EPIC logo

       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 7.19                                   October 31, 2000
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] Federal Filtering Mandate Moves Toward Enactment
[2] Opposition Grows to "Anti-Leak" Secrecy Legislation
[3] U.S. Copyright Office Announces Exceptions to DMCA
[4] International NGOs Oppose Draft Computer Crime Convention
[5] U.S. Implements Relaxed Encryption Export Controls
[6] IETF Issues New RFCs on Cookies
[7] EPIC Bookstore - Secrets and Lies
[8] Upcoming Conferences and Events
[1] Federal Filtering Mandate Moves Toward Enactment
Despite strong opposition from education, library and civil liberties
organizations, Congress appears to be on the verge of adopting a
mandatory requirement for schools and libraries to install Internet
filtering software (see EPIC Alert 7.17).  The filtering mandate was
attached to the appropriations bill for the Departments of Labor,
Health and Human Services, and Education by Sen. John McCain (R-AZ)
and Rep. Ernest Istook (R-OK).  Although the $350 billion spending
bill is currently tied up in partisan wrangling, the White House and
Republican leaders appear to have reached an agreement on the
filtering provision.
The bill would require schools and libraries to use "technology
protection measures" to block access to obscenity and child
pornography on all computers and material "harmful to minors" on all
computers used by minors.  It would also require schools and libraries
to hold public hearings on creating "Internet safety policies," a
component of which would include the mandatory technological solution.
Congress is moving ahead with the filtering mandate despite growing
evidence that filtering systems block access to valuable material that
is not even arguably "pornographic."  A joint report released last
week by EPIC and Peacefire.org  -- "Mandated Mediocrity: Blocking
Software Gets a Failing Grade" -- illustrates the dangers of blocking
software in public schools.  The report documents how N2H2's popular
software package "Bess" blocks access to a large number of educational
and political webpages.
If, as now appears likely, the filtering mandate is enacted into law,
the issue is likely to reach the courts, where prior legislation on
Internet content regulation, such as the Communications Decency Act
and Child Online Protection Act have been ruled unconstitutional.
EPIC participated in the challenges to those earlier measures and will
likely join other organizations in challenging mandatory filtering
In a related development, three U.S.-based websites today re-posted a
program that reveals a list of Web sites blocked by the Cyber Patrol
filtering software package.  The site operators had been coerced into
removing the program because of Cyber Patrol's claim that doing so
would violate its copyright.  But a First Circuit Court of Appeals
review of a lower court decision last month confirmed the operators'
belief that they are not bound by the earlier ruling.  In a further
vindication of the operators' position, final copyright law
regulations issued last week by the Library of Congress recognize the
important free speech rights at stake, and exempt from the new digital
copyright law any "reverse engineering" of, or unauthorized access to,
filtering software in order to expose lists of blocked sites (see item
3, below).
Additional information on the Cyber Patrol case is available at:
The EPIC/Peacefire report "Mandated Mediocrity: Blocking Software Gets
a Failing Grade" is available at:
[2] Opposition Grows to "Anti-Leak" Secrecy Legislation
President Clinton is being urged to veto legislation that would
greatly increase the secrecy of government information and possibly
authorize intrusive investigations.  The provision, which Congress
passed on a voice vote, is being compared to Britain's infamous
"Official Secrets Act."  The legislation, which was enacted without
public hearings as part of the Intelligence Authorization Act (H.R.
4392), criminalizes the disclosure by government officials of a broad
array of classified or "classifiable" information.  "Classifiable"
information is any unclassified information which a government
official later determines should have been classified but was not.
Although the law only applies to disclosures by government employees,
investigators could subpoena journalists' notebooks, computer disks,
phone records, and other private information in order to pursue
government leakers.
The "anti-leak" legislation was requested by the Central Intelligence
Agency, which claims its operations have been compromised by newspaper
articles based on leaks of classified information.  Although Justice
Department officials assert that the provision was narrowly drafted
and merely fills gaps in existing disclosure laws, many journalists
and free speech advocates oppose the bill.  Representing the two ends
of the political spectrum, Reps. Bob Barr (R-GA) (a former CIA
attorney) and John Conyers (D-MI) have both voiced opposition to the
bill.  Barr lambasted the bill in the House, stating, "This
legislation contains a provision that will create -- make no mistake
about it, with not one day of hearings, without one moment of public
debate, without one witness -- an official secrets act."
Current law makes it a crime to disclose classified information if the
disclosure aids a foreign government, exposes covert intelligence
agents or relates to national defense.  The breadth of the new
legislation is subject to dispute, with critics saying it would cover
virtually all classified information, and the Justice Department
claiming that it includes only disclosures of information that would
harm national security.  The legislation's critics believe that this
ambiguity would have a chilling effect on public debate.
Although White House officials had initially signed off on the
legislation, opinion within the Administration is reportedly changing
in response to the strong opposition to the bill.  The president has
until Nov. 4 to act on the measure.  Opponents of the secrecy
provision are also seeking the passage of new legislation to delay the
effective date of the criminal liability provision of the secrecy bill
until 2002.
