       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 7.16                                 September 13, 2000
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.

Table of Contents

[1] EPIC Testifies on Online Privacy Bills before Congress
[2] FBI and DOJ Continue to Oppose Disclosure of Carnivore Info
[3] GAO Study Finds that Government Websites Fail on Privacy
[4] New Polls Show Public Support for Privacy Policies
[5] FTC Seeks Public Comment on Security of Financial Data
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - The Privacy Law Sourcebook 2000
[8] Upcoming Conferences and Events

[1] EPIC Testifies on Online Privacy Bills before Congress

On September 6, EPIC Executive Director Marc Rotenberg testified
before the House Judiciary Committee on three bills now pending in
Congress -- the Electronic Communications Privacy Act of 2000, the
Digital Privacy Act of 2000, and the Notice of Electronic Monitoring
Act of 2000.  The first two bills would strengthen the federal wiretap
statute.  The third bill would require employers to notify employees
when they conduct electronic surveillance.
Rotenberg said that EPIC favors proposals to strengthen the standards
and oversight for wiretapping.  "We support the provisions that would
extend current reporting requirements, clarify the scope of the
exclusionary rule, establish a high standard for the issuance of
warrants for pen register and trap and trace devices, as well as
access to locational information."
Rotenberg noted that EPIC opposed passage of the Communications
Assistance for Law Enforcement Act (CALEA) in 1994, relying in part on
information contained in the federal wiretap reports that revealed
that wiretapping was hardly ever used in cases involving kidnapping or
bombings, as the FBI had alleged.  Both bills pending in Congress
would extend the reporting requirements to new forms of electronic
Rotenberg also said that strengthening the "pen register" and "trap
and trace" provisions in the federal wiretap statute was necessary
because of recent concerns about the scope of the FBI's Carnivore
monitoring system and ongoing questions about the appropriate standard
for access to transactional data.  EPIC is currently seeking
information describing the Carnivore surveillance system in a widely
reported Freedom of Information Act case (see [2] below).
On the proposal to require notice of electronic monitoring conducted
in the workplace, Rotenberg said that a stronger measure is
appropriate and necessary to safeguard privacy.  "If the bill remains
a notice-only measure, we would strongly urge the Committee to add a
provision that would require the notice to be available by means of
the World Wide Web. That would prevent intimidation of employees seen
reading the notice (a common problem with paper notices) and would
also help the labor market function by enabling prospective employees
to evaluate the privacy policies of prospective employers."
He recommended that workplace privacy legislation incorporate Fair
Information Practices and follow provisions in existing U.S. privacy
laws, as well as the International Labour Organization privacy
EPIC's Testimony before the House Judiciary Committee:
For more information, visit the EPIC Wiretap Page:

[2] FBI and DOJ Continue to Oppose Disclosure of Carnivore Info

As Congressional committees convened hearings on the FBI's Carnivore
surveillance system, the Bureau and the Department of Justice continue
to oppose efforts to publicize important information about the design
and capabilities of the invasive technology.  The agencies recently
moved to dismiss EPIC's lawsuit seeking disclosure of information
about Carnivore, and have belatedly indicated that the full results of
an "independent review" of the system probably will not be made
On July 12, one day after the initial media coverage of Carnivore,
EPIC filed a Freedom of Information Act (FOIA) request seeking the
public release of all FBI records concerning the system, including the
source code, other technical details, and legal analyses addressing
the potential privacy implications of the technology.  On July 18,
after Carnivore had become a major issue of public concern, EPIC asked
the Justice Department to expedite the processing of its request. When
DOJ failed to respond within the statutory deadline, EPIC filed suit
in U.S. District Court seeking the immediate release of all
information concerning Carnivore. (See EPIC Alert 7.15).
At an emergency hearing held on August 2, U.S. District Judge James
Robertson ordered the FBI to report back to the court by August 16 and
to identify the amount of material at issue and the Bureau's schedule
for releasing it.  The FBI subsequently reported that 3000 pages of
responsive material were located, but refused to commit to a date for
the completion of processing.  EPIC immediately sought a court order
requiring the FBI to release the material by December 1, 2000 -- when
the Justice Department plans to release the results of an "independent
review" of the Carnivore system.
In response to EPIC's motion for a disclosure deadline, the Justice
Department and the FBI on August 24 moved to dismiss the lawsuit,
claiming that the court has no authority to order the release of
Carnivore documents by any particular date.  EPIC responded to the
government motion on September 1.
As it was moving to dismiss the FOIA suit, the Justice Department
finally revealed the details of its proposed independent review of the
Carnivore system.  In the request for proposals released on August 24,
DOJ acknowledged that the complete report of the reviewers probably
will not be made available to the public:
     The contractor will document the results of the technical
     review into a draft and final report that the Department
     will *make public to the maximum extent that is consistent
     with otherwise applicable law or contractual obligations
     and with preserving the effectiveness of Carnivore* as a
     tool for effectuating court-ordered interceptions of
     electronic communications or related information.
     (emphasis added).
USA Today has reported that most of the universities that had
initially expressed an interest in performing the review are unwilling
to do so under the conditions imposed by DOJ.  Regardless of its
outcome, EPIC continues to believe that the proposed independent
review is no substitute for the public disclosure of information
concerning Carnivore, consistent with the requirements of the FOIA.
More information on EPIC's FOIA litigation, and the DOJ independent
review, is available at:

[3] GAO Study Finds that Government Websites Fail on Privacy Policies

On September 12, the General Accounting Office (GAO) released its
study of government website privacy policies and how they conform to
Fair Information Practices as formulated by the Federal Trade
Commission (FTC).  The study found that ninety-seven
percent of government websites failed to address the FTC Fair
Information Practices of notice, choice, access, and security. Earlier
this year, a group of House Republicans asked for the study in
response to the FTC's own recommendation to Congress for legislation
covering private sector websites.
Of the sixty-five government agency websites surveyed, eighty-five
percent posted a privacy policy.  In addition, fourteen percent of the
notices stated that the website allowed cookies to be placed by
third-parties.  Third-party cookies, often used for online profiling
by Internet advertising companies, have been the focus of recent
privacy controversies.
While some have concluded from the GAO's study that Congress should
not be looking into regulating Internet privacy in the private sector,
others have pointed out that citizens already have rights and
protections under the
Privacy Act of 1974.  The Privacy Act requires government agencies to
provide the full range of Fair Information Practices including access,
purpose specification, use limitation, and data integrity principles
not fully provided in the FTC's formulation.  Also, unlike commercial
websites, the privacy protections available to visitors to government
web pages do not depend on the website operator's own stated
The GAO Study (1500K PDF) is available online at:
An online version of the Privacy Act of 1974:

[4] New Polls Show Public Support for Privacy

On August 20, the Pew Internet & American Life Project released a
report, "Trust and Privacy Online: Why Americans Want to Rewrite the
Rules," examining the public's attitudes towards privacy and the
Internet.  The survey of over 2,000 adults found that the majority of
interviewed online users want the presumption of privacy on the
Internet but do not possess the necessary technical knowledge about
how their privacy may be invaded or how to protect themselves.
The report also documented that 86 percent of Internet users support
an opt-in standard for privacy protection, diverging from the opt-out
favored by the Federal Trade Commission and industry-sponsored
self-regulatory groups.  The survey also found that 84 percent of
those surveyed were concerned about unknown third parties accessing
their personal information, while 68 percent were concerned about
hackers obtaining their credit card numbers.  In addition, while 62
percent of those who have been online for a short amount of time are
concerned about privacy online, 50 percent of those who have been
online for more than three years continue to share those sentiments.
A separate survey conducted by Yankelovich Partners found a similar
widespread concern about privacy on the Internet.  The survey of over
1,000 adults found that 90 percent of respondents felt that privacy
was the most pressing concern when shopping online, rating higher than
prices and return policies.  The survey also found that 79 percent of
respondents leave websites when required to provide personal
information to proceed.
"Trust and Privacy Online: Why Americans Want to Rewrite the Rules" is
available at:
An archive of surveys of public attitudes towards Internet privacy is
available at:

