EPIC logo
       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 7.14                                      July 27, 2000
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] Congress Examines FBI Carnivore Surveillance System
[2] New Bill Would Require Notice of Workplace Monitoring
[3] European Commission Adopts Safe Harbor Data Principles
[4] Microsoft Offers Security Patch for Third-Party Cookies
[5] EPIC Bill-Track: New Bills in Congress
[6] Resources Available for National High School Debate Topic
[7] EPIC Bookstore - The Electronic Privacy Papers
[8] Upcoming Conferences and Events
[1] Congress Examines FBI Carnivore Surveillance System
On July 24, the House Judiciary Committee convened a hearing on the
Federal Bureau of Investigation's controversial Internet surveillance
program, Carnivore.  The Committee hoped to shed light on the largely
unknown capabilities of the program, as well as to solicit feedback
from Carnivore's critics.
Carnivore is an advanced packet sniffer which the FBI installs on an
Internet Service Provider's (ISP) backbone to scan and record selected
communications.  Carnivore scans all of an ISP's Internet traffic,
looking for and recording relevant messages.  It is Carnivore's
ability to monitor large amounts of communications, as well as its
still unknown configuration potential, that has raised concerns among
members of Congress and privacy and civil liberties advocates.
The FBI faced stiff bi-partisan questioning over Carnivore, led by
Reps. Jerrold Nadler (D-NY) and Bob Barr (R-GA).  Both representatives
expressed skepticism about the FBI's assurances that Carnivore was a
"surgical" instrument that is actually less intrusive than a standard
wiretap, and both were curious as to why the FBI had not informed
Congress about Carnivore earlier.
Witnesses on a second panel were also highly critical of the Bureau.
Barry Steinhardt of the ACLU said the use of Carnivore is like "a
wiretap capable of accessing the contents of all of the phone
company's customers."  This, he stated, was a direct violation of the
Fourth Amendment's requirement of narrow and targeted searches,
designed to protect both the privacy of individuals and the ability of
the government to conduct searches.  Like many members of the
Committee, Steinhardt was skeptical of the FBI's "trust us" approach.
One of the consistent criticisms of the Carnivore program is that very
little information on its use and capabilities has been made public.
In the interest of the fullest possible public disclosure, EPIC
submitted a Freedom of Information Act request to the FBI on July 12
seeking the disclosure of all information relating to Carnivore.
Testimony presented at the House Judiciary Committee hearing:
The hearing can be viewed in its entirety over the web at:
More on the history of FBI monitoring of Internet communications and
the "digital telephony" law (or CALEA) is available at the EPIC
Wiretap Page:
[2] New Bill Would Require Notice of Workplace Monitoring
Bi-partisan legislation introduced in both houses of Congress would
prevent employers from secretly monitoring the communications and
computer use of their employees.  The "Notice of Electronic Monitoring
Act" (S.2898 and H.R.4908) would require employers to give "clear and
conspicuous notice" to their employees if they intend to read e-mail,
monitor keystrokes or Web activity, or listen to telephone
conversations.  The bill was introduced on July 20 by Sen. Charles
Schumer (D-NY) and Reps. Charles Canady (R-FL) and Bob Barr (R-GA).
The proposed legislation would not prohibit electronic monitoring, nor
would it require employers to give notice each time they monitor an
employee's activity.  Instead, employers would be required to provide
workers with initial notices when they are hired, and then annually
and whenever there are changes to the company's monitoring policy.
Monitoring could be conducted without notice if there is reason to
believe the employee is engaging in conduct harmful to the employer or
another employee.
The required notification would have to specify the type of computer
use that would be monitored, how the monitoring would be accomplished,
the frequency of the monitoring, the kinds of information that would
be obtained, and how the information would be stored, used or
disclosed.  Employees would be able to sue employers for civil damages
if electronic monitoring is conducted without the required notice.
Workplace monitoring has become increasingly common in recent years --
an American Management Association report found that forty-five
percent of major U.S. firms record and review employee communications
and activities on the job -- but the courts have generally provided
employees with little recourse.  Privacy advocates have long
maintained that providing notice of a monitoring policy should, as a
bare minimum, be required before employers can engage in such invasive
Another privacy-related bill was introduced on July 26 by Sens. John
McCain (R-AZ), John Kerry (D-MA), and Spencer Abraham (R-MI).  The
bi-partisan Internet privacy legislation would require all commercial
websites to make clear disclosures about their information collection
practices. The mandatory disclosures would be enforced by the Federal
Trade Commission.  The Senate Commerce Committee plans to hold
hearings on the proposal in September.
The American Management Association's 1999 survey, "Workplace
Monitoring and Surveillance," is available at:
[3] European Commission Adopts Safe Harbor Data Principles
On July 26, the European Commission finalized its decision to approve
the latest U.S. Safe Harbor proposal, thereby ending two years of
negotiations between the U.S. Department of Commerce and the European
Union on the transborder flows of European citizens' personal data.
