============================================================== @@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @@@@@ @ @@@ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @ ============================================================== Volume 8.16 September 6, 2001 -------------------------------------------------------------- Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. http://www.epic.org/alert/EPIC_Alert_8.16.html ======================================================================= Table of Contents ======================================================================= [1] Government Says Details of Keystroke Monitor are "Classified" [2] EPIC Urges Federal Judiciary to End Workplace Monitoring [3] Friday, September 7 - Day of Action Against Video Surveillance [4] Subpoenaed Bookstores Defend Customer Privacy [5] New Privacy Reports by PRI and Privacy Foundation [6] Privacytown: Online Guide to Protecting Consumer Privacy [7] EPIC Bookstore - Privacy Law Sourcebook 2001 [8] Upcoming Conferences and Events ======================================================================= [1] Government Says Details of Keystroke Monitor are "Classified" ======================================================================= Attempting to conceal the details of keystroke monitoring technology used in a criminal investigation, the U.S. government has invoked the Classified Information Procedures Act (CIPA) in a high-profile case pending in federal court in New Jersey. The invocation of CIPA came in response to an order issued on August 7 by U.S. District Judge Nicholas Politan, directing the government to produce a report "detailing how the key logger device functions." To date, the technique has only been described publicly as "specialized computer software, firmware and/or hardware." The FBI surreptitiously installed the keystroke monitor on the computer of defendant Nicodemo Scarfo and used it to capture his PGP encryption passphrase during the course of a gambling investigation. In a motion filed on August 23, the government asserts that "information concerning the underlying functionality of the FBI's Key Logger System is classified" and that, even if Scarfo can show that the information would be helpful to his defense, "overriding national security concerns may trump the defendant's need for the information." The defense has argued that the Fourth Amendment implications of the technique cannot be assessed unless its details are disclosed. In his August 7 decision, Judge Politan agreed, noting that "the court cannot make a determination as to the lawfulness of the government's search ... without knowing specifically how the search was effectuated. This requires an understanding of how the key logger device functions." A hearing on the government's CIPA motion is scheduled for September 7 in federal court in Newark, New Jersey. In a related development, the U.S. Court of Appeals for the Third Circuit on August 27 reversed a gag order Judge Politan imposed on attorneys in the Scarfo case last December. Noting that there is "an important legal issue about to be raised before the court," the appeals court said that counsels' "comments on an interesting legal issue did not pose a threat to the fairness of the trial or to the jury pool ... [nor has there been any] identifiable prejudice or risk of prejudice." Selected court documents on the Scarfo case, including the government's motion to invoke CIPA, are available at: http://www.epic.org/crypto/scarfo.html ======================================================================= [2] EPIC Urges Federal Judiciary to End Workplace Monitoring ======================================================================= EPIC Executive Director Marc Rotenberg today wrote to the Judicial Conference of the United States urging the body to end the practice of monitoring computer terminals of employees of the federal judiciary. The Judicial Conference is a 27-member board of judges that sets policy for the federal courts. The judges will meet on September 11 to approve policies affecting workplace monitoring and the privacy implications of providing electronic access to court files. Rotenberg argued that monitoring of Web sites visited by judges and their staff without notice could constitute a violation of the Electronic Communications Privacy Act of 1986 (ECPA). ECPA prohibits the intentional interception of electronic communications, and it is the primary statute relied upon by employees to challenge invasive workplace monitoring. Furthermore, merely providing notice would not address the underlying Fourth Amendment issues raised by monitoring of judicial networks. As Professor Anthony Amsterdam wrote in 1974, "each person's subjective expectation [could be rendered meaningless if the government were to announce] half-hourly on television that 1984 was being advanced by a decade and that we were all forthwith being placed under comprehensive electronic surveillance." A series of commentators and judges have criticized monitoring of judicial networks in recent weeks. The issue attracted public attention after judges from the Ninth Circuit disabled content monitoring systems on a judicial Internet gateway. In deciding to disable the monitoring system, the judges cited privacy, confidentiality, and the risk that content monitoring may run afoul of ECPA. Officials from the Administrative Offices of the United States Courts have insisted that the monitoring continue. EPIC Letter to the Judicial Conference: http://www.epic.org/privacy/workplace/judicialmonitoring.html ======================================================================= [3] Friday, September 7 - Day of Action Against Video Surveillance ======================================================================= On Friday, September 7, a variety of groups are