============================================================== @@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @@@@@ @ @@@ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @ ============================================================== Volume 8.15 August 17, 2001 -------------------------------------------------------------- Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. http://www.epic.org/alert/EPIC_Alert_8.15.html ======================================================================= Table of Contents ======================================================================= [1] Groups Update Microsoft XP and Passport Complaint [2] EPIC Challenges Adequacy of FBI Search for Carnivore Documents [3] Court Orders Report on Use of Secret Keystroke Monitor [4] Judiciary Protects Privacy of Electronic Court Filings [5] Tampa Narrowly Approves Face Recognition Spy Cameras [6] EPIC Bill-Track: New Bills in Congress [7] EPIC Bookstore - In Code: A Mathematical Journey [8] Upcoming Conferences and Events ======================================================================= [1] Groups Update Microsoft XP and Passport Complaint ======================================================================= EPIC and a coalition of 13 civil liberties and consumer advocacy groups have filed a supplement to a complaint filed last month with the Federal Trade Commission (FTC). The supplement adds to allegations that Microsoft has engaged in unfair and deceptive trade practices by linking the Passport identification and authentication system to the Windows XP operating system. The submission includes additional information regarding technical flaws in the Passport design and contains allegations that the system is not compliant with the Children's Online Privacy Protection Act (COPPA). The new filing also addresses recent changes that Microsoft has made to the Passport system. In the wake of the earlier FTC complaint, Microsoft reduced the amount of information required to register for Passport. However, the system still requires that users identify their e-mail address, country, state, and zip code. Since e-mail addresses are personally identifiable, this change does not address privacy risks presented by the creation of a centralized database of individuals' information. Microsoft also asserts that the integration of the Platform for Privacy Preferences (P3P) will increase privacy protections in Internet Explorer 6. The supplement addresses this issue, demonstrating that P3P does not address even basic Fair Information Practices such as access and security. The complaint identifies flaws in Kids Passport and asserts that investigation is warranted into whether the system is compliant with COPPA. Microsoft has not complied with the most basic requirements of the children's privacy law, such as presenting a prominent link to a privacy policy for sites targeted to children. In addition, the Kids Passport system unnecessarily collects personal information from children. Other popular children's sites collect only a username and password. However, Microsoft continues to require a personally- identifiable e-mail address from children. A number of other privacy risks associated with the Passport system are addressed in the supplement. For instance, Passport does not allow users to delete their personal information from the system. Passport also has a privacy policy that is subject to change at the whim of Microsoft. The absence of strong privacy protection, coupled with the risks inherent in centrally storing millions of users' personal information, could likely result in severe privacy violations. EPIC and the other groups allege that Microsoft's guarantees of privacy and security in light of these flaws constitutes a violation of federal consumer protection law. The supplement concludes with a request for an investigation into Microsoft and an injunction against Microsoft to prevent further unfair and deceptive practices. Supplemental Materials in Support of Pending Complaint and Request for Injunction, Request for Investigation and for Other Relief: http://www.epic.org/privacy/consumer/MS_complaint2.pdf Original complaint to the FTC alleging unfair and deceptive trade practices: http://www.epic.org/privacy/consumer/MS_complaint.pdf ======================================================================= [2] EPIC Challenges Adequacy of FBI Search for Carnivore Documents ======================================================================= In motion papers filed in U.S. District Court in Washington on August 9, EPIC asserts that the FBI has violated the Freedom of Information Act (FOIA) by conducting an inadequate search for internal records concerning the controversial Carnivore surveillance system. EPIC's submission alleges that the Bureau failed to seek relevant documents from various legal and policy offices likely to possess information on Carnivore, and requests discovery designed to fully examine the adequacy of the document search. EPIC filed suit against the FBI and the Justice Department over a year