The agreement allows companies to voluntarily abide to a set of
principles protecting data belonging to EU citizens.  However, the
arrangement will not offer any increase in protections for U.S.
The Commission decided to approve this agreement in spite of a
forceful resolution by the European Parliament adopted on July 5 that
the agreement needed to be re-negotiated in order to provide adequate
protection (see EPIC Alert 7.13).  Acknowledging the Parliament's
criticisms, the Commission went ahead with the adoption of Safe Harbor
and promised to re-open negotiations on the arrangement if the
remedies available to European citizens prove inadequate.  EU member
states will have 90 days to put the Commission's decision into effect
and companies may join Safe Harbor starting in November.
In other international news, the Group of Eight (G8) has issued a
charter on the "Global Information Society."  The group, which
comprises the top eight industrial countries in the world, met last
week in Okinawa for its annual summit.  The charter recognizes the
need to promote consumer trust and confidence in the electronic
marketplace (in particular by providing reliable means of settling
cross-border disputes), developing "effective and meaningful" privacy
protections, and ensuring the security of stored data.  Addressing the
issue of cyber-crime, the Group stated that it will continue to
promote dialogue and co-operation between governments and industry.
Building on its earlier meeting in May of this year with industry
groups, the Group re-affirmed the need to tackle urgent security
issues such as hacking, viruses, and critical infrastructure.
Information regarding the European Commission's adoption of Safe
The European Parliament resolution is available at:
The G8 Communique from the Okinawa meeting is available at:
[4] Microsoft Offers Security Patch for Third-Party Cookies
On July 20, Microsoft announced that it was introducing a beta
security patch for the next version of Internet Explorer that would
allow for better management of web cookies.  The test version of the
patch should be available to the public by the end of August.
According to preliminary descriptions, the patch will offer several
features that will allow users to control cookies more effectively.
The browser will be able to differentiate between first-party and
third-party cookies and the default setting will warn the user when a
persistent third-party cookie is being served.  Persistent third-party
cookies are used heavily by Internet advertisers, such as DoubleClick,
to track computer users' activities.  In addition, the new
functionality will allow Internet users to delete all cookies with a
single click and will make information about security and privacy more
easily accessible.  The security patch does not, however, increase
consumer control over the use of first-party cookies prevalent on
commercial websites.
The cookie management features follow on the heels of other recent
security patches issued by Microsoft correcting data leak issues.  In
May, the company released a patch for the popular Outlook program that
would turn off cookies in email messages.
In related news, the newly created non-profit Privacy Foundation has
announced its first initiative, the creation of a Privacy Center at
the University of Denver.  The Privacy Center will be a research and
education organization that seeks to investigate new technology and
inform the public on how to protect themselves from privacy invasions.
Richard Smith, noted Internet privacy expert, is the Chief Technology
Officer for the organization.
Information about the security patch is available at:
For cookie management software and other privacy enhancing
technologies, visit the EPIC Online Guide to Practical Privacy Tools:
For more information about the Privacy Foundation's new research
[5] EPIC Bill-Track: New Bills in Congress
H.R.4311. Identity Theft Protection Act of 2000. Institutes
confirmations of changes of address, annually distributed free credit
reports, and access to information held by individual reference
services providers (see also S.2328). Sponsor: Rep. Hooley, Darlene
(D-OR). Referred to the Subcommittee on Financial Institutions and
Consumer Credit.
H.R.4857. Privacy and Identity Protection Act of 2000. Far-reaching
law that would restrict government uses of the social security number
and create regulations over the sale and purchase and sale of social
security numbers by the private sector (see also S.2876). Sponsor:
Rep. Shaw, E. Clay, Jr. (R-FL). Forwarded by Subcommittee to Full
House Ways and Means Committee (Amended) by Voice Vote.
H.R.4908 Notice of Electronic Monitoring Act. Amends the Electronic
Communications Privacy Act to require employers to provide notice to
employees of electronic monitoring unless the employer believes the
employee is engaged in harmful activity (see also S.2898). Sponsor:
Rep. Canady, Charles T. (R-FL). Referred to the House Committee on the
S.2328. Identity Theft Prevention Act of 2000. Institutes
confirmations of changes of address, annually distributed free credit
reports, and access to information held by individual reference
services providers (see also H.R.4311). Sponsor: Sen. Feinstein,
Dianne (D-CA). Read twice and referred to the Committee on Banking,
Housing, and Urban Affairs.
S.2554. Amy Boyer's Law. Would limit display of social security
numbers. Sponsor: Sen. Gregg, Judd (R-NH). Read twice and referred to
the Committee on Finance.
S.2871. Social Security Number Privacy Act of 1999. Amends the
Gramm-Leach-Bliley Act (see S.900) to prohibit financial institutions
from selling social security numbers. Sponsor: Sen. Shelby, Richard C.
(R-AL). Read twice and referred to the Committee on Banking, Housing,
and Urban Affairs.
