==============================================================
                          EPIC Alert
==============================================================

Volume 8.14                                     July 31, 2001
--------------------------------------------------------------

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_8.14.html

=======================================================================
Table of Contents
=======================================================================

[1] Privacy Groups File FTC Complaint About Windows XP
[2] Court Hears Arguments on Use of Secret Keystroke Monitor
[3] House Adopts Carnivore Reporting Requirements
[4] FBI Nominee Questioned on Computer Privacy Issues
[5] Groups Petition Agencies to Improve Financial Privacy
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - Striking a Balance: ePrivacy in the Workplace
[8] Upcoming Conferences and Events

=======================================================================
[1] Privacy Groups File FTC Complaint About Windows XP
=======================================================================

On July 26, EPIC and thirteen other public interest groups filed a formal complaint with the Federal Trade Commission regarding Windows XP, Microsoft's new operating system. The complaint alleges that this system and associated services such as Hailstorm, Passport, and E-Wallet, are intended to profile, track, and monitor millions of Internet users, and therefore Microsoft is engaging in unfair and deceptive trade practices in violation of Section 5 of the Federal Trade Commission Act.

The complaint examines in detail the privacy threats of Passport, Hailstorm, Hotmail, the MSN network of Web sites, and the product activation and registration procedures for Windows XP.
It examines how each of these services collects and discloses detailed personal information about users without sufficient guarantees of privacy or security, and often without any real knowledge or consent. It demonstrates how Passport account information is shared among third party Web-sites; how Windows XP users are forced to create a Passport account to use Internet communications features (such as instant messaging); how Hailstorm essentially strips users of their right to control their personal information; how Hotmail users are automatically signed up for a Passport account without notice or even an opt-out facility; and how Microsoft misleads consumers when it says that information gathered through product activation will not be linked to personally identifiable information.

The complaint concludes that the far-reaching and inter-connected nature of these Internet business activities, coupled with the extraordinary market dominance of Microsoft, constitutes a unique threat to the privacy of computer users.

In terms of relief, the complainants request the FTC to initiate an investigation into the information collection practices of Windows XP and other services, and to order Microsoft to revise XP registration procedures; to block the sharing of Passport information among Microsoft properties absent explicit consent; to allow users of Windows XP to gain access to Microsoft web sites without disclosing their actual identity; and to enable users of Windows XP to easily integrate services provided by non-Microsoft companies for online payment, electronic commerce, and other Internet-based commercial activity.
The complaint is available at:

     http://www.epic.org/privacy/consumer/MS_complaint.pdf

=======================================================================
[2] Court Hears Arguments on Use of Secret Keystroke Monitor
=======================================================================

In a case that could have a significant impact on the conduct of high-tech police investigations, a federal judge in Newark, New Jersey heard arguments on July 30 on a motion to disclose information concerning the FBI's surreptitious installation of a "key logger" on a suspect's computer. The mechanism was used to capture the suspect's PGP encryption passphrase. In the first known case of its kind, the defense is seeking discovery that would allow analysis of the technique, which has only been described publicly as "specialized computer software, firmware and/or hardware." The government is vigorously opposing disclosure.

U.S. District Court Judge Nicholas Politan directed attorneys for defendant Nicodemo Scarfo, Jr. to file a supplemental brief addressing their need for information describing the secret technique by August 1; the government was ordered to respond by August 3.

The details are important for two reasons. First, the FBI installed the logger with a standard search warrant rather than a wiretap authorization. FBI pen register records, however, indicate that Scarfo accessed his online account numerous times while his computer was subject to monitoring. The defense argues that the logging mechanism must be evaluated to determine whether it could have captured online activity (which would have required a wiretap order).

The defense also argues that the technique may have violated the Fourth Amendment by facilitating a "general search." While the court order authorizing the installation specified that Scarfo's encryption passphrase was the target of the search, it appears that all information entered into the computer was subject to capture.
The technique employed in the case is similar to procedures that would have been authorized in legislation proposed by the Clinton Administration in 1999. The draft legislation, known as the Cyberspace Electronic Security Act (CESA), would have amended current law to authorize "the alteration of hardware or software that allows plaintext to be obtained even if attempts were made to protect it through encryption." The CESA proposal, which was dropped in the face of strong public opposition, would have given law enforcement officials the power to enter private premises surreptitiously to install a "recovery device." (See EPIC Alert 6.13).

Selected court documents on the Scarfo case are available at:

     http://www.epic.org/crypto/scarfo.html

=======================================================================
[3] House Adopts Carnivore Reporting Requirements
=======================================================================

Following a recommendation made by EPIC last year in Congressional testimony, the House of Representatives has established new reporting requirements for the use of the Carnivore Internet surveillance device (also known as DCS 1000) and other similar systems by law enforcement agents. These requirements were outlined in an amendment offered by Rep. Bob Barr (R-GA), which passed as part of the Department of Justice's annual appropriations bill, H.R. 2215.

The Barr Amendment requires the Attorney General and the Director of the FBI to submit annual reports to Congress, detailing such information as the number of times Carnivore was used in the past fiscal year and the criteria and procedures for submitting, reviewing, and approving requests to use Carnivore.