ago, after the agencies failed to respond to a request to expedite the processing of documents relating to Carnivore. The FBI subsequently agreed to expedite its search (which otherwise would have taken several years), and made its "final" release of documents in January 2001. Since that time, the Bureau has prepared an itemized accounting of withheld material in support of a motion for summary judgment, which was filed on August 1. The accounting indicates that approximately 2000 pages of material were located at two Bureau components -- the Electronic Surveillance Technology Section (ESTS) in Quantico, Virginia, and the Contracts Unit at FBI Headquarters -- but no other locations. In support of its motion, EPIC cites the Congressional testimony of several FBI and Justice Department officials who stated that Carnivore had been the subject of substantial "internal review" within the FBI and DOJ, and that the two agencies had "briefed many members of the Congressional staff" prior to Carnivore's public exposure. Despite that testimony, the FBI has failed to account for any documents relating to such internal reviews or staff briefings. In fact, the released documents deal only with technical aspects of Carnivore, rather than the legal and policy implications of the surveillance technique. EPIC notes in its motion that no documents have yet been located at key FBI and DOJ components, including the FBI's Office of General Counsel. The FBI's report on the results of its search effort leads to only two potential conclusions. Either the Bureau has failed to meet its legal obligation under FOIA to conduct a comprehensive search for relevant documents, or the agency never evaluated the legal and policy implications of the Carnivore system before it was deployed. More information on EPIC's Carnivore FOIA litigation, including the recent challenge to the FBI's document search, is available at: http://www.epic.org/privacy/carnivore/ ======================================================================= [3] Court Orders Report on Use of Secret Keystroke Monitor ======================================================================= In the first case of its kind, a federal court in New Jersey has ordered the FBI to disclose information concerning the surreptitious installation of a keystroke monitor used to capture a suspect's PGP encryption passphrase. In an order issued on August 7, U.S. District Judge Nicholas Politan directed the government to produce a report "detailing how the key logger device functions" by August 31. To date, the technique has only been described publicly as "specialized computer software, firmware and/or hardware." The government has vigorously opposed disclosure of any specific details. Judge Politan said he "harbors serious concerns" about the legality of the FBI's use of the system, noting that the information provided by the government thus far is so sketchy that understanding the technique "defies the human experience of this Court." He continued: In this new age of rapidly evolving technology, the court cannot make a determination as to the lawfulness of the government's search ... without knowing specifically how the search was effectuated. This requires an understanding of how the key logger device functions. In most, if not all search and seizure cases, the court ... understands the particular method by which the search is executed. ... Because of the advanced technology used the Court does not have the benefit of such an understanding. The government had argued that revealing the details of the system would jeopardize national security and endanger FBI personnel. In an affidavit filed with the court, Donald Kerr, the director of the FBI laboratory, said "there are only a limited number of effective techniques available to the FBI to cope with encrypted data, one of which is the 'key logger system.'" If investigative targets learn how the system works, they could circumvent it, he said. Selected court documents on the Scarfo case, including Judge Politan's August 7 order, are available at: http://www.epic.org/crypto/scarfo.html ======================================================================= [4] Judiciary Protects Privacy of Electronic Court Filings ======================================================================= The Judicial Conference Committee on Court Administration and Case Management has released a recommended policy on electronic access to court files. The recommendation includes many protections to enhance individuals' privacy with respect to personal identifiers that appear in case files. These identifiers, including Social Security numbers (SSNs), dates of birth, and financial account numbers, are regularly mined by information brokers who sell the information to private investigators, law enforcement, and others. The recommended policy includes provisions for notice to litigants of the Internet accessibility of their case files and the need to redact certain information through the use of court process. Civil case files will be redacted for personal data