S.2876. Privacy and Identity Protection Act of 2000. Far-reaching law
that would restrict government uses of the social security number and
create regulations over the sale and purchase and sale of social
security numbers by the private sector (see also H.R.4857). Sponsor:
Sen. Bunning, Jim (R-KY). Read twice and referred to the Committee on
S.2898. Notice of Electronic Monitoring Act. Amends the Electronic
Communications Privacy Act to require employers to provide notice to
employees of electronic monitoring unless the employer believes the
employee is engaged in harmful activity (see also H.R. 4908). Sponsor:
Sen. Schumer, Charles E. (D-NY). Read twice and referred to the
Committee on the Judiciary.
EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills
in the 106th Congress, is available at:
[6] Resources Available for National High School Debate Topic
In response to requests for information regarding the 2000-2001
National High School Debate Topic, "Resolved: that the United States
federal government should significantly increase protection of privacy
in one or more of the following areas: employment, medical records,
consumer information, search and seizure," EPIC has produced a webpage
containing links to relevant websites, litigation, court cases, and
surveys.  A brief essay on the subject is also included.
We at EPIC are encouraged that the national debate topic relates to
privacy issues, and hope that the ideas and discussions produced will
become part of the larger debate on privacy.
The National High School Debate Topic Resources page is at:
[7] EPIC Bookstore - The Electronic Privacy Papers
The Electronic Privacy Papers: Documents on the Battle for Privacy in
the Age of Surveillance by Bruce Schneier, David Banisar
While most books on privacy and security issues in cyberspace simply
give accounts of debates on the issues, The Electronic Privacy Papers
documents the war--practically salvo by salvo.  Authors Schneier and
Banisar present the actual government and industry documents, which
cover both legal and technical matters.  The information includes
research reports on the value of wiretaps, influential speeches and
articles, and actual legislation that has gone before Congress.  Many
of the government documents, although legally available to the public
through the Freedom of Information Act, were improperly kept secret
until several lawsuits eventually forced their release.  These
"hidden" papers exhibit the FBI's push for government access to all
electronic communications, report on how increased government access
could also increase the opportunities for computer crime, and record
the conflict between those who favor private encryption technology and
those who'd make illegal encryption systems that don't allow
government agencies access to decryption keys.  Legislation and
Supreme Court decisions on these disputes are also presented.  This
book will give you a clear understanding of both sides of the debate
and will provide insight into the strategies that both government and
privacy advocates use in attempt to achieve their desired result.
EPIC Publications:
"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, editors, (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.
"The Privacy Law Sourcebook: United States Law, International Law, and
Recent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as well
as a comprehensive listing of privacy resources.
"Filters and Freedom - Free Speech Perspectives on Internet Content
Controls," David Sobel, editor (EPIC 1999). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.
"Privacy and Human Rights 1999: An International Survey of Privacy Laws
and Developments," David Banisar, Simon Davies, editors, (EPIC 1999).
Price: $15. http://www.epic.org/privacy&humanrights99/
An international survey of the privacy and data protection laws found
in 50 countries around the globe.  This report outlines the
constitutional and legal conditions of privacy protection, and
summarizes important issues and events relating to privacy and
Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore: http://www.epic.org/bookstore/
[8] Upcoming Conferences and Events
CPSR Meeting on Privacy & Security. August 15, 2000. Toronto
Cypherpunks/Webgrrls. Toronto, Canada.  For more information:
First International Hackers Forum. The Green Planet. August 18-20,
2000. Zaporozhye, Ukraine. For more information:
Surveillance Expo 2000. August 28-30, 2000. Arlington, VA. For more
information: http://www.surveillance-expo.com
Health Information Privacy: A Dialogue with the Stakeholders.
September 21, 2000. Westin Hotel. Ottawa, Canada. For more
information: http://www.rileyis.com/seminars
KnowRight 2000 - InfoEthics Europe. Austrian Computer Society and
UNESCO. September 26-29, 2000. Vienna, Austria. For more information:
One World, One Privacy: 22nd Annual International Conference on
Privacy and Personal Data Protection. September 28-30, 2000. Venice,
Italy. For more information: http://www.dataprotection.org/
Privacy: A Social Research Conference. New School University. October
5-7, 2000. New York, NY. For more information:
Privacy2000: Information and Security in the Digital Age. October 31-
November 1, 2000. Columbus, Ohio. Adam's Mark Hotel. For more
information: http://www.privacy2000.org
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. A Web-based form is available for
subscribing or unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC is sponsored by the Fund for Constitutional Government, a
non-profit organization established in 1974 to protect civil liberties
and constitutional rights.  EPIC publishes the EPIC Alert, pursues
Freedom of Information Act litigation, and conducts policy research.
For more information, e-mail info@epic.org, http://www.epic.org or
write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC
20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 1718 Connecticut
Ave., NW, Suite 200, Washington, DC 20009.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you have
any other questions.
  ---------------------- END EPIC Alert 7.14 -----------------------