==============================================================
EPIC Alert
==============================================================
Volume 8.07                                     April 18, 2001
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_8.07.html

=======================================================================
Table of Contents
=======================================================================

[1] Medical Privacy Regulations Go Forward
[2] High Court Urged Not to Review Censorship Ruling
[3] Group Explains and Examines Financial Privacy Notices
[4] ChoicePoint Sells Personal Data to FBI
[5] Study Examines Public Opinion on Privacy and FOI
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - Digital Copyright
[8] Upcoming Conferences and Events

=======================================================================
[1] Medical Privacy Regulations Go Forward
=======================================================================

Last week, President George W. Bush and Health and Human Services (HHS) Secretary Tommy Thompson announced that there will be no delay in the implementation of the medical privacy regulations issued in the final weeks of the Clinton presidency.

The development of the regulations was mandated by the Health Insurance Portability and Accountability Act (HIPAA), a 1996 bill that provided for the specification of standards to facilitate the transfer of electronic medical data. At the time, a bi-partisan consensus recognized that the ease of communicating medical data could result in violations of privacy. Accordingly, HIPAA called for privacy protections to be formulated by Congress or HHS.

The regulations provide the first baseline federal protection for the privacy of medical information, whether communicated electronically, by paper, or orally. When fully implemented in 2003, patients will have the right to notice of privacy policies, request restrictions on disclosure, amend their records, receive an accounting of disclosures, and file a complaint with the Secretary of Health and Human Services.

Certain provisions of the regulations fail to adequately protect patients' privacy. For instance, one section allows law enforcement agents to gain access to medical information without court oversight. Another allows marketers to contact individual patients about their conditions in order to send commercial solicitations. Patients must "opt-out" of these solicitations after they are contacted by the marketer.

In March, over a dozen members of the Privacy Coalition sent a letter urging that implementation of the privacy regulations go forward without further delay and that the Secretary close the law enforcement and marketing loopholes.

The Bush administration has indicated that some provisions of the regulations are likely to be changed. EPIC along with other groups will monitor these changes as they occur.

Privacy Coalition Letter to Secretary Thompson:

     http://www.privacypledge.org/hipaa.html

The HIPAA Privacy Regulations are available at:

     http://www.hhs.gov/ocr/hipaa/

=======================================================================
[2] High Court Urged Not to Review Censorship Ruling
=======================================================================

EPIC has joined with the American Civil Liberties Union and the Electronic Frontier Foundation in asking the U.S. Supreme Court not to disturb a lower court ruling that found the Child Online Protection Act (COPA) to be unconstitutional.

In a brief filed on April 16, the groups oppose a petition for certiorari submitted by the Justice Department seeking Supreme Court review of the June 2000 decision of the U.S. Court of Appeals for the Third Circuit in Philadelphia. In that opinion, a unanimous three-judge panel expressed its belief that the 1998 censorship law is fatally flawed.

The legislation was introduced in Congress after an earlier effort to regulate children's access to "indecent" material, the Communications Decency Act (CDA), was held unconstitutional by a unanimous U.S. Supreme Court in 1997. To date, every federal judge to consider the legality of either CDA or COPA has found that the Internet content regulation laws violate the First Amendment.

COPA would make it a federal crime to "knowingly" communicate "for commercial purposes" material considered "harmful to minors" to anyone under the age of 17. Penalties include fines of up to $50,000 for each day of violation and up to six months in prison. Compliance with COPA would require websites to obtain identification and age verification from visitors, a feature of the law that EPIC has argued threatens online privacy and anonymity.

In arguing against Supreme Court review, the free speech groups tell the Court that COPA suffers from the very same fundamental defects that caused this Court to strike down the CDA as unconstitutional. Both statutes, in their attempt to deny minors access to certain speech, "effectively suppress[] a large amount of speech that adults have a constitutional right to receive and to address to one another" and are therefore unconstitutionally overbroad.