Carnivore was developed to monitor e-mail and other online activities of suspected criminals.
Privacy advocates argue that the system is too invasive, and fear that it grants the government too much power in monitoring citizens' private online activities by requiring Internet service providers to give law enforcement full access to their data traffic.

A spokesman for Rep. Dick Armey (R-TX) said that the legislation "sends a message [to the FBI] that Congress is watching and there will be accountability if this system is used."

The bill was referred to the Senate Judiciary Committee on July 24. If it passes the Senate, the Attorney General and the FBI Director will be required to submit their first report to Congress no later than 30 days after the end of Fiscal Year 2001.

For background information on Carnivore, see:

     http://www.epic.org/privacy/carnivore/

Proposed Carnivore reporting requirements, as specified in H.R. 2215:

     http://www.epic.org/privacy/carnivore/reporting.html

=======================================================================
[4] FBI Nominee Questioned on Computer Privacy Issues
=======================================================================

The Senate Judiciary Committee today concluded the second and final day of hearings on the nomination of Robert S. Mueller to be the next Director of the FBI. Several days prior to the confirmation hearings, EPIC sent a letter to the Committee, urging it to question the nominee on his views on privacy and freedom of information issues. Several of the issues addressed in the letter were raised during the hearings.

On the first day of the confirmation hearings, in response to a question from Sen. Orrin Hatch (R-UT), Mr. Mueller laid out a four-tier hierarchy for the investigation of computer crimes. In priority order, Mr. Mueller said he would like to see the FBI focus most heavily on computer intrusions and denial of service attacks; theft of intellectual property and corporate espionage; fraud and child pornography; and finally, the theft of high-tech hardware.
On the second day of the hearings, Sen. Maria Cantwell (D-WA) directly asked Mr. Mueller about the FBI's high-tech investigative techniques and the potentially invasive implications of systems such as Carnivore and the FBI's "key logger" system (specifically referring to the Scarfo case). Mr. Mueller stated that the FBI's newest technological "investigative tools" are "cutting edge" and "second to none." He went on to say that the "rapid advances" of these investigative tools have led to "privacy concerns that we have to address." Stating that he is "sensitive to the concerns relating to privacy," Mr. Mueller noted that he has "already had meetings with privacy groups" concerning Carnivore and that he hopes that "technology overtakes the necessity for using" such systems in the future.

Committee Chairman Patrick Leahy (D-VT) picked up where Sen. Cantwell left off, questioning Mr. Mueller about the recent Supreme Court decision in Kyllo v. U.S., where the warrantless use of thermal imaging devices was found to violate the Fourth Amendment (see EPIC Alert 8.11). Mr. Mueller said that this was an area where "law enforcement needed guidance from the Supreme Court," although he pointed out that the Kyllo decision was "not a unanimous decision." Mr. Mueller went on to say that regarding issues "where there is a law enforcement tool, [and] there are privacy issues implicated . . . we do have to look at each of those issues and be cognizant of the privacy interests involved." The nominee said that in the future, he would like to "sit down and get the input from a number of different people with different concerns . . . [and be] responsive to those concerns and do so without the necessity of perhaps going to a court or a third party."
EPIC's letter to the Senate Judiciary Committee is available at:

     http://www.epic.org/privacy/jud_comm_mueller.html

=======================================================================
[5] Groups Petition Agencies to Improve Financial Privacy
=======================================================================

EPIC and a coalition of consumer and civil liberties groups have petitioned federal agencies to improve financial privacy protections under the Gramm-Leach-Bliley Act (GLBA). The petition requests that the agencies begin a new rulemaking to ensure that consumers receive clear and concise notice and convenient methods of opting-out of information sharing.

In recent months, consumers received GLBA privacy notices that contained information describing the opt-out process. However, the notices were often lengthy and difficult to read. Many employed language rife with double-negatives and confusing sentence structure. A study conducted by a readability expert concluded that most policies were written at a third or fourth-year college reading level. As a result of confusing privacy notices and the burden placed on consumers by opt-out mechanisms, the American Banking Association has estimated that less than one percent of consumers have opted-out under the GLBA.

In order to inform consumers fully of their rights and to encourage opting-out, the petition suggests specific language to clarify rights and mechanisms that will facilitate opting out.

EPIC will continue to follow developments surrounding the GLBA and financial privacy, and advocate the adoption of an opt-in standard for privacy.
Coalition Petition to Federal Agencies to Improve GLBA Privacy Requirements:

     http://www.epic.org/privacy/consumer/glbpetition.pdf

=======================================================================
[6] EPIC Bill-Track: New Bills in Congress
=======================================================================

*House*

H.R.2215 21st Century Department of Justice Appropriations Authorization Act. To authorize appropriations for the Department of Justice for fiscal year 2002, and for other purposes. Sponsor: Rep Sensenbrenner, F. James, Jr. (R-WI). Latest Major Action: 7/24/2001 Referred to Senate committee: House Judiciary; Senate Judiciary

*Senate*

S.1215 Departments of Commerce, Justice, and State, the Judiciary, and Related Agencies Appropriations Act, 2002. An original bill making appropriations for the Departments of Commerce, Justice, and State, the Judiciary, and related agencies for the fiscal year ending September 30, 2002, and for other purposes. Sponsor: Sen Hollings, Ernest F. (D-SC). Latest Major Action: 7/20/2001 Placed on Senate Legislative Calendar under General Orders. Calendar No. 95. Committees: Senate Appropriations.