staging a day of action against surveillance cameras. The event is inspired by the Surveillance Camera Players, an international group of demonstrators who have been "acting up" for surveillance cameras ever since they first began to be installed around New York City. The proposal for the day of action reads as follows: "We propose -- 1. that an international day of action against video surveillance -- specifically: the constant, indiscriminate and technologically sophisticated video surveillance of public places by both businesses and law enforcement agencies -- take place on Friday, 7 September 2001; 2. that people who wish to intensify the struggle to protect and strengthen the right to privacy (a fundamental human right) should undertake autonomous actions at the local level and in a completely de-centralized fashion; 3. that, if and when possible, at least some of these actions should be undertaken in front of webcams that have already been installed in public places by private companies that are insensitive or even hostile to privacy concerns (in addition to disrupting "business as usual" for these companies, the use of webcams will allow the entire world to see anti-video surveillance actions as they take place); 4. that all individuals and groups participating in the day of action keep in touch with at least one of the groups listed below and/or each other; 5. that at least one Web site links to or actually displays images from these actions as they take place; 6. that this proposal should be posted on-line and sent to as many people as possible and as soon as possible; and 7. that this proposal be translated into as many foreign languages as possible, but especially French, German, and Italian, for it is in France, Belgium, Germany and Italy that the anti-video surveillance struggle is the most visible at the moment." Protests will take the form of short skits and plays enacted in front of surveillance cameras around the world. Many of these skits will be broadcast via the Internet so they can be watched worldwide. On a related note: In late August, Borders was reportedly considering installing face recognition cameras in two of its United Kingdom bookstores, but decided not to do so until further examination of human rights issues associated with such surveillance. This comes as no surprise, as public debate has recently opened up regarding the use of these cameras for law enforcement purposes, both in the UK and the United States. To get involved in the day of action, visit the Surveillance Camera Players Web site: http://www.surveillancecameraplayers.org/ For more information, see EPIC's Face Recognition Web page: http://www.epic.org/privacy/facerecognition/ ======================================================================= [4] Subpoenaed Bookstores Defend Customer Privacy ======================================================================= The federal government agreed this week to drop a production request for customer records contained within subpoenas issued to three bookstores in connection with a probe of New Jersey Democratic Senator Robert G. Torricelli. The government's decision was made after local counsel representing the bookstores informed the Justice Department that they would move to quash the subpoenas on First Amendment grounds. The American Booksellers Foundation for Free Expression (ABFFE) agreed to assist the bookstores, Books & Books (Coral Gables, Florida), Olsson's Books and Records (Washington, D.C.), and Arundel Books (Los Angeles, CA), after they received subpoenas on August 16th seeking records dating back to January 1, 1995 for purchases made by Torricelli and 7 other customers. The government probe has focused on Torricelli's $9 million 1996 Senate campaign, particularly whether New Jersey businessman David Chang gave Torricelli undisclosed gifts such as antiques, suits and cash in exchange for Torricelli's help in business dealings that involved the North Korean and South Korean governments. Chang, now a cooperating witness, pleaded guilty to charges that he made $53,700 in illegal contributions to Torricelli's campaign. Torricelli stated he never accepted any illegal gifts from Chang, and that any help he gave him was routine constituent service. ABFFE president Chris Finan stated that complying with the subpoenas, which would require turning over personal information such as the titles of all books purchased, would have a chilling effect on the First Amendment rights of all customers. This is the fourth recent attempt by law enforcement authorities to gain access to titles of works purchased by bookstore customers. All prior similar efforts have resulted in the request being dropped, or by having the subpoena quashed or narrowed by the courts on First Amendment grounds. Finan called the government's decision a victory for privacy and the First Amendment. Visit the American Booksellers Foundation for Free Expression website: http://www.abffe.org/ ======================================================================= [5] New Privacy Reports by PRI and Privacy Foundation ======================================================================= The Pacific Research Institute (PRI) and the Privacy Foundation (PF) unveiled new studies on privacy. The PRI report, entitled "Consumer Privacy: A Free Choice Approach," stands for the proposition that the free market and technology will sufficiently protect individuals' privacy. PRI argues that privacy should be a matter of individual choice, and that individuals can use technology to protect privacy consistent with their preferences. Privacy regulation would actually harm protections, as individuals would be lulled into a sense of security and the technology industry would be less inclined to produce privacy-enhancing technologies. PRI actually cites the Toysmart.com case