Complete information on the COPA litigation, including the text of the brief opposing Supreme Court review, is available at:

     http://www.epic.org/free_speech/copa/

=======================================================================
[3] Group Explains and Examines Financial Privacy Notices
=======================================================================

Over the next several months, millions of Americans will begin receiving notices concerning the protection of their personal financial information. Part of the Gramm-Leach-Bliley Act (GLB) requires financial institutions to send consumers yearly notices on how their personal financial data is used. Despite the length of most of the notices, financial institutions are only legally required to provide an opt-out before sharing information with unaffiliated third parties.

By July 1, 2001, every financial institution should have sent a notice to every one of its account holders. Most of these notices will probably be included with monthly account statements.

The Privacy Rights Clearinghouse (PRC) has developed a number of fact sheets on these financial privacy notices. "Financial Privacy: How to Read Your 'Opt-Out' Notices" helps break down some of the key terms likely to be used in the privacy notices. It also provides a sample opt-out letter so that consumers can prevent unwanted information sharing.

PRC has also released "Lost in the Fine Print: Readability of Financial Privacy Notices," a study examining the clarity of the financial privacy notices. The study found that the privacy notices, in terms of ease of understanding, were short of current state readability requirements for other types of documents such as insurance policies.

In other privacy news, the U.S. General Accounting Office (GAO) and the Progressive Policy Institute have recently released reports on data protection issues.
On April 12, GAO posted a report looking at "Record Linkage and Privacy: Issues in Creating New Federal Research and Statistical Information." The report examines issues such as how de-identified data may become re-identified as describing a particular person and how various techniques may help address the privacy concerns.

At an April 16 event hosted by George Washington University, the Progressive Policy Institute issued "Online Privacy and a Free Internet Striking a Balance," a report containing its recommendation for Congressional treatment of Internet privacy. The report recommended limited legislation that requires websites to provide only notice and an opt-out and would pre-empt the states' abilities to enact stronger privacy laws on their own.

Privacy Rights Clearinghouse Fact Sheets (some fact sheets also available in Spanish):

     http://www.privacyrights.org/fs/

"Lost in the Fine Print: Readability of Financial Privacy Notices":

     http://www.privacyrights.org/ar/GLB-Reading.htm

=======================================================================
[4] ChoicePoint Sells Personal Data to FBI
=======================================================================

As reported in the Wall Street Journal on April 13, the FBI, the IRS and other government agencies frequently purchase information concerning U.S. citizens from private companies.

The Privacy Act of 1974 places restrictions on the collection, use and dissemination of personal information by government agencies only and places no limitations on the private sector. Therefore government agencies have begun to rely on the huge databases that are freely maintained by private companies in order to retrieve information -- such as birthdates, Social Security numbers, credit histories, purchasing habits, financial and medical records -- that they could not otherwise legally collect.

One of the largest providers of these kinds of services is ChoicePoint, Inc.
This publicly-owned company offers easy searching and "look-up" services for government officials. It even maintains customized Web sites for the FBI, the INS and the Department of Housing and Urban Development. These activities (and its role in the Presidential election controversy in Florida last year) have earned ChoicePoint a special kind of notoriety. At Privacy International's Big Brother Award ceremony held in Cambridge, MA on March 7, ChoicePoint received the "Greatest Corporate Invader" award "for massive selling of records, accurate and inaccurate to cops, direct marketers and election officials."

Information about Privacy International's Third Annual Big Brother Awards is available at:

     http://www.privacyinternational.org/bigbrother/us2001/

=======================================================================
[5] Study Examines Public Opinion on Privacy and FOI
=======================================================================

On April 3, the American Society of Newspaper Editors and the First Amendment Center released "Freedom of Information in the Digital Age," a study examining the public's attitudes towards privacy and open government. The study concludes that further efforts to ensure open government must take into account the public's growing focus on privacy issues.

