==============================================================
                        EPIC ALERT
==============================================================
Volume 8.06                                     March 29, 2001
--------------------------------------------------------------

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_8.06.html

=======================================================================
Table of Contents
=======================================================================

[1] EU Privacy Leaders: Cybercrime Treaty May Violate Rights
[2] Future of Medical Privacy Regulations Uncertain
[3] Annenberg Releases Report on Kids Privacy Compliance
[4] Bush Administration Criticizes EU Privacy Rules
[5] Public Voice Submits Dot Force Report
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - The Internet, Law and Society
[8] Upcoming Conferences and Events

=======================================================================
[1] EU Privacy Leaders: Cybercrime Treaty May Violate Rights
=======================================================================

The controversial Council of Europe (CoE) draft Cybercrime Convention
has encountered new opposition from an important quarter. In a formal
opinion released on March 22, the European Union's independent
Advisory Body on Data Protection and Privacy criticized the proposed
international treaty as providing inadequate protections for personal
privacy. The advisory group, also known as the Article 29 Working
Party, includes the national privacy commissioners of the EU member
states. The group said it wanted to send "a strong message that a
fair balance must be struck between anti-cyber-crime efforts and the
fundamental rights to privacy and personal data protection of
individuals."
Noting that the CoE proposal makes reference to several international
human rights documents, the Working Party found that "the draft
Convention does not harmonise the safeguards and conditions"
envisioned in those treaties, nor does it "require such safeguards
and conditions effectively being in place." The Working Party
concluded that the provisions contained in the draft treaty "are not
sufficient to fully safeguard the fundamental rights to privacy and
personal data protection."

On one issue, the advisory group noted an improvement over earlier
drafts of the cybercrime treaty. The Working Party "welcomes" the
fact that the current version of the Convention (Version 25) no
longer includes a "general surveillance obligation consisting in the
routine retention of all traffic data." But despite that one change,
the group found that the draft's "wording is often too vague and
confusing," a shortcoming that is particularly problematic in a
document containing "mandatory measures that are intended to lawfully
limit fundamental rights and freedoms."

The Working Party also criticizes "the very late release of relevant
documents," referring to the fact that no public version of the draft
treaty was released until Version 19 last year. While the CoE
drafters are seeking to conclude deliberations on the Convention this
spring, the EU advisory group recommends that "the public debate be
prolonged" and that it include "all parties concerned (human rights
organisations, industry, etc.)," and not just the police and law
enforcement officials (including the U.S. Department of Justice) who
have dominated the drafting process.
The Article 29 Working Party opinion is available at:

     http://www.epic.org/security/cybercrime/data_wp_3_01.pdf

The current draft of the CoE Convention on Cybercrime is available
at:

     http://conventions.coe.int/treaty/EN/projets/cybercrime25.htm

=======================================================================
[2] Future of Medical Privacy Regulations Uncertain
=======================================================================

Implementation of the first federal health privacy regulations has
been delayed by the Bush administration and is almost certain to be
weakened by Health and Human Services (HHS) Secretary Tommy Thompson.
Although health care industry lobbyists have pressured lawmakers to
oppose the regulations, there is still significant support in
Congress to implement the rules immediately. Last week, sixty-one
lawmakers signed a letter urging Thompson to implement the
regulations. The lack of support for medical privacy protections
represents an abrupt change in the Bush Administration's stance on
privacy (see item [4] below).

In statements reported in the Wall Street Journal and the Bureau of
National Affairs Health Care Daily Report, Thompson promised to
"simplify" the regulations and lessen the financial burden to health
care providers. It remains unclear how the rules will be
"simplified."

The rules as formulated by the Clinton administration would have
given patients the right to clear notice of privacy practices, the
right to limit disclosures of medical records, the right to access
records and amend inaccurate information, and the right to file
complaints with HHS. However, the rules did contain significant
exemptions that could have compromised patients' privacy rights. For
instance, health care information could have been used for marketing
purposes, and patients would have been required to opt-out of such
marketing. In addition, law enforcement officials could have accessed
health information without judicial review under the rules.
HHS will continue to accept comments on the privacy regulations
through its website until Friday, March 30 at 5 p.m. (ET).

A template letter supporting the medical privacy rules is available
from the Health Privacy Project:

     http://www.healthprivacy.org/

The Department of Health and Human Services (HHS) Electronic Comment
Submission Form is available at:

     http://aspe.hhs.gov/admnsimp/

=======================================================================
[3] Annenberg Releases Report on Kids Privacy Compliance
=======================================================================

On March 28, the Annenberg Public Policy Center at the University of
Pennsylvania released a report, "Privacy Policies on Children's
Websites: Do They Play By the Rules?," analyzing current levels of
compliance with the Children's Online Privacy Protection Act (COPPA).
COPPA was enacted by Congress in 1998 and its rules became effective
a year ago in April 2000. The Act is enforced by the Federal Trade
Commission (FTC).

