============================================================== @@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @@@@@ @ @@@ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @ ============================================================== Volume 8.11 June 15, 2001 -------------------------------------------------------------- Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. http://www.epic.org/alert/EPIC_Alert_8.11.html ======================================================================= Table of Contents ======================================================================= [1] Supreme Court Rules on Thermal Imaging Case [2] Court of Appeals Asks: Is Computer Code Speech? [3] ICANN Conducts Survey on Whois Policy [4] Experts Discuss Internet Issues at National Press Club [5] Groups Urge FTC to Pursue Privacy Protection [6] EPIC Bill-Track: New Bills in Congress [7] EPIC Bookstore - Invasion of Privacy [8] Upcoming Conferences and Events ======================================================================= [1] Supreme Court Rules on Thermal Imaging Case ======================================================================= In a 5-4 opinion written by Justice Scalia, the U.S. Supreme Court held in Kyllo v. United States that the warrantless use of a thermal imaging device to detect heat emanating from a person's residence constituted an illegal search under the Fourth Amendment. In 1992, Danny Lee Kyllo was arrested after Oregon police searched his home and found more than 100 marijuana plants growing inside. The search warrant was obtained after the police scanned the roofs and walls of Kyllo's home with a thermal imager to detect the infrared rays radiating from the halide lamps typically used to grow marijuana. Kyllo pleaded guilty to the charges, conditioned on his ability to challenge the constitutionality of the search. Although the District Court and Ninth Circuit rejected his Fourth Amendment claim, the Supreme Court reversed, stating that "[w]here, as here, the government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a 'search' and is presumptively unreasonable without a warrant." In an unusual, ideologically diverse faction, Justices Thomas, Souter, Ginsburg and Breyer joined Scalia's opinion. Upholding classic Fourth Amendment jurisprudence, the majority found that the Fourth Amendment protects that over which an individual has a subjective expectation of privacy that society would deem reasonable. Rejecting the dissent's proposition that the scan was not a search because the device did not penetrate the walls of the home but instead merely read "off the wall," Scalia asserted that any and all details about one's home - including so mundane a detail as the infrared rays emitted from within - are intimate not because they are important but because they are private, and thus are protected by the Fourth Amendment. Chief Justice Rehnquist and Justices O'Connor and Kennedy joined Justice Stevens's dissent, which characterized the majority opinion as both too narrow and too broad. Making the traditional distinction between information kept within the home and that which escapes the home and is exposed to "plain view," over which there is no further expectation of privacy, the dissent found Kyllo's privacy interest to be "trivial," especially given that he made no attempt to prevent the heat from escaping his home. Further, Stevens found the majority's emphasis on protection of the home to be a misconstruction of Fourth Amendment jurisprudence, in which the protection is generally granted more broadly to "people, not places." On June 14, House Majority Leader Dick Armey (R-TX) sent a letter to Attorney General John Ashcroft drawing a parallel between the Supreme Court's majority opinion in Kyllo v. United States and the FBI's controversial continued use of the Carnivore Internet surveillance system. In the letter, Rep. Armey asks whether, similar to thermal imaging, Carnivore "undermines the minimum expectation that individuals have that their personal electronic communications will not be examined by law enforcement devices unless a specific court warrant has been issued." According to news reports, Attorney General Ashcroft is reviewing the FBI's use of Carnivore and will soon respond to Rep. Armey directly. Kyllo v. United States, Certiorari to the United States Court of Appeals for the Ninth Circuit, No. 99-8508: http://www.supremecourtus.gov/opinions/00pdf/99-8508.pdf June 14 Letter from House Majority Leader Armey to Attorney General Ashcroft regarding Carnivore (DCS-1000): http://www.freedom.gov/library/technology/ashcroftletter.asp For more information about thermal imaging devices, visit the website of FLIR Systems, Inc.: http://www.flir.com/ ======================================================================= [2] Court of Appeals Asks: Is Computer Code Speech? ======================================================================= The Second Circuit Court of Appeals is considering the question of whether