Additional details, including contact information for key members of
Congress, is available at the website of the Government Accountability
[3] U.S. Copyright Office Announces Exceptions to DMCA
On October 27, the U.S. Copyright Office issued its final rule
implementing the anti-circumvention provisions of the Digital
Millennium Copyright Act (DMCA).  The statutory provisions prohibit
the circumvention of technical measures that prevent the unauthorized
copying, transmission or access of copyrighted works, subject to this
rulemaking of the Copyright Office.
The final rule establishes two exceptions to the anti-circumvention
provisions.  The first exception will allow users of Internet content
filtering programs to view lists of websites blocked by such software.
The Copyright Office recognized a First Amendment interest in access
to this information and stated the need for circumvention in this
instance "since persons who wish to criticize and comment on them
cannot ascertain which sites are contained in the lists unless they
circumvent."  This exception to the DMCA rule will likely impact the
ongoing public debate about filters.  In March, two programmers who
revealed the list of thousands of websites blocked by the Internet
filtering program Cyber Patrol faced charges of copyright violation
(see EPIC Alert 7.05).  The second exception is for software programs
that malfunction or are damaged and fail to permit lawful use.  The
exceptions went into effect on October 28 and will be re-evaluated in
The American Library Association (ALA), in conjunction with the
American Association of Law Libraries, the Medical Library Association
and the Special Libraries Association, have argued for broader
exceptions.  The library groups, as well as educational associations
and technical experts, believe that restrictive anti-circumvention
provisions could restrict public access to copyrighted works,
especially if digital publishers move towards a pay-per-use model.
In a public statement, the ALA stated that "users of digital
information will have fewer rights and opportunities than users of
print information."
In 1998, EPIC Executive Director Marc Rotenberg testified in
opposition to the DMCA, stating that the bill would diminish online
privacy and warned that "the anti-circumvention language in section
1201 is extraordinarily broad and will have all sorts of unintended
consequences."  EPIC said that the "crime of circumvention should be
specifically linked to the actual infringing act and not simply the
use of a particular technique that may or may not be harmful."  EPIC
also recommended the development of techniques to protect copyrighted
works that did not track the activities of Internet users.  Some of
these concerns were addressed in the final version of the DMCA but
others were not.
American Library Association (ALA) Office for Information Technology
Policy's Anti-Circumvention Page:
U.S. Copyright Office, Rulemaking on Exemptions from Prohibition on
EPIC Testimony before the House Committee on International Relations
on Copyright and Privacy:
[4] International NGOs Oppose Draft Computer Crime Convention
On October 18, members of the Global Internet Liberty Campaign (GILC),
an international coalition of civil liberties and human rights groups,
voiced their opposition to the Council of Europe's Convention on
Cyber-Crime.  The Cyber-Crime Convention first appeared in April and
was recently discussed at an October 24 meeting of the Group of Eight
(G-8) in Berlin.
In a letter addressed to the Council of Europe (COE) Secretary General
and Committee of Cyber-Crime experts, the groups stated that the draft
treaty runs "contrary to well established norms for the protection of
the individual, that it improperly extends the police authority of
national governments, that it will undermine the development of
network security techniques, and that it will reduce government
accountability in future law enforcement conduct."
The organizations went on to say that the Convention would require
Internet companies to retain records of customer activity and monitor
personal communications.  The draft Convention would also criminalize
copyright violations and discourage the development of network
security tools.  Other sections of the international agreement would
encourage law enforcement access to stored records and encryption keys
without sufficient legal safeguards and expand surveillance powers.
The Council of Europe plans to finalize its Convention on Cyber-Crime
in December.  The GILC member letter is still open for signatures from
Internet users' organizations.  If you are a member of an organization
that opposes the Cyber-Crime treaty and seeks to protect the rights of
all Internet users, send an email to gilc@gilc.org.
Global Internet Liberty Campaign Member Letter on Council of Europe
Convention on Cyber-Crime:
[5] U.S. Implements Relaxed Encryption Export Controls
On October 19, the U.S. Department of Commerce's Bureau of Export
Administration (BXA) published an amendment to its export regulations
on encryption products.  The new rule amends the Export Administration
Requirements (EAR) and liberalizes exports and re-exports of
encryption products to the fifteen European Union member states plus
Australia, the Czech Republic, Hungary, Japan, New Zealand, Norway,
Poland and Switzerland.
Encryption products may now be exported to these countries and to the
offices of firms, organizations and governments headquartered there,
under license exemption.  Exporters may ship these products
immediately upon filing a commodity classification with the Bureau of
Export Administration without waiting for a full review and
classification.  Technical reviews and post-reporting requirements are
removed for consumer products preloaded with encryption software and
short range wireless technologies.  Reporting requirements are also
reduced for foreign-based U.S. distributors including subsidiaries of
U.S. companies.  Finally, encryption source code may now be exported
to non-government end users once a classification request is filed.