In one of the first series of questions, the survey found that 61 percent of those polled were very concerned about privacy. In comparison, 65 percent were very concerned about crime and 63 percent were very concerned about access to health care. In addition, the report also found that 60 percent of those questioned thought that public access to government records is crucial to the operation of good government.

A variety of opinions were received in response to questions about the types of records that should be publicly available.
Sixty-six percent of those polled believed that the salaries of public officials should definitely be made available, while only 18 percent thought the same of divorce records. Also, forty-nine percent of respondents strongly agreed that citizens have no control over personal information in the hands of government. An identical 49 percent strongly agreed that citizens have no control over personal data held by the private sector.

"Freedom of Information in the Digital Age" can be downloaded from:

     http://www.freedomforum.org/templates/document.asp?documentID=13597

=======================================================================
[6] EPIC Bill-Track: New Bills in Congress
=======================================================================

*House*

H.R.1215 Medical Information Protection and Research Enhancement Act of 2001. To ensure confidentiality with respect to medical records and health care-related information, and for other purposes. Sponsor: Rep Greenwood, James C. (R-PA) Latest Major Action: 3/27/2001 Referred to House committee: House Energy and Commerce; House Judiciary.

H.R.1223 Parolee LEADS Public Safety Grant Program Act of 2001. To make grants to States for providing information regarding parolees to local law enforcement agencies, and for other purposes. Sponsor: Rep Baca, Joe (D-CA) Latest Major Action: 3/27/2001 Referred to House committee: House Judiciary.

H.R.1259 Computer Security Enhancement Act of 2001. To amend the National Institute of Standards and Technology Act to enhance the ability of the National Institute of Standards and Technology to improve computer security, and for other purposes. Sponsor: Rep Morella, Constance A. (R-MD) Latest Major Action: 3/28/2001 Referred to House committee: House Science.

H.R.1292 Homeland Security Strategy Act of 2001. To require the President to develop and implement a strategy for homeland security.
Sponsor: Rep Skelton, Ike (D-MO) Latest Major Action: 3/29/2001 Referred to House committee: House Armed Services; House Judiciary; House Transportation and Infrastructure; House Select Committee on Intelligence.

H.R.1408 Financial Services Antifraud Network Act of 2001. To safeguard the public from fraud in the financial services industry, to streamline and facilitate the antifraud information-sharing efforts of Federal and State regulators, and for other purposes. Sponsor: Rep Rogers, Mike (R-MI). Latest Major Action: 4/4/2001 Referred to House committee: House Agriculture; House Financial Services; House Judiciary.

H.R.1424. To amend the Telemarketing and Consumer Fraud and Abuse Prevention Act to direct the Federal Trade Commission to prescribe rules that prohibit certain deceptive and abusive recovery practices in connection with telemarketing. Sponsor: Rep Baca, Joe (D-CA). Latest Major Action: 4/4/2001 Referred to House committee: House Energy and Commerce.

H.R.1478. To protect the privacy of the individual with respect to the Social Security number and other personal information, and for other purposes. Sponsor: Rep Kleczka, Gerald D. (D-WI). Latest Major Action: 4/4/2001 Referred to House committee: House Financial Services; House Ways and Means.

*Senate*

S.630, The Can Spam Act. A bill to prohibit senders of unsolicited commercial electronic mail from disguising the source of their messages, to give consumers the choice to cease receiving a sender's unsolicited commercial electronic mail messages, and for other purposes. Sponsor: Sen Burns, Conrad R. (R-MT). Latest Major Action: 3/27/2001 Referred to Senate committee: Senate Commerce, Science, and Transportation.

S.722. A bill to amend the Communications Act of 1934 to prohibit telemarketers from interfering with the caller identification service of any person to whom a telephone solicitation is made, and for other purposes.
Sponsor: Sen Frist, Bill (R-TN) Latest Major Action: 4/5/2001 Referred to Senate committee: Senate Commerce, Science, and Transportation.

EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills in the 107th Congress, is available at:

     http://www.epic.org/privacy/bill_track.html

=======================================================================
[7] EPIC Bookstore - Digital Copyright
=======================================================================

Digital Copyright: Protecting Intellectual Property on the Internet
by Jessica Litman

The Internet has been hailed as the most revolutionary social development since the printing press. In many ways its astonishing growth has outstripped any historical analogy we can unearth. What has fueled much of that growth has been the explosion of new possibilities for connections--among people, among different formerly discrete packages of information, among ideas. Digital media and network connections, it is said, are the most democratic of media, promoting free expression and access to information wherever a computer can be hooked up to a telephone line.

In this celebration of new possibilities, we tend to emphasize the many things that become feasible when people have ready access to information sources and to other people not practicably available before. The scope and the speed of interconnected digital networks make conversations easy that before were unimaginable. But the technological marvel that makes this interconnection possible has other potential as well. Digital technology makes it possible to monitor, record and restrict what people look at, listen to, read and hear.

Why, in the United States, would one want to do such a thing? To get paid. If someone, let's call him Fred, keeps track of what we see and hear, that enables Fred to ensure that we pay for our sights and sounds. Once information is valuable, an overwhelming temptation arises to appropriate that value, to turn it into cash.
Now that technology permits the dissemination of information on a pay-per-view basis, we've seen the emergence of a new way of thinking about copyright: Copyright is now seen as a tool for copyright owners to use to extract all the potential commercial value from works of authorship, even if that means that uses that have long been deemed legal are now brought within the copyright owner's control.

In 1998, copyright owners persuaded Congress to enhance their rights with a sheaf of new legal and technological controls. Armed with those copyright improvements, copyright lawyers began a concerted campaign to remodel cyberspace into a digital multiplex and shopping mall for copyright-protected material. The outcome of that effort is still uncertain. If current trends continue unabated, however, we are likely to experience a violent collision between our expectations of freedom of expression and the enhanced copyright law.

For other books recommended by EPIC, browse the EPIC Bookshelf at:

     http://www.powells.com/features/epic/epic.html

================================

EPIC Publications:

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Privacy & Human Rights 2000: An International Survey of Privacy Laws and Developments," David Banisar, author (EPIC 2000). Price: $20.
http://www.epic.org/phr/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world.
The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

================================

"The Privacy Law Sourcebook 2000: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000). Price: $40.
http://www.epic.org/pls/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

"Filters and Freedom: Free Speech Perspectives on Internet Content Controls," David Sobel, editor (EPIC 1999). Price: $20.
http://www.epic.org/filters&freedom/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore:

     http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Are the Crypto Wars Over?: Privacy, Digital Security and the Future of Encryption Policy.
The Cato Institute. April 19, 2001. Washington, DC. For more information: http://www.cato.org/events/010419bf.html

Globalizing the Rule of Law Through Information Policy. Washington College of Law, Fund for Constitutional Government and the Government Accountability Project. April 20, 2001. Washington, DC. For more information: http://www.wcl.american.edu/

Beyond the Information Superhighway: Searching for the Next Policy Metaphor. Center for Law, Commerce & Technology, University of Washington School of Law. April 20-22, 2001. Seattle, WA. For more information: http://www.law.washington.edu/lct/

National Summit on Electronic Privacy. The National Institute for Government Innovation. April 23-24, 2001. Washington, DC. For more information: http://www.nigi.org/

Privacy Under Assault: Can Encryption Safeguard the Internet? 2001 Marconi Forum on Internet Privacy, Columbia University. April 24, 2001. New York, NY. For more information: http://www.seas.columbia.edu/marconi/PrivacyForum.html

Technology and Us - A Vision for the Future. Center for Science, Technology & Society, Santa Clara University. April 26, 2001. Santa Clara, CA. For more information: http://sts.scu.edu/150th/

The First Annual Privacy and Data Protection Summit. Privacy Officers Association. May 2-4, 2001. Arlington, VA. For more information: http://www.privacyassociation.org

