==============================================================

                          EPIC ALERT

==============================================================
Volume 8.13                                      July 18, 2001
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_8.13.html

=======================================================================
Table of Contents
=======================================================================

[1] Appeals Court Decision Protects Anonymous Online Speech
[2] Consumer and Privacy Groups Outline FTC Priorities
[3] HHS Clarifies Privacy Rule, May Change Minors' Rights
[4] EPIC Testifies before Congress on Internet Privacy
[5] Florida Court Blocks Access to Autopsy Photos
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - Dmitri Sklyarov Reading List
[8] Upcoming Conferences and Events

=======================================================================
[1] Appeals Court Decision Protects Anonymous Online Speech
=======================================================================

In the first appellate court decision to consider the issue, a New Jersey court on July 11 rejected a company's attempt to obtain the identities of anonymous Internet critics. A three-judge panel of the New Jersey Superior Court, Appellate Division, ruled that the company, Dendrite International, failed to meet the stringent legal standards required to obtain subpoenas for the disclosure of the identities of people who post comments on Internet message boards. The decision affirms a lower court ruling issued last November (see EPIC Alert 7.21).

Dendrite had sued four people who anonymously posted messages critical of the company on a Yahoo!
message board, alleging that the posters had made false statements, had violated employment agreements, and/or had published secret information.

Noting that "[i]t is well-established that rights afforded by the First Amendment remain protected even when engaged in anonymously," the appeals court adopted a four-part test to ensure that the right to speak anonymously can be lost only if the plaintiff can show that it has a valid case against the speakers that could not be pursued without identifying the speakers.

Under this standard, a court should first require the plaintiff to attempt to notify the anonymous posters that their identities are being sought and give the "John Doe" defendants an opportunity to oppose the request. Second, the plaintiffs must identify the exact statements alleged to be unlawful. Third, the court must then determine both whether the complaint states a valid claim for relief and whether the plaintiff has enough evidence to support its claim. Finally, if the first three criteria are met, the court must balance the defendant's First Amendment right of anonymous free speech against the strength of the case and the necessity for identifying the poster.

The appeals court upheld the lower court ruling that Dendrite had not met this standard, because there was no proof that the messages had caused its stock price to fall or had otherwise caused it harm.

The procedures adopted by the court had been proposed in an amicus brief filed by Public Citizen Litigation Group and the American Civil Liberties Union of New Jersey Foundation. The decision is likely to be influential in other cases, which are growing in frequency; Yahoo! recently told a judge in another case that it has received thousands of subpoenas like Dendrite's.
The appeals court decision is available at:

     http://www.judiciary.state.nj.us/opinions/A2774-00.htm

The Public Citizen/ACLUNJF amicus brief is available at

     http://www.citizen.org/litigation/briefs/dendwebamicus.htm

=======================================================================
[2] Consumer and Privacy Groups Outline FTC Priorities
=======================================================================

On July 17, members of the Privacy Coalition, a non-partisan coalition of consumer, civil liberties, educational, library, labor, and family-based groups, met with Federal Trade Commission (FTC) Chairman Timothy Muris. The Coalition presented a letter to the Chairman with recommendations for future FTC action on privacy issues. This is the second meeting that the Privacy Coalition has had with the Chairman. Chairman Muris says that he has devoted more time to privacy than any other issue since taking over at the FTC.

In the meeting, Coalition members stressed that a top priority for the Commission should be to develop a better complaint handling system that would make it easier to receive, process and respond to privacy complaints from individual members of the public. They also recommended that the resulting statistics be published in an annual report similar to that submitted by the Administrative Office of the U.S. Courts each year on federal and state applications for wiretaps.

Considerable discussion was devoted to the enforcement of existing privacy laws in the offline sector, such as the Fair Credit Reporting Act and the Telemarketing Sales Rule, as well as the need for reforms and increased oversight in the online sector. The Coalition urged the FTC to promote the principles of Fair Information Practices, rather than simply "notice and choice," when investigating companies that routinely change their privacy policies or when endorsing industry guidelines such as last year's agreement with the Network Advertising Initiative on online profiling.
Finally, the Coalition encouraged the Commission to continue to hold public workshops on privacy and security related issues and to establish contact with the national data protection commissions that have been established in many other countries around the world.

