites
are all of the student organizations at Carnegie Mellon University and
all journalism-related Usenet groups, as well as information about
feminism, chess and food.  Cyber Patrol claims to protect children
from sites containing violence, hate or pornography.
Another court hearing has been scheduled for March 27.  No defense
lawyers were present at the March 17 hearing.
For more information about filtering software and its free speech
implications, visit the homepage of the Internet Free Expression

[5] Problems with Online Advertising Persist

Online profiling has not gone away.
While DoubleClick released a statement on March 2 vowing not to join
online profiles to real-life identities, concerns about the company's
tracking of Internet users have not ended.  DoubleClick continues to
use invisible images embedded in web pages, also referred to as "web
bugs," to track users.  The advertising company also continues to
maintain two separate websites -- the Internet Address Finder
(www.iaf.net) and the Get Away From It All Sweepstakes site
(www.netdeals.com) -- both of which collect personal information. In
addition, South Carolina Attorney General Charles Condon has joined
attorneys general from both Michigan and New York State in
investigating DoubleClick's information collection and use practices.
Other online advertising companies have had to scale back their plans
to personally identify online profiles as well.  Online advertiser
24/7 has voluntarily refused to capitalize on its capability to join
personal information to online profiles.  As reported in the Wall
Street Journal on March 20, several companies with online operations
have started to restrict information available to their advertisers.
Procter & Gamble, General Motors, and the Ford Motor Company have all
started to limit the information transmitted to online advertisers
DoubleClick, Real Media, and MatchLogic.
For more information about "web bugs" and online profiling, visit
Richard Smith's page on Internet Privacy:
For archived news reports and an analysis of the DoubleClick

[6] EPIC Submits Comments on Legal Barriers to E-Commerce

On March 17, EPIC responded to the Department of Commerce's Request
for Public Comment on Legal Barriers to Electronic Commerce.
In its submission, EPIC said that legally enforceable privacy
protections, the free use and availability of cryptography and the
formation of international consumer protection standards would greatly
promote trust and confidence in electronic commerce and remove
barriers to its full development.  In its submission, EPIC argues that
in developing national policies in each of these three key areas, the
U.S. Government should co-operate with its international partners and
be influenced by the sound principles set out in the related
Organization for Economic Co-Operation and Development (OECD)
The text of EPIC's response to the Department of Commerce is available
online at:
The Request for Public Comment and submitted comments are available
Copies of the OECD guidelines on privacy, cryptography, and consumer
protection in electronic commerce can be found at:

[7] EPIC Bookstore -- EPIC Publications

EPIC Publications:

"The Privacy Law Sourcebook: United States Law, International Law, and
Recent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.

The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as well
as a comprehensive listing of privacy resources.

"Filters and Freedom - Free Speech Perspectives on Internet Content
Controls," David Sobel, editor (EPIC 1999). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.

"Cryptography and Liberty: An International Survey of Cryptography
Policy," Wayne Madsen and David Banisar, editors, (EPIC 1999). Price:
$15. http://www.epic.org/cryptobook99/

An international survey of encryption policies around the world. Survey
results show that in the vast majority of countries, cryptography may
be freely used, manufactured, and sold without restriction, with the
U.S. being a notable exception.

"Privacy and Human Rights 1999: An International Survey of Privacy Laws
and Developments," David Banisar, Simon Davies, editors, (EPIC 1999).
Price: $15. http://www.epic.org/privacy&humanrights99/

An international survey of the privacy and data protection laws found
in 50 countries around the globe.  This report outlines the
constitutional and legal conditions of privacy protection, and
summarizes important issues and events relating to privacy and

Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore: http://www.epic.org/bookstore/

[8] Upcoming Conferences and Events

***** Big Brother Awards Nominations ***** Awards to be presented at
the Computers, Freedom, and Privacy 2000 Conference in Toronto,
Canada. For more information and submission of nominees:

Is It Any of Your Business? Consumer Information, Privacy, and the
Financial Services Industry. Federal Deposit Insurance Corporation.
March 23, 2000. Seidman Center Auditorium. Arlington, VA. For more
information: http://www.fdic.gov/news/news/press/2000/pr0014.html

Privacy, Security & Confidentiality of Medical Records 2000: Complying
With New HIPAA Regulations. NonProfit Management. One Day Seminars.
Various Locations and Times. For more information:

Chief Privacy Officer (CPO) Program 2000. Privacy & American Business.
For more information: http://www.pandab.org/

Federal Trade Commission Advisory Committee on Online Privacy and
Security. Series of Meetings. Federal Trade Commission Headquarters.
Washington, DC. For more information: http://www.ftc.gov/acoas/

HIPAA Security and Privacy Requirements: A How To Blueprint for
Compliance. MIS Training Institute. Two-day Seminars. Various
Locations and Times. For more information: http://www.misti.com

Call for Papers -- Freedom of Expression in the Information Age.
Stanford Journal of International Law. Deadline April 15, 2000. For
more information: http://www.stanford.edu/group/SJIL/

Access Act Reform: The Destruction of Records and Proposed Access Act
Amendments. Riley Information Services. May 1, 2000. Westin Hotel.
Ottawa, Canada. For more information: http://www.rileyis.com/seminars/

Entrust SecureSummit 2000. May 1-4, 2000. Hyatt Regency Dallas at
Reunion. Dallas, TX. For more information: http://www.securesummit.com

Call for Papers -- 16th Annual Computer Security Applications
Conference. Deadline May 12, 2000. Sheraton Hotel. New Orleans, LA.
December 11-15, 2000. For more information: http://www.acsac.org/

Electronic Government: New Challenges for Public Administration and
Law. May 18, 2000. Center for Law, Public Administration, and
Informatization of Tilburg University, Netherlands. For more
information: http://schoordijk.kub.nl/crbi/egov/

Shaping the Network: The Future of the Public Sphere in Cyberspace.
Computer Professionals for Social Responsibility (CPSR). May 20-23,
2000. Seattle, WA. For more information:

Telecommunications: The Bridge to Globalization in the Information
Society. Biennial Conference of the International Telecommunications
Society. July 2-5, 2000. For more information:

KnowRight 2000 - InfoEthics Europe. Austrian Computer Society and
UNESCO. September 26-29, 2000. Vienna, Austria. For more information:

Privacy2000: Information and Security in the Digital Age. November 29,
2000. Adam's Mark Hotel. Columbus, Ohio. For more information:

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. A Web-based form is available for subscribing or
unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsored
by the Fund for Constitutional Government, a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights.  EPIC publishes the EPIC Alert, pursues Freedom of Information
Act litigation, and conducts policy research. For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240
(tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 7.05 -----------------------