EPIC logo

       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 7.20                                  November 14, 2000
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] President Vetoes "Official Secrets Act" Legislation
[2] California Enacts New Privacy Laws
[3] IRS Gains Access to Overseas Credit Card Accounts
[4] Information Brokers Challenge Financial Privacy Rules
[5] Poll Finds Strong Majority Concerned About Online Privacy
[6] "Safe Harbor" Arrangement Begins
[7] EPIC Bookstore - Rethinking PKI and Digital Certificates
[8] Upcoming Conferences and Events
[1] President Vetoes "Official Secrets Act" Legislation
President Clinton on November 4 vetoed legislation that would have made
leaking of government secrets a criminal act (see EPIC Alert 7.19).
The president, in his veto message, said he agreed that some leaks "can
be extraordinarily harmful" to national security. But he agreed with
critics of the provision who argued that the new penalties could
silence whistle-blowers: "We must never forget that the free flow of
information is essential to a democratic society." The provision, which
was contained in an intelligence spending bill (H.R. 5630), would have
extended penalties that now exist for leaking classified, national
defense information, to the leaking of other classified, but nondefense
data that could harm the United States if made public or given to
foreign governments.
A broad coalition of public interest groups -- including EPIC -- said
that the legislation was likely to stifle public debate on important
policy matters.  Several of the nation's largest news organization --
including CNN, The Washington Post, The New York Times and the
Newspaper Association of America -- also appealed to Clinton to veto
the bill.    The legislation's opponents said it amounted to the
nation's first "Official Secrets Act," and noted that even members of
Congress would be subject to criminal charges for leaking classified
In his veto statement, Clinton said, "As president ... it is my
responsibility to protect not only our government's vital information
from improper disclosure but also to protect the rights of citizens to
receive the information necessary for democracy to work."  He added
that it requires a careful balance to reconcile the goals of protecting
national security and the public's right to know. "This legislation
does not achieve the proper balance."
On November 13, the House voted to again pass the intelligence
authorization bill, without the controversial secrecy provision.
President Clinton's veto statement is available at:
[2] California Enacts New Privacy Laws
In October, California Governor Gray Davis signed into law six new
privacy measures aimed at protecting consumers' privacy and protecting
against identity theft.  One of the new laws establishes the first
dedicated U.S. privacy protection agency within the Department of
Consumer Affairs.  The new Office of Privacy Protection will operate as
a central clearinghouse for privacy complaints and will provide
information, advice and referrals to consumers to help resolve privacy
disputes and concerns.
Another law requires businesses to destroy customer records containing
personal information by shredding them, erasing them or otherwise
making them unreadable. Two of the laws specifically address the
growing problem of identify theft.  The first allows victims of
identity theft to seek the assistance of the courts in clearing their
names and restoring their identities.  The second allows those victims
to join law enforcement in accessing a statewide database documenting
identity theft crimes.  Under the fifth law, credit card companies will
have to give consumers an opportunity to "opt-out" annually of having
their personal information shared.  The final law prohibits consumer
credit reporting agencies from including medical information, provided
for insurance purposes, in consumer credit reports.
This new package of laws, coupled with the state's strong
constitutional right to privacy, clearly establishes California as the
leading U.S. state in the protection of individual privacy.
Press release from the California Department of Consumer Affairs
discussing the new legislation:
[3] IRS Gains Access to Overseas Credit Card Accounts
A federal judge on October 30 granted the Internal Revenue Service
(IRS) access to thousands of MasterCard and American Express credit
card accounts held by U.S. taxpayers in several offshore banking
havens.  U.S. District Judge Adalberto Jordan's order allows the IRS to
issue summonses for information concerning charge, debit and credit
cards issued by banks in the Cayman Islands, Bahamas and Antigua and
Barbuda in 1998 and 1999. Banks in the targeted jurisdictions require
customers to open bank accounts before obtaining credit cards, so
obtaining the names of cardholders produces the names of bank account
holders as well.
