==============================================================

                         EPIC Alert

==============================================================
Volume 8.03                                  February 14, 2001
--------------------------------------------------------------

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_8.03.html

=======================================================================
Table of Contents
=======================================================================

[1] The Privacy Coalition Launches New Initiative
[2] DCS1000: The Device Formerly Known as Carnivore
[3] EPIC Launches Public Interest Law Program
[4] Medical Industry Seeks Roll-Back of Privacy Regulations
[5] FTC Hosts Discussion on Cross-Border Legal Disputes
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - Why Things Bite Back
[8] Upcoming Conferences and Events

=======================================================================
[1] The Privacy Coalition Launches New Initiative
=======================================================================

At a press conference at the National Press Club on February 12, The Privacy Coalition, a nonpartisan group of consumer, civil liberties, educational, library, labor, and family-based groups, launched its first initiative. The group presented "The Privacy Pledge" as the standard for future protection of privacy.

Public interest organizations representing a wide spectrum of constituencies support the Privacy Pledge including: the American Association of Law Libraries, American Library Association, American Civil Liberties Union (ACLU), Center for Media Education, Computer Professionals for Social Responsibility, Consumer Action, Consumer Federation of America, Consumer Project on Technology, Consumers Union, Eagle Forum, Electronic Privacy Information Center (EPIC), Free Congress Foundation, Home School Legal Defense Association, Institute for Global Communication, International Union, United Automobile, Aerospace and Agricultural Implement Workers of America (UAW), Junkbusters, Media Access Project, National Consumers League, NetAction, Privacy Foundation, Privacy Journal, Privacy International, Privacy Rights Clearinghouse, Privacy Times, Traditional Values Coalition, and U.S. Public Interest Research Group (PIRG).

The Privacy Pledge addresses the future, necessary steps to protect privacy. The pledge advocates the adoption of a legal framework based on full Fair Information Practices, including the rights to access one's own information held by others, to limit the use of the information, and to obtain redress when information is improperly used, as well as notice, consent, and security; independent enforcement and oversight; the promotion of genuine Privacy Enhancing Technologies; legal restrictions on surveillance technologies; and a foundation of federal privacy safeguards that allow the private sector and states to implement supplementary protections as needed.

The Privacy Coalition invites state and federal legislators to sign the pledge and thus protect one of the most important values of the information age.

The Privacy Pledge can be found at:

     http://www.privacypledge.org/

The press release announcing the formation of The Privacy Coalition, as well as the pledge presented on February 12:

     http://www.privacypledge.org/coalition_press_release.html

=======================================================================
[2] DCS1000: The Device Formerly Known as Carnivore
=======================================================================

In an apparent effort to minimize the damage from one of its biggest recent public relations blunders, the Federal Bureau of Investigation has given the Carnivore Internet surveillance system a new name. From now on, the FBI will refer to the controversial device as "DCS1000." Despite some reports indicating that the name is an acronym for "data collection system," a Bureau spokesperson told Reuters that it "doesn't stand for anything."

The new name is reportedly just the first step in an anticipated make-over for Carnivore, which monitors large volumes of traffic passing through the facilities of an Internet service provider and, according to the FBI, captures only those data packets that the Bureau has legal authorization to collect. The Justice Department is soon expected to present the results of an internal review of Carnivore, along with recommended changes, to Attorney General John Ashcroft. That internal report was originally scheduled to be presented to former Attorney General Janet Reno in December; the Department has issued no public explanation for the delay.

The re-naming is not the only damage control attempted by the Bureau in recent weeks. In a letter dated January 23, FBI Laboratory Director Donald Kerr responded to questions about Carnivore raised by Senators Orrin Hatch (R-UT) and Patrick Leahy (D-VT).
The leaders of the Senate Judiciary Committee, citing language contained in internal FBI documents released to EPIC, had asked the Bureau to explain the results of a test showing that Carnivore "could reliably capture and archive all unfiltered traffic" transmitted through an Internet service provider and store the communications on a hard drive or removable disks (see EPIC Alert 7.21). Kerr responded that:

     Theoretically if Carnivore were to be installed and configured so as to attempt to intercept and archive "all" traffic in a *very small* ISP . . . , Carnivore might conceivably be able to reliably capture and archive the traffic packets. However, it could not do so as to an ISP of any true size.

The FBI recently completed its processing of EPIC's Freedom of Information Act request for Carnivore material, withholding a significant amount of information. EPIC's FOIA lawsuit is continuing, and the court will consider the propriety of the Bureau's withholding decisions over the next few months.