identifiers, including SSNs, dates of birth, financial account numbers, and names of minor children. The Judicial Conference committee decided to delay development of public remote access to documents in criminal cases, as accessibility to these documents present safety and law enforcement risks. The body will re-examine the treatment of criminal case files in the upcoming two years. In regards to bankruptcy cases, the committee recommended redaction of the SSN and account numbers. In addition, the body recommended an amendment to bankruptcy statutes to allow for more liberal sealing of cases. Many of the committee's recommendations had been suggested in EPIC's formal comments filed with the Judicial Conference and testimony presented to the committee with oversight of electronic case files earlier this year. EPIC recommended that certain sensitive personal information should be redacted from civil case files. Court officers and litigants in civil cases would have access to the complete file. In the context of criminal cases, the public would have access to the indictment and final disposition of the court. However, pre-indictment information, unexecuted warrants, and presentence reports would be limited to court officers and parties. In the context of bankruptcy files, EPIC advocated a system where sensitive information would be segregated and collected on separate forms protected from public access. In September, the full Judicial Conference will meet and consider the policy and its recommendations. Report on Privacy and Public Access to Electronic Case Files: http://www.uscourts.gov/Press_Releases/att81501.pdf EPIC's comments on electronic public access to case files: http://www.epic.org/open_gov/ecfcomments.html ======================================================================= [5] Tampa Narrowly Approves Face Recognition Spy Cameras ======================================================================= On August 2, 2001, the City Council of Tampa, Florida voted 4-3 against a motion requesting that the city terminate its contract with Visionics, makers of the "Face-It" face recognition software installed in cameras in the Ybor City district. The vote allows the city to continue using the Visionics system, which scans the faces of people in public areas and compares facial features to those stored in a database of mugshots. Earlier this year, face recognition technology was surreptitiously used to scan faces in this year's Super Bowl crowd. Since then, there has been much public opposition to the technology and other related methods of surveillance, in Tampa and elsewhere. Ever since June, when the software and cameras were first installed in Ybor City, many people have protested this technology by wearing masks and making obscene gestures in front of the cameras. Other U.S. cities have also been considering incorporating face recognition technology as one of their law enforcement techniques. The city of Virginia Beach recently received a $150,000 grant from the Virginia Department of Criminal Justice Services and is now seeking an additional $50,000 from taxpayers to put towards the installation of this software at the oceanfront. Virginia Beach police are especially interested in using the technology to find criminals with outstanding warrants, sex offenders, and missing children. Opposition and privacy issues associated with the technology have caused public officials to be reticent about using it. The Tampa City Council vote was not unanimous by any means, nor have public officials in Virginia Beach shown strong support for installing face recognition technology in their city. Use of the technology was also considered but ultimately rejected by the organizers of the 2002 Winter Olympics in Salt Lake City, Utah. One of the main privacy issues raised by face recognition technology is that there is no regulation for how captured data is stored; who has access to the information; and how long it is kept in the system. Without regulation, those with access to the system have the potential to abuse information in the system without accountability. A number of privacy groups and the International Biometric Group (an industry group) have advocated protections in law for this data. For the latest news and information on face recognition and related surveillance technology, see: http://www.epic.org/privacy/facerecognition/ ======================================================================= [6] EPIC Bill-Track: New Bills in Congress ======================================================================= *House* H.R.2615 Patient Privacy Act of 2001. To repeal sections 1173(b) and 1177(a)(1) of the Social Security Act, and for other purposes. Sponsor: Rep Paul, Ron (R-TX). Latest Major Action: 7/24/2001 Referred to House committee: House Ways and Means; House Government Reform. H.R.2680 To authorize the grant program for elimination of the nationwide backlog in analyses of DNA samples at the level necessary to completely eliminate the backlog and obtain a DNA sample from every person convicted of a