A copy of the letter presented to the Chairman is available at:

     http://www.epic.org/privacy/muris_letter.html

For more information on the Privacy Coalition, see:

     http://www.privacypledge.org/

=======================================================================
[3] HHS Clarifies Privacy Rule, May Change Minors' Rights
=======================================================================

The Department of Health and Human Services (HHS) has released guidelines clarifying the Privacy Rule, a framework of new protections for patient information developed pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule sets the first federal standards for protection of individually identifiable health information. The new HHS guidelines on the Privacy Rule indicate that HHS will "reassess" the rights of parents to access the medical records of their minor children. The agency will also change certain rules to accommodate common practices in the health care industry.

Generally, the Privacy Rule assumes that parents are the "personal representatives" of their minor children, and that they can receive protected health information without consent of the child. The Privacy Rule contains two exemptions to this assumption. The first allows a parent to permit a direct confidential relationship between the care provider and child for treatment. The second permits the provider to withhold information from the parent where the child may be endangered as a result of the disclosure. The guidelines specify that HHS Secretary Thompson will reassess these exemptions.
HHS has indicated that the Privacy Rule will be changed to accommodate certain common practices in delivery of health care. For instance, HHS will modify provisions to allow pharmacists to accept phoned-in prescription orders without first obtaining written consent from the patient. In addition, contrary to arguments made by opponents of the Privacy Rule, hospitals and other medical facilities will not have to build soundproof rooms to prevent others from overhearing patient information. The HHS clarification specifies that reasonable safeguards, such as lowering the volume of one's voice, can be used to prevent inappropriate disclosure of patient information.

Before HHS is able to change aspects of the Privacy Rule, the agency must first publish a notice in the Federal Register and accept comments from the public. EPIC will track these developments as they occur.

Standards for Privacy of Individually Identifiable Health Information:

     http://www.hhs.gov/ocr/hipaa/finalmaster.html

HHS Fact Sheet describing the Privacy Rule protections:

     http://www.hhs.gov/news/press/2001pres/01fsprivacy.html

=======================================================================
[4] EPIC Testifies before Congress on Internet Privacy
=======================================================================

On July 11, 2001, the Senate Committee on Commerce, Science, and Transportation held a hearing on the need for privacy legislation. During the hearing, the Committee examined existing laws protecting privacy, in the U.S. and abroad, to determine what kind of privacy legislation might be appropriate for the Internet.

The hearing consisted of two panels. The first panel included EPIC Executive Director Marc Rotenberg, Indiana University School of Law Professor Fred Cate, and Brooklyn Law School Professor Paul Schwartz, Ph.D.
The second panel included Amazon.com Vice President of Global Public Policy, Paul Misener, author Hans Peter Brondmo, VP and Chief Privacy Officer of Earthlink Inc., Les Seagraves, Associate General Counsel for Microsoft Corporation, Ira Rubinstein, and Jason Catlett, President of Junkbusters.

Marc Rotenberg of EPIC testified that legislation to protect privacy on the Internet is necessary for many reasons. For one, it has been the legal tradition to introduce new legislation when new electronic services are provided, whereas privacy on the Internet has heretofore been self-regulated. Legislation to protect Internet privacy would help users bypass the various problems encountered with self-regulation. Rotenberg stated that good Internet privacy legislation would include provisions on such issues as openness and accountability, meaningful consent, and private right of action, and that weak legislation that failed to properly safeguard personal information would merely increase public backlash.

Rotenberg also argued that current public opinion shows the majority of Internet users want the ability to control the collection and use of personal data and users would like data collection and usage to be regulated by legislation. In a recent Gallup Poll, 66% of e-mail users said that the federal government should pass laws to protect privacy online. The poll found that support for legislation increased as the level of experience increased. Frequent Internet users (those who spend 15 hours or more online each week) are more likely to favor the passage of new laws (75%) than infrequent users (63%).

In related news, on July 12, the House Subcommittee on Courts, the Internet, and Intellectual Property held a hearing on "The Whois Database: Privacy and Intellectual Property Issues."
At the hearing, the Electronic Privacy Information Center (EPIC) issued a letter to the Subcommittee outlining the free speech and anonymity arguments for supporting only voluntary submission of information to the Whois database. The Internet Corporation for Assigned Names and Numbers (ICANN) is currently conducting a survey of the Internet community's attitudes on proper requirements and uses of the Whois database (see EPIC Alert 8.11). ICANN will be accepting responses until the end of July.