The study reviewed 162 websites that are among the most popular for
Internet users under the age of thirteen. Of those 162 websites, 114
displayed a privacy policy on the homepage and 90 of those sites
collected personal information from minors. Fourteen other sites
collecting personal information did not display any privacy policy,
clearly violating COPPA. In addition, the content of those privacy
policies was often found not to alert parents to all of COPPA's
privacy protections. Only 55 percent of privacy policies told parents
that websites could not collect more information than what is
"reasonably necessary" and only 62 percent of those statements told
parents that they could review personal information already collected
from their children. The study did not examine the extent to which
these websites complied with COPPA in practice, apart from privacy
policies.
Unlike most websites, sites targeted at minors must provide the
privacy provisions as outlined in COPPA regardless of the content of
their privacy policies.

In the conclusion of the report, the researchers suggest requiring
websites to display a prominent icon that indicates COPPA compliance
and greater efforts to standardize privacy policies. The study also
notes that the easiest way to comply with COPPA is not to collect any
personal information from minors.

"Privacy Policies on Children's Websites: Do They Play By the
Rules?":

     http://www.asc.upenn.edu/usr/jturow/PrivacyReport.pdf

More information about the Children's Online Privacy Protection Act
(COPPA) is available at:

     http://www.kidzprivacy.org/

=======================================================================
[4] Bush Administration Criticizes EU Privacy Rules
=======================================================================

On March 23, representatives of the Bush administration sent a letter
to the European Commission Internal Market Directorate criticizing
proposed European standards for protecting the privacy of transborder
data flows. The letter concerns the model contractual clauses that
have been proposed by the European Commission to govern the exchange
of consumer information between EU and U.S. companies, such as
financial institutions, that are not covered by the previously
negotiated "Safe Harbor" agreement. As Article 25 of the 1995 EU Data
Protection Directive prohibits European data processors from
"exporting" the personal information of European citizens to
countries that do not have adequate privacy protection laws in place,
these contracts are necessary to ensure the continued flow of
information between Europe and the United States. The EU Data
Protection Directive's protections only apply to information
collected from EU citizens.

According to the letter sent from the Departments of Commerce and
Treasury, the contracts would require U.S.
companies to follow higher standards of privacy protection than are
currently required by U.S. law. As a result, the officials warn that
"there is a serious danger the adoption of the standard clauses as
drafted will create a de facto standard that would raise the bar for
U.S firms." They continue that the requirements are "unduly
burdensome" and "incompatible with real world operations" and urge
the European Commission to defer further consideration of them.
Consumer organizations, such as the Trans Atlantic Consumer Dialogue
(TACD), have previously raised questions about the adequacy of
privacy protection in the United States.

The Bush Administration's resistance to strengthening consumer
privacy protection is seemingly inconsistent with many pro-privacy
statements made by, or on behalf of, candidate Bush during the recent
presidential election campaign. For example, in a May 19 interview
with BusinessWeek, then-Governor Bush stated that "I'm a
privacy-rights person. The marketplace can function without
sacrificing the privacy of individuals. Customers should be allowed
to opt in . . . the company has got to ask permission." Later, in an
October 17 debate sponsored by George Washington University,
then-domestic policy advisor Stephen Goldsmith stated on behalf of
Bush that "There is a role for Congress ... in requiring that there
be provisions for an opt-in on medical and financial information."

The draft version of the European Commission's Model Contract
Provisions and comments of the U.S.
Department of Commerce:

     http://www.export.gov/safeharbor/Model_Contract.htm

March 23 Letter sent from the Departments of Commerce and Treasury to
the European Commission:

     http://www.epic.org/privacy/intl/mogg_letter_0301.html

=======================================================================
[5] Public Voice Submits Digital Divide Report
=======================================================================

The Public Voice is a project of EPIC that seeks to promote the
participation of NGOs in international decision-making bodies that
address Internet policy. As part of that project, EPIC solicited
comments from the public, in cooperation with the Association for
Progressive Communications (APC), on the Digital Divide (see EPIC
Alert 8.02). "The Public Voice and the Digital Divide: A Report to
the DOT Force" is a compilation of the public's ideas and views on
the Digital Divide and will be submitted to the Digital Opportunities
Task Force (DOT Force), a Digital Divide initiative of the G-8. The
DOT Force was created by the G-8 in July 2000.

