EPIC logo
       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 7.15                                     August 3, 2000
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] Federal Judge Orders Fast FBI Action on Carnivore Material
[2] Flashback: It's the Clipper Chip All Over Again
[3] Report on Online Profiling Analyzes Recent FTC Agreement
[4] NGOs to Hold Public Voice Meeting on Emerging Privacy Issues
[5] Study Examines Children's Privacy and "Free" Internet Access
[6] Administration Seeks Public Comment on Privacy and Bankruptcy
[7] EPIC Bookstore - Privacy in the Information Age
[8] Upcoming Conferences and Events
[1] Federal Judge Orders Fast FBI Action on Carnivore Material
In response to a lawsuit filed by EPIC, a federal judge in Washington
has ordered the Federal Bureau of Investigation to establish a
timetable for the expedited release of information about the
"Carnivore" system no later than August 16.  The ruling came during an
emergency hearing convened by U.S. District Judge James Robertson on
August 2, only hours after EPIC filed an application for the immediate
public disclosure of information concerning the FBI's controversial
surveillance system.  EPIC's lawsuit charges that the Department of
Justice and the FBI have violated the law by failing to act on a
request to expedite the processing of a Freedom of Information Act
request EPIC submitted to the FBI on July 12.
The Carnivore system monitors traffic at the facilities of Internet
service providers (ISPs) in order to intercept information contained
in the electronic mail of criminal suspects.  Carnivore can reportedly
scan millions of e-mails each second and is capable of providing law
enforcement agents the ability to intercept all of an ISP's customers'
digital communications.  Serious questions have been raised in
Congress, in the media and in the privacy community concerning the
legality of Carnivore and its potential for abuse.
In response to the public uproar over Carnivore, Attorney General
Janet Reno announced on July 27 that the technical specifications of
the system would be disclosed to a "group of experts" to allay public
concerns.  But according to EPIC General Counsel David L. Sobel,
"There is no substitute for a full and open public review of the
Carnivore system.  The only way that the privacy questions can be
resolved is for the FBI to release all relevant information, both
legal and technical."  EPIC's FOIA request, which is the subject of
the federal court order, seeks the disclosure of "all records"
concerning Carnivore, including the underlying software and legal
analyses addressing the limitations, if any, that have been placed on
the use of the system.  A similar request for access to Carnivore
material was filed by the American Civil Liberties Union.
In a detailed submission to the Justice Department shortly after it
transmitted its request to the FBI, EPIC asserted that its Carnivore
request concerns "a matter of widespread and exceptional media
interest in which there exist possible questions about the
government's integrity which affect public confidence" -- one of the
legal standards that qualifies a request for "expedited processing."
Despite a ten-day time limit to answer requests for accelerated
processing, the Department failed to respond to EPIC's request until a
little more than an hour before the emergency court hearing.  In a fax
sent to EPIC, the FBI finally conceded that the Carnivore request
requires expedited treatment.
EPIC is a frequent FOIA requester and litigant, and previously sought
the disclosure of information from the FBI on the Communications
Assistance to Law Enforcement Act (CALEA) and from the National
Security Agency on the Clipper Chip (see below) and U.S. encryption
policy, among other subjects.
The legal memorandum in support of EPIC's motion for a temporary
restraining order is available in HTML at:
and in PDF at:
[2] Flashback: It's the Clipper Chip All Over Again
Longtime readers of the EPIC Alert might feel a sense of deja vu when
they read about the current controversy over the FBI's Carnivore
surveillance system.  That's probably because official statements on
the matter bear a striking resemblance to statements made in the early
days of the Clipper Chip controversy.  The Clipper Chip used
classified technology developed by the National Security Agency that,
according to the initial White House announcement on April 16, 1993,
"preserves the ability of federal, state and local law enforcement
agencies to intercept lawfully the phone conversations of criminals."
Clipper was an encryption system that deposited a spare decryption key
with the federal government.  Not surprisingly, the proposal was met
with a great deal of public mistrust and concern about potential
In an effort to address the public concerns over the Clipper Chip, the
White House announced that "respected experts from outside the
government will be offered access to the confidential details of the
algorithm to assess its capabilities and publicly report their
findings."  Although the reviewers eventually stated their
satisfaction with the technical specifications, the secrecy
surrounding the Clipper Chip was never lifted.  In fact, EPIC went to
court seeking the release of the underlying SKIPJACK algorithm, and
Today, the FBI steadfastly refuses to disclose the source code or
technical specifications of Carnivore.  Attorney General Reno
addressed the issue on July 27 and announced the Justice Department's
     The first step will be to have an individual expert or
     a group of experts, probably from an academic community,
     conduct a detailed review of the source code.  Those
     experts will report their findings to a panel of interested
     parties, people from the telecommunications and computer
     industries, as well as privacy experts. . . .