as an example of free market success in privacy protection. In that case, Toysmart.com attempted to sell its customer lists as a bankruptcy asset in violation of the company's privacy policy. After public outcry and FTC involvement, the bankruptcy judge allowed the sale of the data to a company willing to protect the information with the same privacy policy as Toysmart.com. Ultimately, Toysmart's parent company bought the database and destroyed it to avoid further public scrutiny. The report concludes that consumer privacy legislation will not improve e-commerce, and that such legislation would restrict free speech. Legislators should not pursue privacy protection in law absent an inquiry into whether risks exist to individuals and whether the marketplace can provide a solution to the problem. The Privacy Foundation, a non-profit research center based in Denver, CO, released a study entitled "Click, you're hired. Or tracked..." The study focuses on the privacy practices of Monster.com, an online job-finding service. The Monster.com web site allows job seekers and employers to post resumes and job announcements. Monster.com maintains 8.6 million resumes with personal information. The Privacy Foundation found in interviews with former Monster employees that the company schemed to sell personal information from posted resumes. Job seekers who decided to delete their resume on Monster.com cannot eliminate their personal information from the company's internal database. The Privacy Foundation report found that Monster.com can save and mine personal data after a resume has been deleted. The report notes that the same privacy risks exist on other job search web sites besides Monster.com. Pacific Research Institute report on consumer privacy: http://www.pacificresearch.org/issues/tech/privacy/privacy_home.html Privacy Foundation report on Monster.com: http://www.privacyfoundation.org/privacywatch/monster.asp ======================================================================= [6] Privacytown: Online Guide to Protecting Consumer Privacy ======================================================================= Privacytown is an online consumer privacy guide recently developed by Industry Canada. The Privacytown Web site is dedicated to protecting consumer privacy and personal information in the age of electronic commerce and new information technologies. Although Privacytown was developed for Canadian consumers, it is also a valuable learning tool for consumers living outside of Canada, as it provides a good introduction to basic consumer privacy issues. This useful resource provides information about privacy issues that consumers might encounter in the various places they go, including hospitals, liquor stores, video stores, department stores, convenience stores, and schools. A Privacy Protection Guide and a Privacy Checklist is provided for each location. The Privacytown Web site has both a full-graphics and a text-only interface. The entire site is available in both English and French. Privacytown (English): http://strategis.ic.gc.ca/SSG/ca01298e.html La Ville Privee (Francais): http://strategis.ic.gc.ca/SSGF/ca01298f.html ======================================================================= [7] EPIC Bookstore - Privacy Law Sourcebook 2001 ======================================================================= * JUST PUBLISHED! * The Privacy Law Sourcebook 2001, edited by Marc Rotenberg http://www.powells.com/cgi-bin/partner?partner_id=24075&cgi=biblio&show=trade%20paper:new:1131377346:40.00 The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers and journalists interested in privacy law in the United States and around the world. Includes the full texts of major privacy laws and directives such as the FCRA, the Privacy Act, FOIA, Family Educational Rights and Privacy Act, Right to Financial Privacy Act, Privacy Protection Act, Cable Communications Policy Act, ECPA, Video Privacy Protection Act, OECD Privacy Guidelines, OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Telecommunications, as well as a fully up-to-date section on recent developments. The Privacy Law Sourcebook is updated and expanded for 2001 with information about the EU Standard Contract Clauses for Transfers of Personal Data, recent privacy legislation in Eastern Europe, and new summaries of key statutes for the non-specialist. Also included is an extensive section on privacy resources with useful web sites and contact information for privacy agencies, organizations, and publications. The Privacy Law Sourcebook has received much public acclaim: "The Physicians Desk Reference of the privacy world." -Evan Hendricks, Privacy Times "A handy compilation of privacy law instruments and a 'must' for anyone seeking guidance about the location and content of the key statutes, treaties, and recent developments." -American Society of International Law "The Privacy Law Sourcebook belongs front and center on the desk of every Information Age lawyer. It provides an indispensable map to the maze that is modern privacy law." -Prof. Paul M. Schwartz, Brooklyn Law School ================================ EPIC Publications: "The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001). Price: $40. http://www.epic.org/pls2001/ The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources. ================================ "Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20. http://www.epic.org/bookstore/filters2.0/ A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression. ================================ "The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40. http://www.epic.org/cls/ The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy. ================================ "Privacy & Human Rights 2000: An International Survey of Privacy Laws and Developments," David Banisar, author (EPIC 2000). Price: $20. http://www.epic.org/phr/ This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including, data protection, telephone tapping, genetic databases, ID systems and freedom of information laws. ================================ "Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20. http://www.epic.org/crypto&/ EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement. ================================ Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore: http://www.epic.org/bookstore/ ======================================================================= [8] Upcoming Conferences and Events ======================================================================= Call for Committee Nominations - September 7, 2001. Study on Privacy in the Information Age. National Research Council, Computer Science and Telecommunications Board. For more information: http://www.cstb.org/ The Broadband Economy: The Emerging Market System in Bandwidth. Columbia Institute for Tele-Information (CITI). September 14, 2001. New York, NY. For more information: http://www.citi.columbia.edu/ Privacy Compliance. UC Berkeley Extension. September 18, 2001. San Francisco, CA. For more information: http://www.unex.berkeley.edu/eng/br350/3-1.html Key Drivers for 3G Wireless: Will 3G Deliver its Promise? Columbia Institute for Tele-Information (CITI). September 20, 2001. New York, NY. For more information: http://www.citi.columbia.edu/ WorkSurv: A Seminar on the Technical, Legal & Business Issues of Workplace Surveillance. Privacy Foundation. September 25, 2001. Denver, CO. For more information: http://www.privacyfoundation.org/worksurv.asp Health Information Privacy: Dialogue with the Stakeholders. Riley Information Services, Inc. September 28, 2001. Ottawa, Canada. For more information: http://www.rileyis.com/seminars/ Privacy2001: Information, Security & Ethics for the New Century. Technology Policy Group. October 3-4, 2001. Cleveland, OH. For more information: http://www.privacy2000.org/ Consumers and Utilities. Residential Utilities Services: Meeting Consumer Energy and Communications Needs in a Dynamic Marketplace. Consumer Federation of America. October 4-5, 2001. Washington, D.C. For more information: http://www.consumerfed.org/ Call for Proposals - October 15, 2001. CFP 2002: The Twelfth Conference on Computers, Freedom & Privacy. April 16-19, 2002. San Francisco, CA. For more information: http://www.cfp2002.org/ Privacy: The New Management Imperative - Chief Privacy Officer Training Program. Southern Methodist University and Privacy Council. October 15-17, 2001. Dallas, TX. For more information: http://execdev.cox.smu.edu/ Nurturing the Cybercommons, 1981-2021. Computer Professionals for Social Responsibility (CPSR) 20th Anniversary Conference and Wiener Award Dinner. October 19-21, 2001. Ann Arbor, MI. For more information: http://www.cpsr.org/ The New HIPAA Privacy Rule: Guiding Your Clients Through the Implementation Process. Practising Law Institute. October 24, 2001. New York, NY. For more information: http://www.pli.edu/ The Third National HIPAA Summit: From Theory to Practice - From Planning to Implementation. October 24-26, 2001. Washington, DC. For more information: http://www.hipaasummit.com/ The 29th Research Conference on Communication, Information and Internet Policy. Telecommunications Policy Research Conference. October 27-29, 2001. Alexandria, VA. For more information: http://www.tprc.org/ The 8th Annual Centre for Applied Cryptographic Research (CACR) Information Security Workshop: The Human Face of Privacy Technology. University of Waterloo and Information and Privacy Commission/Ontario. November 1-2, 2001. Toronto, Ontario. For more information: http://www.cacr.math.uwaterloo.ca/ Workshop on Security and Privacy in Digital Rights Management 2001. Eighth Association for Computing Machinery (ACM) Conference on Computer and Communications Security. November 5, 2001. Philadelphia, PA. For more information: http://www.star-lab.com/sander/spdrm/ Privacy: The New Management Imperative - Chief Privacy Officer Training Program. Cambridge University and Privacy Council. November 5-8, 2001. Cambridge, England. For more information: kturner@privacycouncil.com Learning for the Future. Business for Social Responsibility's Ninth Annual Conference. November 7-9, 2001. Seattle, WA. For more information: http://www.bsr.org/events/2001.asp Information Operations: Applying Power in the Information Age. Jane's Information Group. November 14-15, 2001. Washington, DC. For more information: http://www.janes.com/security/conference/info_op/info_op.shtml Call for Papers - December 1, 2001. 11th Annual EICAR & 3rd European Anti-Malware Conference. European Institute for Computer Anti-Virus Research (EICAR). June 8-11, 2002. Berlin, Germany. For more information: http://conference.eicar.org/ ======================================================================= Subscription Information ======================================================================= Subscribe/unsubscribe via Web interface: https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news Subscribe/unsubscribe via email: epic_news-request@mailman.epic.org subject line: "subscribe" or "unsubscribe" Back issues are available at: http://www.epic.org/alert/ ======================================================================= Privacy Policy ======================================================================= The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you have any other questions. ======================================================================= About EPIC ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at http://www.guidestar.org/aol/search/report/report.adp?ein=52-2225921 Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ---------------------- END EPIC Alert 8.16 ----------------------- .