computer code is protected speech under the First Amendment. At issue is a case brought by eight motion picture companies against 2600 Magazine to enjoin it from publishing or linking to DeCSS, a computer program used to circumvent the encryption used in DVDs. The movie studios contend that DeCSS is an unlawful circumvention device and that, as such, the defendants are prohibited by the anti-trafficking provisions of the Digital Millennium Copyright Act (DMCA) from distributing it. The Court heard oral arguments in Universal City Studios, Inc. v. Reimerdes on May 1. A week later it sent written requests to both parties for further clarification on the question of whether DeCSS is itself a form of speech. This question will determine the level of scrutiny the Court will apply when examining the DMCA's restrictions on its dissemination and use. In its reply brief, the Electronic Frontier Foundation, on behalf of the defendant, argues that "DeCSS itself has no non-speech elements" and similarly that its "dissemination .. by a member of the media covering an issue of public concern is pure speech." They liken the computer program to "blueprints and instructions for a photocopier, recipes, books about fixing cars, and videos on baby care" and argue that just because somebody "might use [it] to do something" does not mean that it is any less protected as speech. The movie studios, on the other hand, deny that DeCSS involves any form of speech referring to it as a "digital crowbar" designed to deliberately circumvent copyright protection technologies. They continue that the prohibition on its distribution is just the same as measures prohibiting "the provision of gambling devices, trafficking in satellite theft devices, and trafficking in cable signal theft devices" and is not a content based restriction on speech. Courts have previously ruled that computer source code can be considered speech. Last year, in the case of Junger v. Daley, the Sixth Circuit Court of Appeals held that encryption source code was protected by the Constitution as "an expressive means for the exchange of information and ideas about computer programming" (see EPIC Alert 7.07). The movie studios' brief is available at: http://216.110.42.179/docs/mpaa.appeals.brief.053001.html The Electronic Frontier Foundation (EFF) brief is available at: http://www.eff.org/IP/Video/MPAA_DVD_cases/ 20010530_ny_eff_supl_brief.html The Sixth Circuit decision in Junger v. Daley is available at: http://pacer.ca6.uscourts.gov/cgi-bin/getopn.pl?OPINION=00a0117p.06 ======================================================================= [3] ICANN Conducts Survey on Whois Policy ======================================================================= The Internet Corporation for Assigned Names and Numbers (ICANN) is currently conducting a survey of the Internet community's views on the Whois database and related data protection issues. ICANN is the international organization charged with the management of the Domain Name System (DNS) and other technical functions related to Internet infrastructure. The Whois database provides contact information, through publicly- accessible websites, for all Internet users who have registered domain names. The contact information required for the domain name registration process includes names, mailing addresses, email addresses, fax numbers and telephone numbers. The original and most important purpose of the Whois database is to provide contact information for Internet users in case of network or security problems. Earlier this year, EPIC sent a letter to Congress urging members to closely examine the privacy issues implicated in the Whois database and other privacy practices of registrars, companies that register domain names for individuals and companies. The letter highlights three privacy issues affected by registrar data handling practices. The first is the Whois database that makes contact information publicly available for all domain name registrants. The letter points out that many people who now register domain names do so for personal use or for use in a small business setting and thus may reveal home addresses and phone numbers. The second privacy issue is the current ability of registrars to sell bulk access to domain name registrant data for a fee; thus resulting in the aggressive marketing of such information by registrars like Network Solutions, Inc. (NSI). The third privacy issue is that requirements to provide contact information eliminate the possibility of anonymous registration of domain names. As the letter discusses, anonymous speech is an important element of free expression and should be fostered on the Internet. The letter concludes by urging ICANN and registrars to limit the amount of information required and displayed through domain name registration, to end the sale of domain name registrant data and to promote anonymous registration of domain names. The survey distributed by ICANN is open to the entire Internet community and provides an opportunity