S.1234. A bill to amend title 18, United States Code, to provide that certain sexual crimes against children are predicate crimes for the interception of communications, and for other purposes. Sponsor: Sen Hatch, Orrin G. (R-UT). Latest Major Action: 7/25/2001 Referred to Senate committee: Senate Judiciary.

S.1242. A bill to amend the Fair Credit Reporting Act to provide for disclosure of credit-scoring information by creditors and consumer reporting agencies. Sponsor: Sen Schumer, Charles E. (D-NY). Latest Major Action: 7/25/2001 Referred to Senate committee: Senate Banking, Housing, and Urban Affairs.
EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills in the 107th Congress, is available at:

     http://www.epic.org/privacy/bill_track.html

=======================================================================
[7] EPIC Bookstore - Striking a Balance: e-Privacy in the Workplace
=======================================================================

Striking a Balance: e-Privacy in the Workplace
by the Business for Social Responsibility Education Fund

     http://store.bsr.org/product.cfm?product=16521

With the American Management Association finding that nearly 3/4 of major businesses monitor their employees, the Business for Social Responsibility Education Fund has released a report arguing that employers should accommodate workers' privacy. The report finds that not accommodating privacy in the workplace can result in a lack of employee trust, creativity, and health. Accordingly, the study recommends that employers accommodate some fundamental privacy rights for their employees. These include notice, employee participation in drafting a monitoring policy, and employee access to information collected under the policy.

================================

EPIC Publications:

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls," (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce.
The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Privacy & Human Rights 2000: An International Survey of Privacy Laws and Developments," David Banisar, author (EPIC 2000). Price: $20.
http://www.epic.org/phr/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

================================

"The Privacy Law Sourcebook 2000: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000). Price: $40.
http://www.epic.org/pls/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.
================================

Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore:

     http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Healthcare Transactions and Code Sets, Privacy, Data Security and HIPAA/GLB Compliance: The Future of Technology, the Internet and EDI in Healthcare. The Health Colloquium at Harvard and the HIPAA Summit Conference Series. August 19-22, 2001. Cambridge, MA.
For more information: http://www.ehc-info.com/

The Broadband Economy: The Emerging Market System in Bandwidth. Columbia Institute for Tele-Information (CITI). September 14, 2001. New York, NY.
For more information: http://www.citi.columbia.edu/

Key Drivers for 3G Wireless: Will 3G Deliver its Promise? Columbia Institute for Tele-Information (CITI). September 20, 2001. New York, NY.
For more information: http://www.citi.columbia.edu/

Health Information Privacy: Dialogue with the Stakeholders. Riley Information Services, Inc. September 28, 2001. Ottawa, Canada.
For more information: http://www.rileyis.com/seminars/

Call For Submissions - August 3, 2001. Workshop on Security and Privacy in Digital Rights Management 2001. Eighth Association for Computing Machinery (ACM) Conference on Computer and Communications Security. November 5, 2001. Philadelphia, PA.
For more information: http://www.star-lab.com/sander/spdrm/

Privacy2001: Information, Security & Ethics for the New Century. Technology Policy Group. October 3-4, 2001. Cleveland, OH.
For more information: http://www.privacy2000.org/

Privacy: The New Management Imperative - Chief Privacy Officer Training Program. Southern Methodist University and Privacy Council. October 15-17, 2001. Dallas, TX.
For more information: http://execdev.cox.smu.edu/

Nurturing the Cybercommons, 1981-2001. Computer Professionals for Social Responsibility (CPSR) 20th Annual Meeting. October 19-21, 2001. Ann Arbor, MI.
For more information: http://www.cpsr.org/conferences/annmtg01/

The Third National HIPAA Summit: From Theory to Practice - From Planning to Implementation. October 24-26, 2001. Washington, DC.
For more information: http://www.hipaasummit.com/

The 29th Research Conference on Communication, Information and Internet Policy. Telecommunications Policy Research Conference. October 27-29, 2001. Alexandria, VA.
For more information: http://www.tprc.org

The 8th Annual Centre for Applied Cryptographic Research (CACR) Information Security Workshop: The Human Face of Privacy Technology. University of Waterloo and Information and Privacy Commission/Ontario. November 1-2, 2001. Toronto, Ontario.
For more information: http://www.cacr.math.uwaterloo.ca/

Privacy: The New Management Imperative - Chief Privacy Officer Training Program. Cambridge University and Privacy Council. November 5-8, 2001. Cambridge, England.
For more information: kturner@privacycouncil.com

Learning for the Future. Business for Social Responsibility's Ninth Annual Conference. November 7-9, 2001. Seattle, WA.
For more information: http://www.bsr.org/events/2001.asp

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".
Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you have any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

     http://www.guidestar.org/aol/search/report/report.adp?ein=52-2225921

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 8.14 -----------------------