A scanned image of the January 23 FBI letter to Sens. Hatch and Leahy is available at:

     http://www.epic.org/privacy/carnivore/kerr_letter.html

=======================================================================
[3] EPIC Launches Public Interest Law Program
=======================================================================

On February 8, EPIC launched the Internet Public Interest Opportunities Program (IPIOP) which will serve law students from across the country interested in public interest law and the Internet. The program is made possible by a generous grant provided by Professor Pam Samuelson and Dr. Robert Glushko.

The IPIOP will draw on EPIC's past experience in many of the Internet's most significant policy and legal issues such as litigation of the Communications Decency Act and the Child Online Protection Act, campaigns against the Clipper Chip and for free export of encryption products, advocacy for greater protection of consumer privacy, as well as continued use of the Freedom of Information Act.

"EPIC has done a wonderful job as a leading voice for the public on these new challenges and has provided a great learning experience for students interested in cyber law," said Professor Samuelson, a Boalt Hall professor and a world-renowned expert on cyberlaw and intellectual property.

The EPIC Internet Public Interest Opportunities Program will work in conjunction with the newly established Samuelson Law, Technology and Public Policy Clinic at the University of California at Berkeley, Boalt School of Law, as well as other similar centers around the country. The Samuelson Clinic is the first law school program in the country to focus on technology and the public interest.

For more details, see the press release announcing the establishment of the EPIC Internet Public Interest Opportunities Program:

     http://www.epic.org/ipiop_pr.html

For more information about the Samuelson Law, Technology and Public Policy Clinic:

     http://www.law.berkeley.edu:80/news/releases/20000424Samuelson.shtml

=======================================================================
[4] Medical Industry Seeks Roll-Back of Privacy Regulations
=======================================================================

As reported by the New York Times on February 12, health care lobbyists have pressured the Bush administration to weaken, delay, or even withdraw the implementation of recently promulgated regulations designed to protect patients' privacy. The regulations require health care providers to gain written consent from patients before using or disclosing their medical records.
Also, patients have the right to inspect their records and suggest corrections where inaccurate information is held. The regulations carry civil and criminal penalties for violations.

Industry lobbyists argue that the regulations impose burdensome requirements, including the re-training of employees, the purchase of new systems designed to comply with the privacy protections, and the hiring of privacy officers charged with the duty of ensuring compliance. Supporters of the new regulations have stated that providing an adequate level of privacy protection will encourage patients to be more forthcoming about their conditions and thus facilitate medical treatment and research.

Privacy advocates, while supporting the adoption of federal standards for the protection of medical privacy, have pointed to areas in which the regulations could be improved. Under the new rules, marketers can target advertising to patients based on their afflictions. Patients must "opt-out" from this marketing. In addition, the regulations allow law enforcement officials to gain access to patients' medical records without judicial review.

Senator Patrick Leahy (D-VT) has announced that his staff is drafting a bill to address the marketing loophole exposed by privacy advocates. Leahy's bill would give patients a private right of action where medical information is sold by third parties. The bill would also require patients' consent before marketers could use their records for advertising.

The regulations are available online at:

     http://www.hhs.gov/ocr/hipaa.html

=======================================================================
[5] FTC Hosts Discussion on Cross-Border Legal Disputes
=======================================================================

On February 6, the Federal Trade Commission (FTC) held a roundtable discussion on alternative dispute resolution (ADR) and the future Hague Treaty on Jurisdiction and Enforcement of Foreign Judgments.
Panelists included academics, business representatives, civil liberties groups, consumer advocates, government officials and trial lawyers.

The morning session focused on developing principles for online dispute resolution for small value consumer contracts. Overall consensus was reached on the need for effective, inexpensive, fair and accessible ADR services with some kind of oversight mechanism for consumers. There was strong disagreement, however, with proposals from business groups that ADR should be mandatory and binding on consumers. Consumer groups and trial lawyers stated that this could deny a consumer's right to access the courts, prohibit class action lawsuits, and discourage trust and confidence in the marketplace. They also pointed out that there are certain cases where ADR is clearly not appropriate, for instance in some privacy cases, where injunctive or other judicial relief would be needed.

The afternoon session was more contentious. The discussion focused on the future Hague Convention on Jurisdiction and Enforcement of Foreign Judgments which is being negotiated by the Hague Conference on Private International Law. This convention will potentially affect all civil and commercial cross-border lawsuits, including consumer, privacy, intellectual property and free-speech disputes. It will harmonize rules of jurisdiction for cross-border disputes and allow judgment holders in one country to have their judgments enforced in the country where the defendant is based.