to establish a higher level of privacy protection than currently available. The survey is currently only available in English and Spanish but more translations should be forthcoming. Responses will be accepted until July 31st. ICANN Whois Survey: http://www.icann.org/dnso/whois-survey-en-10jun01.htm EPIC Letter on Privacy of Domain Name Registration Data: http://www.epic.org/privacy/internet/ICANN_privacy.html ======================================================================= [4] Experts Discuss Internet Issues at National Press Club ======================================================================= On June 4, EPIC and the Harvard Information Infrastructure Project (HIIP) held an event at the National Press Club titled "Policy Briefing: Emerging Cyberspace Issues." Bringing together legal and technical experts, the event examined Internet Jurisdiction and Global Privacy Protection. The first panel on Internet Jurisdiction included: Professor Julie E. Cohen of Georgetown University Law Center, Professor James Boyle of the Duke University School of Law, Professor David J. Farber of the University of Pennsylvania Computer and Information Science Department, Professor Michael Geist of the University of Ottawa Law School, Professor Pamela Samuelson of the University of California at Berkeley School of Information Management and Systems and School of Law, and Dr. Barbara Simons, Fellow of the American Association for the Advancement of Science. Many of the speakers on the first panel challenged the notion that jurisdiction does not apply to the Internet and said that existing legal standards have not kept up with changes in technology. Professor Geist argued that other factors (such as the use of contracts, geographic-identifying technology and knowledge of parties involved in a dispute that their actions would impact people in a certain forum) should be considered when establishing jurisdiction. Professor Farber added that policy makers should consider the entire communications system rather than just focusing on the Internet. Dr. Simons urged more policy makers to examine the impact and implications of new technology. The second panel on Global Privacy Protection included: Simon Davies of Privacy International, Dr. Whitfield Diffie of Sun Microsystems, Professor Oscar H. Gandy Jr. of the Annenberg School of Communications at the University of Pennsylvania, Austin Hill of Zero-Knowledge Systems, Professor Paul M. Schwartz of Brooklyn Law School and Robert Ellis Smith, publisher of Privacy Journal. Many speakers on the second panel agreed that U.S. privacy laws would have to be strengthened in order to meet the standards set by other countries around the world. Mr. Davies provided an overview of new emerging technologies, such as biometrics and smart cards, that would likely impact privacy in the future. Professor Schwartz discussed recent developments in the Safe Harbor arrangement that provides a framework for data transfers between the European Union and the United States. More information about the event and speakers is available at: http://www.epic.org/events/policy_briefing_2001/ ======================================================================= [5] Groups Urge FTC to Pursue Privacy Protection ======================================================================= Privacy Coalition members have called upon Federal Trade Commission to make privacy protection a top priority for the agency in the Bush Administration. In a letter addressed to the new FTC Chairman, Timothy Muris, Privacy Coalition members wrote that the FTC failed to take action in cases where major companies either unilaterally changed their privacy policies or engaged in improper collection of individuals' data. In light of these lapses, the FTC should take affirmative steps to strengthen privacy protection. Specific steps outlined by Privacy Coalition members include: improving the processing of privacy complaints, submitting an annual FTC report to Congress on the number and nature of privacy complaints received by the agency, entering complaints in the Consumer Sentinel database, reevaluating the protection of consumer privacy under the "unfair and deceptive trade practices" regime, meeting regularly with privacy groups on policy issues, and encouraging the development of Privacy Enhancing Technologies. In recent years, former FTC Chairman Robert Pitofsky increased the agency's involvement in privacy protection. Under Pitofsky's direction, FTC held several public workshops on privacy but has only pursued a handful of privacy cases under its authority to prosecute unfair and deceptive trade practices. These efforts culminated in a May 2000 report to Congress where a majority of FTC Commissioners recommended the adoption of legislation to protect individuals' privacy. In related privacy news, on June 12, Sen. Tom Harkin (D-IA) and Sen. Jim Bunning (R-KY) introduced the Social Security Number Privacy and Identity Theft Prevention Act "to ban the sale or unauthorized