EPIC's Testimony on Internet Privacy is available at:

     http://www.epic.org/privacy/internet/testimony_0701.html

Written testimony from the witnesses is available at:

     http://www.senate.gov/~commerce/hearings/hearings.htm

EPIC Letter to the House Subcommittee on Courts, the Internet, and Intellectual Property on the Whois database:

     http://www.epic.org/privacy/internet/whois_0701.html

=======================================================================
[5] Florida Court Blocks Access to Autopsy Photos
=======================================================================

Applying a recently-enacted state law sealing autopsy photographs absent judicial authorization, a Florida judge has blocked media access to autopsy images of racecar driver Dale Earnhardt, who was killed in a last-lap crash during the Daytona 500 in February. Citing the family's privacy interest, Earnhardt's widow filed a lawsuit seeking to block access to the autopsy records on February 22, just four days after the racing legend died.

Initially, access was sought by the Orlando Sentinel to confirm NASCAR statements that a broken seatbelt contributed to Earnhardt's death, an assertion hotly contested by both paramedics on the scene and the seatbelt's manufacturer. These allegations were ultimately refuted after a settlement between Teresa Earnhardt and the Sentinel, in which an independent medical examiner was appointed to examine the autopsy photographs and issue a report as to the cause of death.
However, in the subsequent four-month legal battle, attorneys for the Independent Florida Alligator, a student-run newspaper at the University of Florida, and websitecity.com (neither parties to the settlement) argued that public review of the photographs was necessary to prevent future racing fatalities and to ensure that the county coroner did an adequate job assessing the cause of death.

Teresa Earnhardt urged the judge to personally examine the photographs, so that he could better understand their graphic nature. She vehemently opposed access to the pictures, stating that the photographs were "humiliating, disgusting, and negative," and that dissemination would cause the family extreme emotional distress.

In a final order issued July 9, following months of heated arguments between attorneys for all parties, Circuit Judge Joseph Will ruled that the new statute is constitutional. Although Judge Will did not rule, as urged by the family's attorney, that Teresa Earnhardt had a protected constitutional right to privacy in the photographs under the U.S. Constitution, his opinion contains language defending such a right. "Modern times have witnessed an erosion of the individual expectation of privacy to a pathetic point . . . Nosiness has become the order of the day -- so long as it is amusing or entertaining." Judge Will's opinion states that he was tempted to expand his ruling beyond the state law, but felt that this would overreach his judicial authority. The constitutionality of the law is currently under challenge by news media organizations in a separate case.

In a related development, an opinion issued by Florida Attorney General Bob Butterworth on July 11 says that medical examiners can use autopsy photographs in training for public agencies but cannot show them to private parties without a court order.
The court opinion denying access to the Earnhardt autopsy photographs is available at:

     http://www2.epic.org/privacy/medical/earnhardt_op.pdf

The Florida Attorney General's opinion is available at:

     http://www.epic.org/privacy/medical/FL_AG_op_autopsy.html

=======================================================================
[6] EPIC Bill-Track: New Bills in Congress
=======================================================================

*House*

H.R.2336 To make permanent the authority to redact financial disclosure statements of judicial employees and judicial officers. Sponsor: Rep Coble, Howard (R-NC). Latest Major Action: 6/27/2001 Referred to House committee: House Judiciary.

H.R.2360 Campaign Reform and Citizen Participation Act of 2001. To amend the Federal Election Campaign Act of 1971 to restrict the use of non-Federal funds by national political parties, to revise the limitations on the amount of certain contributions which may be made under such Act, to promote the availability of information on communications made with respect to campaigns for Federal elections, and for other purposes. Sponsor: Rep Ney, Robert W. (R-OH). Latest Major Action: 6/28/2001 House committee/subcommittee actions Committees: House Administration.