The main source of controversy between business and consumer groups was Article 7 of the October 1999 Draft Treaty, which would prohibit businesses from including "choice of court" clauses in consumer contracts and give consumers the right to sue in their home courts. Concerns were also raised by consumer and civil liberties groups regarding intellectual property and free speech issues.
They argued that unless claims involving, for example, breach of copyright, defamation or trade secrets are specifically excluded from the Treaty, individuals in one country may be sued by "rights-holders" in other countries with far more restrictive laws on these issues.

Discussions on this Convention are ongoing. The next meeting of the Hague Conference will be held in Ottawa from February 26 to March 2.

For details of the FTC's February 6 roundtable meeting visit:

     http://www.ftc.gov/bcp/altdisresolution/roundtable/

For the October 1999 Draft Convention and other relevant documents, see the Consumer Project on Technology's page on the Hague Treaty:

     http://www.cptech.org/ecom/jurisdiction/hague.html

See also the Trans Atlantic Consumer Dialogue (TACD) resolution on Alternative Dispute Resolution at:

     http://www.tacd.org/ecommercef.html#adr

=======================================================================
[6] EPIC Bill-Track: New Bills in Congress
=======================================================================

*House*

H.R.260 Wireless Privacy Protection Act of 2001, To require customer consent to the provision of wireless call location information. Sponsor: Rep Frelinghuysen, Rodney P (R-NJ). Latest Major Action: 1/30/2001 Referred to House committee: House Energy and Commerce.

H.R.347 Consumer Online Privacy and Disclosure Act, To require the Federal Trade Commission to prescribe regulations to protect the privacy of personal information collected from and about individuals on the Internet, to provide greater individual control over the collection and use of that information, and for other purposes. Sponsor: Rep Green, Gene (D-TX), Latest Major Action: 1/31/2001 Referred to House committee: House Energy and Commerce.

H.R.583 Privacy Commission Act, to establish the Commission for the Comprehensive Study of Privacy Protection. Sponsor: Rep Hutchinson, Asa (R-AR). Latest Major Action: 2/13/2001 Referred to House committee: House Government Reform.

*Senate*

S.197 Spyware Control and Privacy Protection Act of 2001, a bill to provide for the disclosure of the collection of information through computer software, and for other purposes. Sponsor: Sen Edwards, John (D-NC). Latest Major Action: 1/29/2001 Referred to Senate committee: Senate Commerce, Science, and Transportation

S.201 Federal Employee Protection Act of 2001, a bill to require that Federal agencies be accountable for violations of antidiscrimination and whistleblower protection laws, and for other purposes. Sponsor: Sen Warner, John W. (R-VA) Latest Major Action: 1/29/2001 Referred to Senate committee: Senate Governmental Affairs.

S.290 The Student Privacy Protection Act, a bill to increase parental involvement and protect student privacy. Sponsor: Sen Dodd, Christopher J. (D-CT) Latest Major Action: 2/8/2001 Referred to Senate committee: Senate Health, Education, Labor, and Pensions

EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills in the 107th Congress, is available at:

     http://www.epic.org/privacy/bill_track.html

=======================================================================
[7] EPIC Bookstore - Why Things Bite Back
=======================================================================

Why Things Bite Back: Technology and the Revenge of Unintended Consequences, by Edward Tenner

     http://www.powells.com/cgi-bin/partner?partner_id=24075&cgi=search/search&searchtype=isbn&searchfor=0679747567

In this perceptive and provocative look at everything from computer software that requires faster processors and more support staff to antibiotics that breed resistant strains of bacteria, Edward Tenner offers a virtual encyclopedia of what he calls "revenge effects" -- the unintended consequences of the mechanical, chemical, biological, and medical forms of ingenuity that have been hallmarks of the progressive, improvement-obsessed modern age.
Tenner shows why our confidence in technological solutions may be misplaced, and explores ways in which we can better survive in a world where despite technology's advances -- and often because of them -- "reality is always gaining on us." For anyone hoping to understand the ways in which society and technology interact, Why Things Bite Back is indispensable reading.