The Public Voice report addresses four different topics: what are the
best approaches to address the digital divide?; what are the current
barriers to greater Internet access?; what organizations are
currently working on the Digital Divide?; how should groups narrow
the Digital Divide? A wide variety of approaches were recommended
such as the use of free or open-source software, greater emphasis on
education and training and the creation of more local content. Unlike
most policy papers, the Public Voice report is largely made up of
direct quotations from public comments.

The DOT Force will release its final action plan at the next G-8
meeting to take place in Genoa, Italy this July. A draft version of
its report is currently available through the DOT Force website.
"The Public Voice and the Digital Divide: A Report to the DOT Force"
is available at:

     http://www.thepublicvoice.org/dotforce/report_0301.html

For more information about the Digital Opportunities Task Force:

     http://www.dotforce.org/

=======================================================================
[6] EPIC Bill-Track: New Bills in Congress
=======================================================================

*House*

H.R.972 Parent Act of 2001. To amend the Elementary and Secondary
Education Act of 1965 to strengthen the involvement of parents in the
education of their children, and for other purposes. Sponsor: Rep
Woolsey, Lynn C (D-CA). Latest Major Action: 3/8/2001 Referred to
House committee: House Education and the Workforce.

H.R.1152 Human Rights Information Act. To promote human rights,
democracy, and the rule of law by providing a process for executive
agencies for declassifying on an expedited basis and disclosing
certain documents relating to human rights abuses in countries other
than the United States. Sponsor: Rep Lantos, Tom (D-CA). Latest Major
Action: 3/21/2001 Referred to House Committee on Government Reform.

H.R.1158 National Homeland Security Agency Act. To establish the
National Homeland Security Agency. Sponsor: Rep Thornberry, William
(Mac) (R-TX). Latest Major Action: 3/21/2001 Referred to House
committee: House Government Reform.

H.R.1176 Fair Credit Reporting Act Amendments of 2001. To amend the
Fair Credit Reporting Act to protect consumers from the adverse
consequences of incomplete and inaccurate consumer credit reports,
and for other purposes. Sponsor: Rep Ford, Harold, Jr. (D-TN). Latest
Major Action: 3/22/2001 Referred to House committee: House Financial
Services.

H. J. RES. 38. Disapproving the rule submitted by the Department of
Health and Human Services on December 28, 2000, relating to standards
for privacy of individually identifiable health information. Sponsor:
Rep Paul, Ron (R-TX).
Referred to House Committees on Education and the Workforce, Energy
and Commerce and Ways and Means.

EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills
in the 107th Congress, is available at:

     http://www.epic.org/privacy/bill_track.html

=======================================================================
[7] EPIC Bookstore - The Internet, Law and Society
=======================================================================

The Internet, Law and Society. Edited by Yaman Akdeniz, Clive Walker,
and David Wall.

The advent of a global information society demands a new
understanding of the complexities of the architecture of that society
and its implications for existing social institutions such as law and
government. This authoritative and innovative book takes as its theme
the Internet within the settings of law, politics and society. It
relates and analyses their interactions and draws out the
implications of "cyberspace" for law and society. It therefore has a
wider and more critical agenda than existing, more technical
expositions of computer or Internet law. It is about the "law in
action" and not just the "law in books." It examines Internet
activity that takes place in the shadow of law where there is a
fascinating range of regulatory responses and governance strategies.
The book covers, in four Parts: the Internet, law and society;
governance and the Internet; legal institutions and professions and
the Internet; and, legal controversies in cyberspace.

For other books recommended by EPIC, browse the EPIC Bookshelf at:

     http://www.powells.com/features/epic/epic.html

================================

EPIC Publications:

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
     http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce. The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.

================================

"Privacy & Human Rights 2000: An International Survey of Privacy Laws
and Developments," David Banisar, author (EPIC 2000). Price: $20.

     http://www.epic.org/phr/

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world. The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, ID systems and freedom of information
laws.

================================

"The Privacy Law Sourcebook 2000: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000).
Price: $40.

     http://www.epic.org/pls/

The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who
need an up-to-date collection of U.S. and International privacy law,
as well as a comprehensive listing of privacy resources.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20.

     http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

================================

"Filters and Freedom: Free Speech Perspectives on Internet Content
Controls," David Sobel, editor (EPIC 1999). Price: $20.
     http://www.epic.org/filters&freedom/

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.