H.R.2417 Dot Kids Domain Name Act of 2001. To facilitate the creation of a new global top-level Internet domain that will be a haven for material that will promote positive experiences of children and families using the Internet, to provide a safe online environment for children, and to help prevent children from being exposed to harmful material on the Internet, and for other purposes. Sponsor: Rep Shimkus, John (R-IL). Latest Major Action: 6/28/2001 Referred to House committee: House Energy and Commerce.

H.R.2435 Cyber Security Information Act.
To encourage the secure disclosure and protected exchange of information about cyber security problems, solutions, test practices and test results, and related matters in connection with critical infrastructure protection. Sponsor: Rep Davis, Tom (R-VA). Latest Major Action: 7/10/2001 Referred to House committee: House Government Reform; House Judiciary.

H.R.2458 E-Government Act of 2001. To enhance the management and promotion of electronic Government services and processes by establishing a Federal Chief Information Officer within the Office of Management and Budget, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes. Sponsor: Rep Turner, Jim (D-TX). Latest Major Action: 7/11/2001 Referred to House committee: House Government Reform.

H.R.2472 Protect Children From E-Mail Smut Act of 2001. To protect children from unsolicited e-mail smut containing sexually oriented advertisements offensive to minors. Sponsor: Rep Lofgren, Zoe (D-CA). Latest Major Action: 7/11/2001 Referred to House committee: House Energy and Commerce; House Judiciary; House Science.

H.R.2500 Making appropriations for the Departments of Commerce, Justice, and State, the Judiciary, and related agencies for the fiscal year ending September 30, 2002, and for other purposes. Sponsor: Rep Wolf, Frank R. (R-VA). Latest Major Action: 7/16/2001 House preparation for floor Committees: House Appropriations Departments of Commerce, Justice, and State, the Judiciary, and Related Agencies Appropriations Act, 2002 (Reported in the House).

*Senate*

S.1014 Social Security Number Privacy and Identity Theft Prevention Act of 2001. A bill to amend the Social Security Act to enhance privacy protections for individuals, to prevent fraudulent misuse of the Social Security account number, and for other purposes. Sponsor: Sen Bunning, Jim (R-KY).
Latest Major Action: 6/12/2001 Referred to Senate committee: Senate Finance.

S.1065 Inspector General for the Federal Bureau of Investigation Act of 2001. A bill to amend the Inspector General Act of 1978 (5 U.S.C. App.) to establish an Inspector General for the Federal Bureau of Investigation, and for other purposes. Sponsor: Sen Durbin, Richard J. (D-IL). Latest Major Action: 6/20/2001 Referred to Senate committee: Senate Judiciary.

S.1074 FBI Reform Commission Act of 2001. A bill to establish a commission to review the Federal Bureau of Investigation. Sponsor: Sen Schumer, Charles E. (D-NY). Latest Major Action: 6/20/2001 Referred to Senate committee: Senate Judiciary.

S.1164 Location Privacy Protection Act of 2001. A bill to provide for the enhanced protection of the privacy of location information of users of location-based services and applications, and for other purposes. Sponsor: Sen Edwards, John (D-NC). Latest Major Action: 7/11/2001 Referred to Senate committee: Senate Commerce, Science, and Transportation.

S.1165 Juvenile Crime Prevention and Control Act of 2001. A bill to prevent juvenile crime, promote accountability by and rehabilitation of juvenile crime, punish and deter violent gang crime, and for other purposes. Sponsor: Sen Biden Jr., Joseph R. (D-DE) Latest Major Action: 7/11/2001 Referred to Senate committee: Senate Judiciary.

EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills in the 107th Congress, is available at:

     http://www.epic.org/privacy/bill_track.html

=======================================================================
[7] EPIC Bookstore - Dmitri Sklyarov Reading List
=======================================================================

On July 17, Dmitri Sklyarov, a Russian graduate student, was arrested by the U.S. Attorney's Office of Northern California after presenting a paper on encryption, as used in electronic books, at the DefCon conference in Las Vegas.
He was charged with trafficking in software that circumvents copyright protection and aiding and abetting such trafficking. The charges are being brought under the criminal provisions of the Digital Millennium Copyright Act (DMCA) and could result in up to five years in jail and a $500,000 fine. Dmitri Sklyarov is twenty-seven years old and has two children.