The 26th Annual AAAS Colloquium on Science and Technology Policy. American Association for the Advancement of Science. May 3-4, 2001. Washington, DC. For more information: http://www.aaas.org/spp/dspp/rd/colloqu.htm

Surveillance, Risk, and Social Categorization. The Surveillance Project, Queen's University. May 3-5, 2001. Kingston, Ontario CANADA. For more information: http://qsilver.queensu.ca/sociology/Surveillance/Workshops_Conferences.htm

Future of the Internet: Preserving the Internet's Openness, Freedom, and Diversity. Center for Media Education and Center for Digital Democracy. May 9, 2001. Washington, DC.
For more information: agoldman@cme.org

The Internet and State Security Forum (ISSF). Cambridge Review of International Affairs. May 19, 2001. Cambridge, England. For more information: http://www.cria.org.uk/

Communication Research and Policy Workshop. Ford Foundation and Computer Professionals for Social Responsibility (CPSR). May 24, 2001. Washington, DC. For more information: http://www.cpsr.org/ICA_workshop

It's the Public's Right. National Freedom of Information Coalition. May 25-27, 2001. Newport Beach, CA. For more information: http://www.reporters.net/nfoic/

Call for Papers - June 1, 2001. Summer 2001 Issue on Cybermedicine. John Marshall Journal of Computer and Information Law. For more information: 5simondo@stu.jmls.edu

The Internet Security Conference (TISC) 2001. Core Competence, Inc. June 4-8, 2001. Los Angeles, CA. For more information: http://www.tisc2001.com/

INET 2001: A Net Odyssey, Mobility and the Internet. The 11th Annual Internet Society Conference. June 5-8, 2001. Stockholm, Sweden. For more information: http://www.isoc.org/inet2001/

ETHICOMP 2001: Systems of the Information Society. Telecommunications and Informatics Technical University of Gdansk, Poland. June 18-20, 2001. Gdansk, Poland. For more information: http://www.ccsr.cse.dmu.ac.uk/conferences/ccsrconf/ethicomp2001/

Democracy Forum 2001: Democracy and the Information Revolution. International Institute for Democracy and Electoral Assistance. June 27-29, 2001. Stockholm, Sweden. For more information: http://www.idea.int/frontpage_forum2001.htm

Call for Papers - June 30, 2001. CEPE2001: Computer Ethics, Philosophical Enquiries. Lancaster University (UK). Centre for Study of Technology in Organizations, Institute for Environment, Philosophy and Public Policy. December 14-16, 2001.
For more information: http://www.lancs.ac.uk/depts/philosophy/conferences/

Re-shaping the Culture of Research: People, Participation, Partnerships & Practical Tools - Fourth Annual Community Research Network Conference. The Loka Institute. July 6-8, 2001. Austin, TX. For more information: http://www.loka.org/

Call For Submissions - August 3, 2001. Workshop on Security and Privacy in Digital Rights Management 2001. Eighth Association for Computing Machinery (ACM) Conference on Computer and Communications Security. November 5, 2001. For more information: http://www.star-lab.com/sander/spdrm/

ICSC 2001: International Conference on Social Computing. University of Bremen. October 1-3, 2001. Bremen, Germany. For more information: http://icsc2001.informatik.uni-bremen.de/

Privacy2001: Information, Security & Ethics for the New Century. Technology Policy Group. October 3-4, 2001. Cleveland, Ohio. For more information: http://www.privacy2000.org/

Nurturing the Cybercommons, 1981-2001. Computer Professionals for Social Responsibility (CPSR) 20th Annual Meeting. October 19-21, 2001. Ann Arbor, MI. For more information: http://www.cpsr.org/conferences/annmtg01/

Learning for the Future. Business for Social Responsibility's Ninth Annual Conference. November 7-9, 2001. Seattle, WA. For more information: http://www.bsr.org/events/2001.asp

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you have any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at http://www.guidestar.org/aol/search/report/report.adp?ein=52-2225921

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 8.07 -----------------------