qualifying offense. Sponsor: Rep Andrews, Robert E. (D-NJ). Latest Major Action: 7/31/2001 Referred to House committee: House Judiciary. H.R.2720 To amend the privacy provisions of the Gramm-Leach-Bliley Act.. Sponsor: Rep Markey, Edward J. (D-MA). Latest Major Action: 8/2/2001 Referred to House committee: House Financial Services. H.R.2730 To amend the Gramm-Leach-Bliley Act to provide for uniform national financial privacy standards for financial institutions, and for other purposes. Sponsor: Rep Sessions, Pete (R-TX). Latest Major Action: 8/2/2001 Referred to House committee: House Financial Services. H.R.2738 To amend title 5, United States Code, to clarify that all protections offered under the Freedom of Information Act and Privacy Act apply to members of the uniformed services to the same extent and in the same manner as to any other individual. Sponsor: Rep Boucher, Rick (D-VA). Latest Major Action: 8/2/2001 Referred to House committee: House Government Reform. H.R.2752 To protect school web pages from fraud and related activity. Sponsor: Rep Ferguson, Mike (R-NJ). Latest Major Action: 8/2/2001 Referred to House committee: House Judiciary. H.R.2778 To protect ability of law enforcement to effectively investigate and prosecute illegal gun sales and protect the privacy of the American people. Sponsor: Rep McCarthy, Carolyn (D-NY). Latest Major Action: 8/2/2001 Referred to House committee: House Judiciary. *Senate* S.1253 Gun Sale Anti-Fraud and Privacy Protection Act. A bill to protect ability of law enforcement to effectively investigate and prosecute illegal gun sales and protect the privacy of the American people. Sponsor: Sen Schumer, Charles E. (D-NY). Latest Major Action: 7/26/2001 Referred to Senate committee: Senate Judiciary. S.1276 To provide for the establishment of a new counterintelligence polygraph program for the Department of Energy, and for other purposes. A bill to provide for the establishment of a new counterintelligence polygraph program for the Department of Energy, and for other purposes. Sponsor: Sen Domenici, Pete V. (R-NM). Latest Major Action: 7/31/2001 Referred to Senate committee: Senate Armed Services. EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills in the 107th Congress, is available at: http://www.epic.org/privacy/bill_track.html ======================================================================= [7] EPIC Bookstore - In Code: A Mathematical Journey ======================================================================= In Code: A Mathematical Journey, by Sarah Flannery with David Flannery http://www.powells.com/cgi-bin/partner?partner_id=24075&cgi=search/ search&searchtype=isbn&searchfor=0761123849 In this remarkable book, Sarah Flannery, an Irish cryptographer, mathematician, and teenager, writes about a ground-breaking encryption system that she developed, called the Cayley-Purser algorithm. The system, which is a fast and secure public-key encryption system for encoding data on the Internet, won Sarah the Irish Young Scientist of the Year award in 1999, when she was just 16. A security flaw has since been identified in the system; however, this only caused Sarah to work harder and conduct further research to try to find a patch for the flaw. "In Code" has been described as a fresh, modest, and inspiring account of a mathematical education that offers many insights into cryptography. Sarah interweaves mathematical puzzles with a personal narrative, making her story intellectual, engaging, and adventurous. ================================ EPIC Publications: "Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls," (EPIC 2001). Price: $20. http://www.epic.org/bookstore/filters2.0/ A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression. ================================ "The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40. http://www.epic.org/cls/ The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy. ================================ "Privacy & Human Rights 2000: An International Survey of Privacy Laws and Developments," David Banisar, author (EPIC 2000). Price: $20. http://www.epic.org/phr/ This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including, data protection, telephone tapping, genetic databases, ID systems and freedom of information laws. ================================ "The Privacy Law Sourcebook 2000: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000). Price: $40. http://www.epic.org/pls/ The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources. ================================ "Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20. http://www.epic.org/crypto&/ EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement. ================================ Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore: http://www.epic.org/bookstore/ ======================================================================= [8] Upcoming Conferences and Events ======================================================================= Healthcare Transactions and Code Sets, Privacy, Data Security and HIPAA/GLB Compliance: The