================================

Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore:

     http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Online, Offshore and Cross-Border: Regulating Global E-Commerce.
Washington College of Law, American University. March 30, 2001.
Washington, DC. For more information: http://www.wcl.american.edu

Call For Papers - March 31, 2001 (prizes available for graduate
student papers). The 29th Research Conference on Communication,
Information and Internet Policy. October 27-29, 2001. Alexandria, VA.
For more information: http://www.tprc.org

BNA Public Policy Forum: Cybersecurity and Privacy. Pike and Fischer,
Inc. April 4, 2001. Washington, DC. For more information:
http://www.pf.com/

First International Conference on Human Aspects of the Information
Society. Information Management Research Institute, University of
Northumbria at Newcastle. April 9-11, 2001. Newcastle upon Tyne,
England. For more information: http://is.northumbria.ac.uk/imri

Corporate Privacy Officers Program 2001: Washington Briefing and Peer
Workshop. Privacy and American Business. April 11-12, 2001.
Washington, DC. For more information: http://www.pandab.org/

National Summit on Electronic Privacy. The National Institute for
Government Innovation. April 23-24, 2001. Washington, DC. For more
information: http://www.nigi.org/

The First Annual Privacy and Data Protection Summit. Privacy Officers
Association. May 2-4, 2001. Arlington, VA.
For more information: http://www.privacyassociation.org

The 26th Annual AAAS Colloquium on Science and Technology Policy.
American Association for the Advancement of Science. May 3-4, 2001.
Washington, DC. For more information:
http://www.aaas.org/spp/dspp/rd/colloqu.htm

Future of the Internet: Preserving the Internet's Openness, Freedom,
and Diversity. Center for Media Education and Center for Digital
Democracy. May 9, 2001. Washington, DC. For more information:
agoldman@cme.org

The Internet and State Security Forum (ISSF). Cambridge Review of
International Affairs. May 19, 2001. Cambridge, England. For more
information: http://www.cria.org.uk/

Communication Research and Policy Workshop. Ford Foundation and
Computer Professionals for Social Responsibility (CPSR). May 24,
2001. Washington, DC. For more information:
http://www.cpsr.org/ICA_workshop

The Internet Security Conference (TISC) 2001. Core Competence, Inc.
June 4-8, 2001. Los Angeles, CA. For more information:
http://www.tisc2001.com/

INET 2001: A Net Odyssey, Mobility and the Internet. The 11th Annual
Internet Society Conference. June 5-8, 2001. Stockholm, Sweden. For
more information: http://www.isoc.org/inet2001/

ETHICOMP 2001: Systems of the Information Society. Telecommunications
and Informatics Technical University of Gdansk, Poland. June 18-20,
2001. Gdansk, Poland. For more information:
http://www.ccsr.cse.dmu.ac.uk/conferences/ccsrconf/ethicomp2001/

Democracy Forum 2001: Democracy and the Information Revolution.
International Institute for Democracy and Electoral Assistance. June
27-29, 2001. Stockholm, Sweden. For more information:
http://www.idea.int/frontpage_forum2001.htm

Call for Papers - June 30, 2001. CEPE2001: Computer Ethics,
Philosophical Enquiries. Lancaster University (UK). Centre for Study
of Technology in Organizations, Institute for Environment, Philosophy
and Public Policy. December 14-16, 2001.
For more information:
http://www.lancs.ac.uk/depts/philosophy/conferences/

Call For Submissions - August 3, 2001. Workshop on Security and
Privacy in Digital Rights Management 2001. Eighth Association for
Computing Machinery (ACM) Conference on Computer and Communications
Security. November 5, 2001. For more information:
http://www.star-lab.com/sander/spdrm/

ICSC 2001: International Conference on Social Computing. University
of Bremen. October 1-3, 2001. Bremen, Germany. For more information:
http://icsc2001.informatik.uni-bremen.de/

Privacy2001: Information, Security & Ethics for the New Century.
Technology Policy Group. October 3-4, 2001. Cleveland, Ohio. For more
information: http://www.privacy2000.org/

Learning for the Future. Business for Social Responsibility's Ninth
Annual Conference. November 7-9, 2001. Seattle, WA. For more
information: http://www.bsr.org/events/2001.asp

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. A Web-based form is available for
subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
"unsubscribe".

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and
to send notices about EPIC activities. We do not sell, rent or share
our mailing list. We also intend to challenge any subpoena or other
legal process seeking access to our mailing list. We do not enhance
(link to other databases) our mailing list or require your actual
name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information". Please contact info@epic.org if you have
any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research. For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483
1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can
contribute online at
http://www.guidestar.org/aol/search/report/report.adp?ein=52-2225921

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 8.06 -----------------------