     I think it's a matter of explaining and trying to bring
     in experts that will give people additional confidence . . .
The Clipper Chip experience suggests that there's no real substitute
for full public disclosure.  While keeping the actual details under
wraps, various agencies posted reassuring statements and "Frequently
Asked Questions" files.  After several years of unsuccessfully trying
to promote the technology, the government eventually dropped the
initiative.  Today, a search for "Clipper Chip" at the Justice
Department's website yields a "no records" response.
For more background information on the Clipper Chip see:
[3] Report on Online Profiling Analyzes Recent FTC Agreement
On July 28, EPIC, in conjunction with Junkbusters, released a report
on the recent agreement between the Federal Trade Commission (FTC) and
the Network Advertising Initiative (NAI) on a set of self-regulatory
guidelines.  The NAI is a consortium of Internet advertising companies
representing roughly ninety percent of the growing industry and
includes companies such as DoubleClick and Engage.  Entitled "Network
Advertising Initiative: Principles not Privacy," the report examines
the year-long controversy of online profiling, the shortcomings of the
NAI guidelines, and proposes principles that would offer an adequate
level of privacy protection.
Online profiling, currently a common practice of Internet advertisers,
entails the collection of information about Internet behavior for the
creation of a profile or a representation about an Internet user's
interests and preferences.  Recent controversies have erupted around
not only the practice of online profiling, but also the linking
of these profiles to personal data.
The report argues that the self-regulatory guidelines endorsed by the
FTC and negotiated without significant involvement from consumer and
privacy groups, do not provide an adequate level of privacy
protection.  The guidelines will allow companies to collect online
profiling data on the basis of notice and opt-out, which provides no
assurances that consumers will know that their behavior is being
tracked and recorded.  The principles will also permit companies to
link online profiling data with personal data on the basis of a
"robust" notice and opt-out with little guidance as to what "robust"
procedures will be.  Similarly, provisions about access, the ability
to view and edit information collected, and the transfer of personal
data to third parties are vague and indeterminate.
In light of the inadequacy of the FTC-NAI agreement, the report
recommends that legislation built on Fair Information Practices will
better protect privacy and conform to the standards that consumers
prefer.  Such legal standards would also spur the development of more
innovative Internet advertising practices that do not rely on the
tracking of Internet users.
"Network Advertising Initiative: Principles not Privacy":
The recommendation of the Federal Trade Commission and materials
related to the Network Advertising Initiative guidelines:
[4] NGOs to Hold Public Voice Meeting on Emerging Privacy Issues
On September 27, EPIC and Privacy International will host a
conference, "The Public Voice in Privacy Policy," in Venice, Italy.
The meeting will be held in conjunction with the annual meeting of the
Data Protection and Privacy Commissioners to take place on September
The conference will bring together leading academic experts, NGO
leaders, and privacy officials from around the world to explore
current issues in privacy protection.  Panel discussions will focus on
the globalization of surveillance; copyright protection and privacy;
the EU-US negotiations on transborder data flows (Safe Harbor); and
the need for an international convention on data protection.
The first of these conferences was organized by Privacy International
and held in Sydney in 1992.  Subsequent meetings have taken place in
Manchester (1993), The Hague (1994), Copenhagen (1995), Ottawa (1996),
Brussels (1997), and Hong Kong (1999).
For program and registration details see:
For details on the Data Protection Commissioner's conference visit the
homepage of the Italian Data Protection Commission:
[5] Study Examines Children's Privacy and "Free" Internet Access
The Center for Advanced Technology at the University of Oregon has
produced a study, "Capturing the Eyeballs and E-Wallets of Captive
Kids in School: Dot.com Invades Dot.edu," examining companies that
offer "free" Internet access to schools in exchange for the
collection of marketing information from their students.  Schools
faced with an increasing amount of pressure to provide Internet access
to students are being lured into these deals by companies like Zapme!
and HiFusion.
Companies looking for an opportunity to reach younger audiences have
found that by offering free or reduced prices for computer equipment
or Internet access, they can start creating online profiles -
information about their interests and preferences - of children while
they are at school.  Some of these companies collect personal
information as well as information about Internet surfing behavior.
The study goes on to say that far too often, school administrators
approve partnerships with such companies without being fully aware of
the invasive practices of these companies.  In addition, parents who
trust the judgment of school officials are easily persuaded to consent
these practices.
Most importantly, the study argues that allowing online profiling
companies to begin collecting information on younger kids will likely
mold the expectation of privacy they may have as they become older. If
this practice becomes widespread, in the future, many children may
have a diminished sense of the proper boundaries of personal privacy.