publication of an individual's Social Security number." The press release accompanying the introduction of the bill cites the need for protections given the growing incidence of identity theft and promises future hearings on Social Security number privacy. Privacy Coalition Letter to FTC Chair Muris: http://www.privacypledge.org/ftcmuris.html EPIC's May 2001 Testimony before the House Subcommittee on Social Security on privacy issues: http://www.epic.org/privacy/ssn/testimony_0501.html EPIC Social Security Numbers and Privacy Page: http://www.epic.org/privacy/ssn/ ======================================================================= [6] EPIC Bill-Track: New Bills in Congress ======================================================================= *House* H.R.1971 Voting Rights Protection Act of 2001. To amend the National Voter Registration Act of 1993 to require States to give notice and an opportunity for review prior to removing individuals from the official list of eligible voters in elections for Federal office by reason of criminal conviction, and for other purposes. Sponsor: Rep Meek, Carrie P. (D-FL). Latest Major Action: 5/23/2001 Referred to House committee: House Administration. H.R.2031 Consumer Credit Report Accuracy and Privacy Act of 2001. To amend the Fair Credit Reporting Act to allow any consumer to receive a free credit report annually from any consumer reporting agency. Sponsor: Rep Roybal-Allard, Lucille (D-CA). Latest Major Action: 5/25/2001 Referred to House committee: House Financial Services. H.R.2036 Social Security Number Privacy and Identity Theft Prevention Act of 2001. To amend the Social Security Act to enhance privacy protections for individuals, to prevent fraudulent misuse of the Social Security account number, and for other purposes. Sponsor: Rep Shaw, E. Clay, Jr. R-FL). Latest Major Action: 5/25/2001 Referred to House committee: House Financial Services; House Energy and Commerce; House Ways and Means. H.RES.159. Expressing the sense of the House of Representatives that machine-readable privacy policies and the Platform for Privacy Preferences Project specification, commonly known as the P3P specification, are important tools in protecting the privacy of Internet users, and for other purposes. Sponsor: Rep Smith, Adam (D-WA). Latest Major Action: 6/7/2001 Referred to House committee: House Government Reform; House Administration; House Energy and Commerce. *Senate* S.918 Child Support Distribution Act of 2001. A bill to provide more child support money to families leaving welfare, to simplify the rules governing the assignment and distribution of child support collected by States on behalf of children, to improve the collection of child support, and for other purposes. Sponsor: Sen Snowe, Olympia J. (R-ME). Latest Major Action: 5/21/2001 Referred to Senate committee: Senate Finance. S.1014 Social Security Number Privacy and Identity Theft Prevention Act of 2001. A bill to amend the Social Security Act to enhance privacy protections for individuals, to prevent fraudulent misuse of the Social Security account number, and for other purposes. Sponsor: Sen Bunning, Jim (R-KY). Latest Major Action: 6/12/2001 Referred to Senate committee: Senate Finance. EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills in the 107th Congress, is available at: http://www.epic.org/privacy/bill_track.html ======================================================================= [7] EPIC Bookstore - Invasion of Privacy ======================================================================= Invasion of Privacy: How to Protect Yourself in the Computer Age by Michael Hyatt http://www.powells.com/cgi-bin/partner?partner_id=24075&cgi=search/ search&searchtype=isbn&searchfor=0895262878 From best-selling author and leading consumer advocate Michael Hyatt comes a startling report of how the government, industry, individuals, and interest groups have access to personal information about you. Fortunately, "Invasion of Privacy: How to Protect Yourself in the Digital Age" contains valuable information about what you can do to protect yourself. For other books recommended by EPIC, browse the EPIC Bookshelf at: http://www.powells.com/features/epic/epic.html ================================ EPIC Publications: "Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls," (EPIC 2001). Price: $20. http://www.epic.org/bookstore/filters2.0/ A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression. ================================ "The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40. http://www.epic.org/cls/ The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy. ================================ "Privacy & Human Rights 2000: An International Survey of Privacy Laws and Developments," David Banisar, author (EPIC 2000). Price: $20. http://www.epic.org/phr/ This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including, data protection, telephone tapping, genetic databases, ID systems and freedom of information laws. ================================ "The Privacy Law Sourcebook 2000: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000). Price: $40. http://www.epic.org/pls/ The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources. ================================ "Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20. http://www.epic.org/crypto&/ EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement. ================================ Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore: http://www.epic.org/bookstore/ ======================================================================= [8] Upcoming Conferences and Events ======================================================================= ETHICOMP 2001: Systems of the Information Society. Telecommunications and Informatics Technical University of Gdansk, Poland. June 18-20, 2001. Gdansk, Poland. For more information: http://www.ccsr.cse.dmu.ac.uk/conferences/ccsrconf/ethicomp2001/ Computer System Security and Privacy Advisory Board (CSSPAB) Public Meeting. John Marshall Law School. June 19-21, 2001. Chicago, IL. For more information: http://csrc.nist.gov/csspab/ ACS/IEEE International Conference on Computer Systems and Applications 2001: Taking Stock of Existing Technology, Charting Future Trends. Lebanese American University. June 25-29, 2001. Beirut, Lebanon. For more information: http://www.lau.edu.lb/news-events/conferences/aiccsa2001.html Democracy Forum 2001: Democracy and the Information Revolution. International Institute for Democracy and Electoral Assistance. June 27-29, 2001. Stockholm, Sweden. For more information: http://www.idea.int/frontpage_forum2001.htm Call for Papers - June 30, 20001. CEPE2001: Computer Ethics, Philosophical Enquiries. Lancaster University (UK). Centre for Study of Technology in Organizations, Institute for Environment, Philosophy and Public Policy. December 14-16, 2001. For more information: http://www.lancs.ac.uk/depts/philosophy/conferences/ Re-shaping the Culture of Research: People, Participation, Partnerships & Practical Tools - Fourth Annual Community Research Network Conference. The Loka Institute. July 6-8, 2001. Austin, TX. For more information: http://www.loka.org/ The Online Privacy Conference: Integrating Security and Privacy for Data Protection. MIS Training Institute. July 17-18, 2001, Optional Workshops July 16, 2001. Chicago, IL. For more information: http://www.misti.com/conference_show.asp?id=MP1 Privacy: The New Management Imperative - Chief Privacy Officer Training Program. Southern Methodist University and Privacy Council. July 17-19 and October 15-17, 2001. Dallas, TX. For more information: http://execdev.cox.smu.edu/ Health Information Privacy: Dialogue with the Stakeholders. Riley Information Services, Inc. September 28, 2001. Ottawa, Canada. For more information: http://www.rileyis.com/seminars/ Call For Submissions - August 3, 2001. Workshop on Security and Privacy in Digital Rights Management 2001. Eighth Association for Computing Machinery (ACM) Conference on Computer and Communications Security. November 5, 2001. For more information: http://www.star-lab.com/sander/spdrm/ ICSC 2001: International Conference on Social Computing. University of Bremen. October 1-3, 2001. Bremen, Germany. For more information: http://icsc2001.informatik.uni-bremen.de/ Privacy2001: Information, Security & Ethics for the New Century. Technology Policy Group. October 3-4, 2001. Cleveland, Ohio. For more information: http://www.privacy2000.org/ Nurturing the Cybercommons, 1981-2001. Computer Professionals for Social Responsibility (CPSR) 20th Annual Meeting. October 19-21, 2001. Ann Arbor, MI. For more information: http://www.cpsr.org/conferences/annmtg01/ Privacy: The New Management Imperative - Chief Privacy Officer Training Program. Cambridge University and Privacy Council. November 5-8, 2001. Cambridge, England. For more information: kturner@privacycouncil.com Learning for the Future. Business for Social Responsibility's Ninth Annual Conference. November 7-9, 2001. Seattle, WA. For more information: http://www.bsr.org/events/2001.asp ======================================================================= Subscription Information ======================================================================= The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at: http://www.epic.org/alert/subscribe.html To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe". Back issues are available at: http://www.epic.org/alert/ ======================================================================= Privacy Policy ======================================================================= The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you have any other questions. ======================================================================= About EPIC ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at http://www.guidestar.org/aol/search/report/report.adp?ein=52-2225921 Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ---------------------- END EPIC Alert 8.11 ----------------------- .