For other books recommended by EPIC, browse the EPIC Bookshelf at:

     http://www.powells.com/features/epic/epic.html

================================

EPIC Publications:

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Privacy & Human Rights 2000: An International Survey of Privacy Laws and Developments," David Banisar, author (EPIC 2000). Price: $20.
http://www.epic.org/phr/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

================================

"The Privacy Law Sourcebook 2000: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000). Price: $40.
http://www.epic.org/pls/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

"Filters and Freedom: Free Speech Perspectives on Internet Content Controls," David Sobel, editor (EPIC 1999). Price: $20.
http://www.epic.org/filters&freedom/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore:

     http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Privacy and Technologies of Information: The Problem of Privacy in Public. University of Maryland, School of Public Affairs. February 15, 2001. College Park, MD. For more information: http://www.puaf.umd.edu/cp4newschedule.html

Nominations - February 16, 2001. MIT Sloan eBusiness Awards: Recognizing Successful Innovation in eBusiness. For more information: http://www.mitawards.org/

Privacy in the New Environments: What the Personal Information Protection and Electronic Documents Act Means to Your Organization. Riley Information Services. February 19, 2001. Ottawa, Canada.
For more information: http://www.rileyis.com/seminars/

The Second National HIPAA Summit: The Leading Forum on Healthcare Privacy, Confidentiality, Data Security and HIPAA Compliance. March 1-2, 2001. Washington, DC. For more information: http://www.hipaasummit.com/

CFP 2001: the Eleventh Conference on Computers, Freedom and Privacy. March 6-9, 2001. Cambridge, MA. For more information: http://www.cfp2001.org/

Consumer Assembly 2001: New Issues in a New Political and Economic Era. Consumer Federation of America. March 8-9, 2001. Washington, DC. For more information: http://www.consumerfed.org/events.html

Freedom of Expression: New and Existing Challenges. Organization for Security and Co-operation in Europe, Office for Democratic Institutions and Human Rights. March 12-13, 2001. Vienna, Austria. For more information: http://www.osce.org/odihr/meetings.htm

The Information Marketplace: Merging and Exchanging Consumer Data. Federal Trade Commission. March 13, 2001. Washington, DC. For more information: http://www.ftc.gov/bcp/workshops/infomktplace/

EUROSEC 2001: Forum sur la Sécurité des Systèmes d'Information. XP Conseil. March 13-15, 2001. Paris, France. For more information: http://www.xpconseil.com/eurosec2001/

Online, Offshore and Cross-Border: Regulating Global E-Commerce. Washington College of Law, American University. March 30, 2001. Washington, DC. For more information: http://www.wcl.american.edu

Call For Papers - March 31, 2001 (prizes available for graduate student papers). The 29th Research Conference on Communication, Information and Internet Policy. October 27-29, 2001. Alexandria, VA. For more information: http://www.tprc.org

BNA Public Policy Forum: Cybersecurity and Privacy. Pike and Fischer, Inc. April 4, 2001. Washington, DC. For more information: http://www.pf.com/

First International Conference on Human Aspects of the Information Society. Information Management Research Institute, University of Northumbria at Newcastle. April 9-11, 2001.
Newcastle upon Tyne, England. For more information: http://is.northumbria.ac.uk/imri

Corporate Privacy Officers Program 2001: Washington Briefing and Peer Workshop. Privacy and American Business. April 11-12, 2001. Washington, DC. For more information: http://www.pandab.org/

National Summit on Electronic Privacy. The National Institute for Government Innovation. April 23-24, 2001. Washington, DC. For more information: http://www.nigi.org/

The 26th Annual AAAS Colloquium on Science and Technology Policy. American Association for the Advancement of Science. May 3-4, 2001. Washington, DC. For more information: http://www.aaas.org/spp/dspp/rd/colloqu.htm

The Internet Security Conference (TISC) 2001. Core Competence, Inc. June 4-8, 2001. Los Angeles, CA. For more information: http://www.tisc2001.com/

INET 2001: A Net Odyssey, Mobility and the Internet. The 11th Annual Internet Society Conference. June 5-8, 2001. Stockholm, Sweden. For more information: http://www.isoc.org/inet2001/

Call For Submissions - August 3, 2001. Workshop on Security and Privacy in Digital Rights Management 2001. Eighth Association for Computing Machinery (ACM) Conference on Computer and Communications Security. November 5, 2001. For more information: http://www.star-lab.com/sander/spdrm/

Privacy2001: Information, Security & Ethics for the New Century. Technology Policy Group. October 3-4, 2001. Cleveland, Ohio. For more information: http://www.privacy2000.org/

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you have any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at

     http://www.guidestar.org/aol/search/report/report.adp?ein=52-2225921

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 8.03 -----------------------