The Administration announced its intention to update its encryption
policy on July 17 in response to the European Union's decision earlier
that month to revise its restrictions on certain "dual use"
technologies.  Under the European Union's previous export regime,
encryption products could only be exported to countries outside the
EU upon the issuance of a special license from national authorities.
The new regulations allow member states to obtain a single license for
the export of most dual use goods to other member states and ten
non-EU countries including the U.S., Canada and Japan.  The U.S.
Administration had promised, since January 2000, that it would match
any relaxation on the export of encryption products introduced by the
European Union in order to assure the competitiveness of U.S.
companies internationally.
The text of the revised rules are available at:
For more information about the availability of cryptography worldwide,
see "Cryptography & Liberty 2000: An International Survey of
Encryption Policy":
[6] IETF Issues New RFCs on Cookies
The Internet Engineering Task Force (IETF) has posted two new Requests
For Comments (RFCs) that address privacy issues surrounding the use of
RFC 2965 ("HTTP State Management Mechanism") is a proposed standard
replacing RFC 2109, one of the first cookie documentations.  The
updated RFC pays particular attention to the privacy standards for
cookie use.  The document states that "Informed consent should guide
the design of systems that use cookies."  In the protocol, both the
server setting the cookie and the web browser should incorporate an
informed consent standard.
RFC 2964 ("Use of HTTP State Management") discusses Best Current
Practices for the use of cookies.  While pointing out the positive
purposes for cookies, the document also recommends that cookies should
be used only with the user's awareness, the user's ability to delete
cookies, and assurances that information collected through tracking is
not passed onto third parties without explicit consent.
EPIC's view is that these proposals are a step in the right direction
and could help limit several of the current problems with cookie
misuse.  At the same time, the RFCs place too much emphasis on
"informed consent" and not enough on the ongoing obligations of
organizations that collect personal information that are typically
found in privacy standards based on "Fair Information Practices."
EPIC recommends that the RFCs be further revised to comply with the
OECD Privacy Guidelines.
The IETF Request For Comments (RFCs) can be found at:
Also check out the EPIC Cookies page:
[7] EPIC Bookstore - Secrets and Lies
Secrets and Lies: Digital Security in a Networked World, by Bruce
Internationally recognized information security expert Bruce Schneier
provides a practical, straightforward guide to understanding and
achieving security throughout computer networks.  Schneier uses his
extensive field experience with his own clients to dispel the myths
that can mislead you while trying to build secure systems.  He also
clearly covers everything you'll need to know to protect your
company's digital information.  And he shows you how to assess your
business and corporate security needs so that you can choose the right
products and implement the right processes.
EPIC Publications:
"Privacy & Human Rights 2000: An International Survey of Privacy Laws
and Developments," David Banisar, author (EPIC 2000).
Price: $20. http://www.epic.org/phr/
This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including, data protection, telephone
tapping, genetic databases, ID systems and freedom of information
"The Privacy Law Sourcebook 2000: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000).
Price: $40. http://www.epic.org/pls/
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.
"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, editors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.
"Filters and Freedom - Free Speech Perspectives on Internet Content
Controls," David Sobel, editor (EPIC 1999). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.
Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore: http://www.epic.org/bookstore/
[8] Upcoming Conferences and Events
Privacy2000: Information and Security in the Digital Age.
October 31-November 1, 2000. Columbus, Ohio. For more information:
Mealey's Internet Law 101 Conference. November 1-2, 2000. Tysons
Corner, VA. For more information: seminars@mealeys.com
Call for Papers. First International Conference on Human Aspects of
the Information Society. Information Management Research Institute,
University of Northumbria at Newcastle. November 10, 2000. Newcastle
upon Tyne, England. For more information:
Data Protection and System Design Workshop. Innovation Through
Electronic Commerce: 3rd International Conference. November 14, 2000.
Manchester, England. For more information: http://www.iec2000.org.uk/
2000 BNA Public Policy Forum: e-commerce and internet regulation.
November 15-16, 2000. Tysons Corner, VA. For more information:
Privacy by Design: The Future of Privacy Compliance and Business.
Zero-Knowledge Systems. November 19-21, 2000. Le Château Montebello,
Quebec. For more information:
Managing the Privacy Revolution. Privacy and American Business's
Seventh Annual Conference. November 28-30, 2000. Washington, DC. For
more information: http://www.pandab.org
16th Annual Computer Security Applications Conference (ACSAC).
December 11-15, 2000. New Orleans, Louisiana. For more information:
Network and Distributed System Security Symposium (NDSS '01). Internet
Society. February 7-9, 2001. San Diego, CA. For more information:
Online, Offshore and Cross-Border: Regulating Global E-Commerce.
Washington College of Law, American University. March 30, 2001.
Washington, DC. For more information: http://www.wcl.american.edu
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. A Web-based form is available for
subscribing or unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you have
any other questions.
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 7.19 -----------------------