[5] FTC Seeks Public Comment on Security of Financial Data

On August 31, the Federal Trade Commission (FTC) began soliciting
public comments on the portion of Gramm-Leach-Bliley, the Financial
Services Modernization Act, addressing safeguards and security for
nonpublic financial data.  Section 501(b) of Gramm-Leach-Bliley
required the FTC and other agencies with jurisdiction over financial
institutions to establish rules setting security standards for
personal financial information.  The notice from the FTC does not
propose a rule for security, but instead requests comment on the scope
and specificity of such a rule, as well as how it should work with
guidelines produced by other government agencies with jurisdiction
over financial institutions.
In related news, the comment period for the Department of Justice
study on bankruptcy and privacy has been extended to September 22 (see
EPIC Alert 7.15).  The study will examine both the privacy of personal
data submitted in the course of bankruptcy filings as well as whether
such data can be declared as an asset in bankruptcy proceedings.
For more information about the Gramm-Leach-Bliley Safeguards Rule:
For more information on the DOJ Privacy and Bankruptcy study:

[6] EPIC Bill-Track: New Bills in Congress

H.R.4987. Digital Privacy Act of 2000. Updates wiretap statute to
include greater reporting requirements, higher standards for use of
pen registers, and restrictions on government access to cellular phone
location information. Sponsor: Rep. Barr, Bob (R-GA). Referred to
House Committee on the Judiciary.
H.R.5018. Electronic Communications Privacy Act of 2000. Updates
wiretap statute to include stored electronic communication. Also
expands reporting requirements and raises the legal standard for use
of pen registers. Sponsor: Rep. Canady, Charles T. (R-FL). Referred to
House Committee on the Judiciary, Subcommittee on the Constitution.
S.2360. Freedom From Behavioral Profiling Act of 2000. Amends
Gramm-Leach-Bliley (Financial Services Modernization Act) to require
consent before financial institutions can disclose information about a
customer's purchasing habits or financial practices. Sponsor: Sen.
Shelby, Richard C. (R-AL). Read twice and referred to the Committee on
Banking, Housing, and Urban Affairs.
S.2857. Privacy Policy Enforcement in Bankruptcy Act of 2000. Prevents
personal data such as a name, address, or credit card number from being
claimed as an asset in bankruptcy proceedings. Sponsor: Sen. Leahy,
Patrick J. (D-VT). Read twice and referred to the Committee on the
S.2928. Consumer Internet Privacy Enhancement Act. Requires commercial
websites to provide notice and opt-out when collecting personal
information. Notably, also pre-empts state laws regarding Internet
privacy. Sponsor: Sen. McCain, John (R-AZ). Referred to Senate
Committee on Commerce, Science, and Transportation.
EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills
in the 106th Congress, is available at:

[7] EPIC Bookstore - The Privacy Law Sourcebook 2000

The Privacy Law Sourcebook 2000: United States Law, International Law,
and Recent Developments edited by Marc Rotenberg
The Privacy Law Sourcebook is the first one-volume resource for
students, attorneys, researchers and journalists who need a
comprehensive collection of US and International privacy law, as well
as a fully up-to-date section on recent developments. Includes the
full texts of most major privacy laws and directives such as the FCRA,
the Privacy Act, FOIA, Family Education Rights and Privacy Act, Right
to Financial Privacy Act, Privacy Protection Act, Cable Communications
Policy Act, ECPA, Video Privacy Protection Act, OECD Privacy
Guidelines, OECD Cryptography Guidelines, European Union Directives
for both Data Protection and Telecommunications, and more. The Privacy
Law Sourcebook is updated and expanded for 2000 to include the new
Canadian privacy law, the final documents for the Safe Harbor
arrangement, and recent opinions from the European Commission on
compliance with the EU Data Directive. Also included is an extensive
section on privacy resources with useful web sites and contact
information for privacy agencies, organizations, and publications.
EPIC Publications:
"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, editors, (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.
"Filters and Freedom - Free Speech Perspectives on Internet Content
Controls," David Sobel, editor (EPIC 1999). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.
"Privacy and Human Rights 1999: An International Survey of Privacy Laws
and Developments," David Banisar, Simon Davies, editors, (EPIC 1999).
Price: $15. http://www.epic.org/privacy&humanrights99/
An international survey of the privacy and data protection laws found
in 50 countries around the globe.  This report outlines the
constitutional and legal conditions of privacy protection, and
summarizes important issues and events relating to privacy and
Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore: http://www.epic.org/bookstore/

[8] Upcoming Conferences and Events

Panel on Online Privacy. DC Internet Society. September 13, 2000.
Library of Congress, Madison Building. Washington, DC. For more
information: tweigler@dcisoc.org
Online Privacy Technologies Workshop. National Telecommunications and
Information Administration, Department of Commerce. September 19,
2000. Washington, DC. For more information:
Health Information Privacy: A Dialogue with the Stakeholders.
September 21, 2000. Ottawa, Canada. For more information:
International Forum on Surveillance by Design. Organized by Privacy
International, the American Civil Liberties Union, and Quintessenz.
September 22, 2000. London, England. For more information:
KnowRight 2000 - InfoEthics Europe. Austrian Computer Society and
UNESCO. September 26-29, 2000. Vienna, Austria. For more information:
The Public Voice in Privacy Policy. EPIC and Privacy International.
September 27, 2000. Venice, Italy. For more information:
Media, Democracy & The Constitution. The Fund for Constitutional
Government. September 27, 2000. National Press Club. Washington, DC.
For more information: FunConGov@aol.com
One World, One Privacy: 22nd Annual International Conference on
Privacy and Personal Data Protection. September 28-30, 2000. Venice,
Italy. For more information: http://www.dataprotection.org/
Drawing the Blinds: Reconstructing Privacy in the Information Age.
CPSR's Annual Conference and Wiener Award Dinner. October 14, 2000.
Philadelphia, PA. For more information: http://www.cpsr.org.
Privacy: A Social Research Conference. New School University. October
5-7, 2000. New York, NY. For more information:
Call for Papers. Online, Offshore and Cross-Border:  Regulating Global
E-Commerce. Washington College of Law, American University. October
15, 2000. For more information: lawrev@wcl.american.edu
Measuring & Analyzing Online Customer Behavior. International Quality
and Productivity Center. October 23-24, 2000. Chicago, IL. For more
information: http://www.iqpc.com
Privacy2000: Information and Security in the Digital Age. October 31-
November 1, 2000. Columbus, Ohio. For more information:
Mealey's Internet Law 101 Conference. November 1-2, 2000. Tysons
Corner, VA. For more information: seminars@mealeys.com
2000 BNA Public Policy Forum: e-commerce and internet regulation.
November 15-16, 2000. Tysons Corner, VA. For more information:

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. A Web-based form is available for
subscribing or unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you have
any other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC is sponsored by the Fund for Constitutional Government, a
non-profit organization established in 1974 to protect civil liberties
and constitutional rights.  EPIC publishes the EPIC Alert, pursues
Freedom of Information Act litigation, and conducts policy research.
For more information, e-mail info@epic.org, http://www.epic.org or
write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC
20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 1718 Connecticut
Ave., NW, Suite 200, Washington, DC 20009.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 7.16 -----------------------