The First Amendment by Peter H. Irons

     http://www.powells.com/cgi-bin/partner?partner_id=24075&cgi=search/search&searchtype=isbn&searchfor=1565843304

This sequel to the bestselling "May it Please the Court" focuses on sixteen key First Amendment cases illustrating the most controversial debates over issues of free speech, freedom of the press, and the right to assemble. Includes actual oral arguments made before the Supreme Court by well-known attorneys, along with transcripts placing speakers and cases in context.

Digital Copyright by Jessica Litman

     http://www.powells.com/cgi-bin/partner?partner_id=24075&cgi=search/search&searchtype=isbn&searchfor=1573928895

In this enlightening book, law professor Litman questions whether copyright laws really make sense for the majority of people. Should every interaction between consumers and copyright-protected works be restricted by law? Here she argues for reforms that reflect common sense and the way people behave in their daily digital interactions.

Crypto by Steven Levy

     http://www.powells.com/cgi-bin/partner?partner_id=24075&cgi=search/search&searchtype=isbn&searchfor=0670859508

From the author who made "hacker" a household word comes a ground-breaking book about the most hotly debated subject of the digital age. "Crypto" concerns privacy in the information age and about the nerds and visionaries who, nearly 20 years ago, predicted that the Internet's greatest virtue - free access to information - was also its most perilous drawback: a possible end to privacy.
================================

EPIC Publications:

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls," (EPIC 2001). Price: $20. http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40. http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Privacy & Human Rights 2000: An International Survey of Privacy Laws and Developments," David Banisar, author (EPIC 2000). Price: $20. http://www.epic.org/phr/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including, data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

================================

"The Privacy Law Sourcebook 2000: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000). Price: $40. http://www.epic.org/pls/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore: http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Healthcare Transactions and Code Sets, Privacy, Data Security and HIPAA/GLB Compliance: The Future of Technology, the Internet and EDI in Healthcare. The Health Colloquium at Harvard and the HIPAA Summit Conference Series. August 19-22, 2001. Cambridge, MA. For more information: http://www.ehc-info.com/

Health Information Privacy: Dialogue with the Stakeholders. Riley Information Services, Inc. September 28, 2001. Ottawa, Canada. For more information: http://www.rileyis.com/seminars/

Call For Submissions - August 3, 2001. Workshop on Security and Privacy in Digital Rights Management 2001. Eighth Association for Computing Machinery (ACM) Conference on Computer and Communications Security. November 5, 2001. Philadelphia, PA. For more information: http://www.star-lab.com/sander/spdrm/

Privacy2001: Information, Security & Ethics for the New Century. Technology Policy Group. October 3-4, 2001. Cleveland, OH. For more information: http://www.privacy2000.org/

Privacy: The New Management Imperative - Chief Privacy Officer Training Program. Southern Methodist University and Privacy Council. October 15-17, 2001. Dallas, TX. For more information: http://execdev.cox.smu.edu/

Nurturing the Cybercommons, 1981-2001.
Computer Professionals for Social Responsibility (CPSR) 20th Annual Meeting. October 19-21, 2001. Ann Arbor, MI. For more information: http://www.cpsr.org/conferences/annmtg01/

The Third National HIPAA Summit: From Theory to Practice - From Planning to Implementation. October 24-26, 2001. Washington, DC. For more information: http://www.hipaasummit.com/

The 29th Research Conference on Communication, Information and Internet Policy. Telecommunications Policy Research Conference. October 27-29, 2001. Alexandria, VA. For more information: http://www.tprc.org

The 8th Annual Centre for Applied Cryptographic Research (CACR) Information Security Workshop: The Human Face of Privacy Technology. University of Waterloo and Information and Privacy Commission/Ontario. November 1-2, 2001. Toronto, Ontario. For more information: http://www.cacr.math.uwaterloo.ca/

Privacy: The New Management Imperative - Chief Privacy Officer Training Program. Cambridge University and Privacy Council. November 5-8, 2001. Cambridge, England. For more information: kturner@privacycouncil.com

Learning for the Future. Business for Social Responsibility's Ninth Annual Conference. November 7-9, 2001. Seattle, WA. For more information: http://www.bsr.org/events/2001.asp

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".
Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you have any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at

     http://www.guidestar.org/aol/search/report/report.adp?ein=52-2225921

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 8.13 -----------------------