IRS investigators are reportedly interested in reviewing things like
car, boat and airline ticket purchases and hotel and car rentals to
determine whether credit card account holders are living beyond their
reported means.  Offshore credit accounts are legal for U.S. taxpayers,
but they are required to file forms with the IRS disclosing them. The
three nations targeted by the IRS have long been identified by U.S.
authorities as offshore tax havens and centers of money launderering.
An affidavit filed by the IRS with the summons request claimed the U.S.
Treasury loses an estimated $70 billion yearly from individual
taxpayers who use offshore accounts to evade taxes.
Promoters of offshore accounts often claim that they can be used to
shelter income because the U.S. government cannot penetrate some
foreign banking secrecy laws.  But the IRS believed it could avoid
those laws by getting records through the Miami headquarters of the
companies' Caribbean operations, an approach that Judge Jordan
MasterCard International issued a brief statement saying it has "always
cooperated with, and will continue to cooperate with, investigations by
governmental agencies."  The company added that it is "mindful of
customers' privacy concerns."
[4] Information Brokers Challenge Financial Privacy Rules
An industry association representing information brokers -- the
Individual Reference Services Group (IRSG) -- has challenged the
Federal Trade Commission's (FTC) newly-enacted financial privacy rules.
As one of the federal agencies promulgating privacy rules under the
Financial Services Modernization Act (Gramm-Leach-Bliley), the FTC
designated credit headers as a type of personal financial information
subject to opt-out privacy protections (see EPIC Alert 7.10). Credit
headers, so-called because they are at the top of credit reports,
contain information such as names, addresses, phone numbers, and Social
Security numbers.  IRSG companies sell credit header information to
direct marketers, private investigators, and other information brokers.
The IRSG complaint, filed in the U.S. District Court for the District
of Columbia, alleges that the FTC credit header rule unlawfully expands
the definition of non-public personal information contained in the
legislation, and that it improperly supersedes the Fair Credit
Reporting Act, which has not traditionally protected credit header
information.  The FTC contends that its rulemaking follows the law's
legislative intent.
In related privacy news, the Social Security number provisions
contained in the Commerce-Justice-State appropriations bill were
singled out in a veto threat letter sent by President Clinton to
Congress before the election recess.  The Social Security number
provisions are opposed by consumer and privacy groups (see EPIC Alert
7.18).  The provisions are still included in the appropriations bill
which has yet to pass and is pending before the current lame duck
The FTC's final financial privacy rules (PDF) are available at:
See President Clinton's letter threatening to veto the Commerce-
Justice-State Appropriations bill:
[5] Poll Finds Strong Majority Concerned About Online Privacy
A newly released Gallup poll finds that a majority of Americans are
concerned about their privacy on the Internet.  The Gallup survey,
which was commissioned by the MedicAlert Foundation, an emergency
medical information service, questioned individuals' willingness to
transmit personal health information over the Internet.
As a result of privacy concerns, only seven percent of all respondents
said that they would be willing to store or transmit personal health
information on the Internet.  Seventy-seven percent of respondents
considered the privacy of their health and medical information to be
very important, and 84 percent said that they would be concerned if
that information was made available to others without their consent.
Whereas 90 percent of respondents said that they trust their own doctor
to keep their personal health information private and secure, only
eight percent would trust an Internet website to do the same.  Thirty
percent said that they would be more willing to disclose this
information on the Internet if they could be assured of its privacy and
A summary of the results of the Gallup survey is available at:
[6] "Safe Harbor" Arrangement Begins
On November 1, the long-negotiated Safe Harbor agreement formally went
into effect.  Safe Harbor allows U.S. companies to voluntarily
subscribe to a set of principles and procedures for the handling of
data originating in the European Union.  The EU Data Protection
Directive requires that an adequate level of privacy protection exist
before any personal information can be transferred to a third country.
The European Commission has agreed that any U.S. company that
subscribes to Safe Harbor should be deemed to be providing an adequate
level of privacy protection for such data.
The U.S. Department of Commerce maintains the official list of U.S.
companies that join the arrangement.  Both the European Commission and
U.S. government officials are expected to monitor the number of
companies that join over the next few months.  Due to earlier
opposition from the European Parliament to the agreement, the European
Commission is expected to review the arrangement by the middle of next
Since the beginning of the month, only one U.S. entity -- TRUSTe -- has
joined the system.