Future of Technology, the Internet and EDI in Healthcare. The Health Colloquium at Harvard and the HIPAA Summit Conference Series. August 19-22, 2001. Cambridge, MA. For more information: http://www.ehc-info.com/ Call for Committee Nominations - September 7, 2001. Study on Privacy in the Information Age. National Research Council, Computer Science and Telecommunications Board. For more information: http://www.cstb.org/ The Broadband Economy: The Emerging Market System in Bandwidth. Columbia Institute for Tele-Information (CITI). September 14, 2001. New York, NY. For more information: http://www.citi.columbia.edu/ Privacy Compliance. UC Berkeley Extension. September 18, 2001. San Francisco, CA. For more information: http://www.unex.berkeley.edu/eng/br350/3-1.html Key Drivers for 3G Wireless: Will 3G Deliver its Promise? Columbia Institute for Tele-Information (CITI). September 20, 2001. New York, NY. For more information: http://www.citi.columbia.edu/ WorkSurv: A Seminar on the Technical, Legal & Business Issues of Workplace Surveillance. Privacy Foundation. September 25, 2001. Denver, CO. For more information: http://www.privacyfoundation.org/worksurv.asp Health Information Privacy: Dialogue with the Stakeholders. Riley Information Services, Inc. September 28, 2001. Ottawa, Canada. For more information: http://www.rileyis.com/seminars/ Privacy2001: Information, Security & Ethics for the New Century. Technology Policy Group. October 3-4, 2001. Cleveland, OH. For more information: http://www.privacy2000.org/ Call for Proposals - October 15, 2001. CFP 2002: The Twelfth Conference on Computers, Freedom & Privacy. April 16-19, 2002. San Francisco, CA. For more information: http://www.cfp2002.org/ Privacy: The New Management Imperative - Chief Privacy Officer Training Program. Southern Methodist University and Privacy Council. October 15-17, 2001. Dallas, TX. For more information: http://execdev.cox.smu.edu/ Nurturing the Cybercommons, 1981-2021. Computer Professionals for Social Responsibility (CPSR) 20th Anniversary Conference and Wiener Award Dinner. October 19-21, 2001. Ann Arbor, MI. For more information: http://www.cpsr.org/ The New HIPAA Privacy Rule: Guiding Your Clients Through the Implementation Process. Practising Law Institute. October 24, 2001. New York, NY. For more information: http://www.pli.edu/ The Third National HIPAA Summit: From Theory to Practice - From Planning to Implementation. October 24-26, 2001. Washington, DC. For more information: http://www.hipaasummit.com/ The 29th Research Conference on Communication, Information and Internet Policy. Telecommunications Policy Research Conference. October 27-29, 2001. Alexandria, VA. For more information: http://www.tprc.org/ The 8th Annual Centre for Applied Cryptographic Research (CACR) Information Security Workshop: The Human Face of Privacy Technology. University of Waterloo and Information and Privacy Commission/Ontario. November 1-2, 2001. Toronto, Ontario. For more information: http://www.cacr.math.uwaterloo.ca/ Workshop on Security and Privacy in Digital Rights Management 2001. Eighth Association for Computing Machinery (ACM) Conference on Computer and Communications Security. November 5, 2001. Philadelphia, PA. For more information: http://www.star-lab.com/sander/spdrm/ Privacy: The New Management Imperative - Chief Privacy Officer Training Program. Cambridge University and Privacy Council. November 5-8, 2001. Cambridge, England. For more information: kturner@privacycouncil.com Learning for the Future. Business for Social Responsibility's Ninth Annual Conference. November 7-9, 2001. Seattle, WA. For more information: http://www.bsr.org/events/2001.asp Information Operations: Applying Power in the Information Age. Jane's Information Group. November 14-15, 2001. Washington, DC. For more information: http://www.janes.com/security/conference/info_op/info_op.shtml Call for Papers - December 1, 2001. 11th Annual EICAR & 3rd European Anti-Malware Conference. European Institute for Computer Anti-Virus Research (EICAR). June 8-11, 2002. Berlin, Germany. For more information: http://conference.eicar.org/ ======================================================================= Subscription Information ======================================================================= The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at: http://www.epic.org/alert/subscribe.html To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe". Back issues are available at: http://www.epic.org/alert/ ======================================================================= Privacy Policy ======================================================================= The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you have any other questions. ======================================================================= About EPIC ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at http://www.guidestar.org/aol/search/report/report.adp?ein=52-2225921 Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ---------------------- END EPIC Alert 8.15 ----------------------- .