"Capturing the Eyeballs and E-Wallets of Captive Kids in School:
Dot.com Invades Dot.edu" is available at:
[6] Administration Seeks Public Comment on Privacy and Bankruptcy
Following up on a proposal made earlier this year by the Clinton
Administration, the Department of Justice, the Department of the
Treasury and the Office of Management and Budget, in conjunction with
the Administrative Office of U.S. Courts, will be conducting a study on
the privacy of financial information disclosed to the public through
bankruptcy filings.  The agencies are currently soliciting public
comments on the issue.
The study will also discuss other controversial issues such as the
ability to sell personal information or customer lists as assets when
companies go bankrupt.  Recently, bankrupt online retailer
Toysmart.com has drawn criticism for attempting to sell its customer
lists to the highest bidder (see EPIC Alert 7.13).
The public comment period will end on September 8, 2000.
For more information on the study or to submit comments:
[7] EPIC Bookstore - Privacy in the Information Age
Privacy in the Information Age (Library in a Book) by Harry Henderson
Privacy in the Information Age examines the growing controversy of
diminishing privacy as advancements in computer technology facilitate
the monitoring and collection of information from people's daily
lives.  Everything from medical records to e-mail correspondence and
financial statements can be reviewed by other people without the
knowledge or consent of those whose information it is.  These records
can also be stored in database files.  Eventually, all aspects of an
individual's life may be gathered in a single computer file. While
this could be a powerful and useful tool, it raises many questions.
Who has the right to this information?  How can one control what sort
of information is being collected and whether or not that information
is accurate?  Author Harry Henderson examines the history of how
technology has created this dilemma and discusses the current status
of privacy laws.
EPIC Publications:
"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, editors, (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.
"The Privacy Law Sourcebook: United States Law, International Law, and
Recent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as well
as a comprehensive listing of privacy resources.
"Filters and Freedom - Free Speech Perspectives on Internet Content
Controls," David Sobel, editor (EPIC 1999). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.
"Privacy and Human Rights 1999: An International Survey of Privacy Laws
and Developments," David Banisar, Simon Davies, editors, (EPIC 1999).
Price: $15. http://www.epic.org/privacy&humanrights99/
An international survey of the privacy and data protection laws found
in 50 countries around the globe.  This report outlines the
constitutional and legal conditions of privacy protection, and
summarizes important issues and events relating to privacy and
Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore: http://www.epic.org/bookstore/
[8] Upcoming Conferences and Events
CPSR Meeting on Privacy & Security. August 15, 2000. Toronto
Cypherpunks/Webgrrls. Toronto, Canada.  For more information:
First International Hackers Forum. The Green Planet. August 18-20,
2000. Zaporozhye, Ukraine. For more information:
Surveillance Expo 2000. August 28-30, 2000. Arlington, VA. For more
information: http://www.surveillance-expo.com
Financial Privacy: Guaranteeing the Integrity of Your Customers
Information. International Communications for Management. September
7-8, 2000. New York, NY. For more information:
Health Information Privacy: A Dialogue with the Stakeholders.
September 21, 2000. Westin Hotel. Ottawa, Canada. For more
information: http://www.rileyis.com/seminars
KnowRight 2000 - InfoEthics Europe. Austrian Computer Society and
UNESCO. September 26-29, 2000. Vienna, Austria. For more information:
The Public Voice in Privacy Policy. EPIC and Privacy International.
September 27, 2000. Venice, Italy. For more information:
One World, One Privacy: 22nd Annual International Conference on
Privacy and Personal Data Protection. September 28-30, 2000. Venice,
Italy. For more information: http://www.dataprotection.org/
Drawing the Blinds: Reconstructing Privacy in the Information Age.
CPSR's Annual Conference and Wiener Award Dinner. October 14, 2000.
Philadelphia, PA. For more information: http://www.cpsr.org.
Privacy: A Social Research Conference. New School University. October
5-7, 2000. New York, NY. For more information:
Privacy2000: Information and Security in the Digital Age. October 31-
November 1, 2000. Columbus, Ohio. Adam's Mark Hotel. For more
information: http://www.privacy2000.org
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. A Web-based form is available for
subscribing or unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC is sponsored by the Fund for Constitutional Government, a
non-profit organization established in 1974 to protect civil liberties
and constitutional rights.  EPIC publishes the EPIC Alert, pursues
Freedom of Information Act litigation, and conducts policy research.
For more information, e-mail info@epic.org, http://www.epic.org or
write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC
20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 1718 Connecticut
Ave., NW, Suite 200, Washington, DC 20009.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you have
any other questions.
  ---------------------- END EPIC Alert 7.15 -----------------------