To see the Safe Harbor list, as well as related materials:
Past comments on Safe Harbor are available from the TransAtlantic
Consumer Dialogue:
[7] EPIC Bookstore - Rethinking PKI and Digital Certificates
Rethinking Public Key Infrastructures and Digital Certificates:
Building in Privacy by Stefan A. Brands
As paper-based communication and transaction mechanisms are replaced
by automated ones, traditional forms of security such as photographs
and handwritten signatures are becoming outdated.  Most security
experts believe that digital certificates offer the best technology
for safeguarding electronic communications.  They are already widely
used for authenticating and encrypting email and software, and
eventually will be built into any device or piece of software that
must be able to communicate securely.  There is a serious problem,
however, with this unavoidable trend: unless drastic measures are
taken, everyone will be forced to communicate via what will be the
most pervasive electronic surveillance tool ever built.  There will
also be abundant opportunity for misuse of digital certificates by
hackers, unscrupulous employees, government agencies, financial
institutions, insurance companies, and so on.
In this book Stefan Brands proposes cryptographic building blocks
for the design of digital certificates that preserve privacy without
sacrificing security.  Such certificates function in much the same
way as cinema tickets or subway tokens: anyone can establish their
validity and the data they specify, but no more than that.
Furthermore, different actions by the same person cannot be linked.
Certificate holders have control over what information is disclosed,
and to whom.  Subsets of the proposed cryptographic building blocks
can be used in combination, allowing a cookbook approach to the design
of public key infrastructures.  Potential applications include
electronic cash, electronic postage, digital rights management,
pseudonyms for online chat rooms, health care information storage,
electronic voting, and even electronic gambling.
EPIC Publications:
"Privacy & Human Rights 2000: An International Survey of Privacy Laws
and Developments," David Banisar, author (EPIC 2000).
Price: $20. http://www.epic.org/phr/
This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including, data protection, telephone
tapping, genetic databases, ID systems and freedom of information
"The Privacy Law Sourcebook 2000: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000).
Price: $40. http://www.epic.org/pls/
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.
"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, editors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.
"Filters and Freedom - Free Speech Perspectives on Internet Content
Controls," David Sobel, editor (EPIC 1999). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.
Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore: http://www.epic.org/bookstore/
[8] Upcoming Conferences and Events
Election 2000: Implications for Science & Technology. Washington
Science Policy Alliance. November 15, 2000. Washington, DC. For more
information: http://www.aaas.org/spp/dspp/rd/gwu.htm
2000 BNA Public Policy Forum: e-commerce and internet regulation.
November 15-16, 2000. Tysons Corner, VA. For more information:
Privacy by Design: The Future of Privacy Compliance and Business.
Zero-Knowledge Systems. November 19-21, 2000. Le Château Montebello,
Quebec. For more information:
Managing the Privacy Revolution. Privacy and American Business's
Seventh Annual Conference. November 28-30, 2000. Washington, DC. For
more information: http://www.pandab.org
Government Secrecy in a New Administration and a New Century.
Information Security Oversight Office and the James Madison Project.
December 5, 2000. Washington, DC. For more information:
16th Annual Computer Security Applications Conference (ACSAC).
December 11-15, 2000. New Orleans, Louisiana. For more information:
Network and Distributed System Security Symposium (NDSS '01). Internet
Society. February 7-9, 2001. San Diego, CA. For more information:
EUROSEC 2001: Forum sur la Sécurité des Systèmes d'Information. XP
Conseil. March 13-15, 2001. Paris, France. For more information:
Online, Offshore and Cross-Border: Regulating Global E-Commerce.
Washington College of Law, American University. March 30, 2001.
Washington, DC. For more information: http://www.wcl.american.edu
First International Conference on Human Aspects of the Information
Society. Information Management Research Institute, University of
Northumbria at Newcastle. April 9-11, 2001. Newcastle upon Tyne,
England. For more information: http://is.northumbria.ac.uk/imri
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. A Web-based form is available for
subscribing or unsubscribing at:
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
Back issues are available at:
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you have
any other questions.
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
  ---------------------- END EPIC Alert 7.20 -----------------------