EPIC logo
        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
    Volume 8.16                                  September 6, 2001
                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.
Table of Contents
[1] Government Says Details of Keystroke Monitor are "Classified"
[2] EPIC Urges Federal Judiciary to End Workplace Monitoring
[3] Friday, September 7 - Day of Action Against Video Surveillance
[4] Subpoenaed Bookstores Defend Customer Privacy
[5] New Privacy Reports by PRI and Privacy Foundation
[6] Privacytown: Online Guide to Protecting Consumer Privacy
[7] EPIC Bookstore - Privacy Law Sourcebook 2001
[8] Upcoming Conferences and Events
[1] Government Says Details of Keystroke Monitor are "Classified"
Attempting to conceal the details of keystroke monitoring technology
used in a criminal investigation, the U.S. government has invoked the
Classified Information Procedures Act (CIPA) in a high-profile case
pending in federal court in New Jersey.  The invocation of CIPA came
in response to an order issued on August 7 by U.S. District Judge
Nicholas Politan, directing the government to produce a report
"detailing how the key logger device functions."  To date, the
technique has only been described publicly as "specialized computer
software, firmware and/or hardware."  The FBI surreptitiously
installed the keystroke monitor on the computer of defendant Nicodemo
Scarfo and used it to capture his PGP encryption passphrase during the
course of a gambling investigation.
In a motion filed on August 23, the government asserts that
"information concerning the underlying functionality of the FBI's Key
Logger System is classified" and that, even if Scarfo can show that
the information would be helpful to his defense, "overriding national
security concerns may trump the defendant's need for the information."
The defense has argued that the Fourth Amendment implications of the
technique cannot be assessed unless its details are disclosed.  In his
August 7 decision, Judge Politan agreed, noting that "the court cannot
make a determination as to the lawfulness of the government's search
... without knowing specifically how the search was effectuated.  This
requires an understanding of how the key logger device functions."
A hearing on the government's CIPA motion is scheduled for September 7
in federal court in Newark, New Jersey.
In a related development, the U.S. Court of Appeals for the Third
Circuit on August 27 reversed a gag order Judge Politan imposed on
attorneys in the Scarfo case last December.  Noting that there is "an
important legal issue about to be raised before the court," the
appeals court said that counsels' "comments on an interesting legal
issue did not pose a threat to the fairness of the trial or to the
jury pool ... [nor has there been any] identifiable prejudice or risk
of prejudice."
Selected court documents on the Scarfo case, including the
government's motion to invoke CIPA, are available at:
[2] EPIC Urges Federal Judiciary to End Workplace Monitoring
EPIC Executive Director Marc Rotenberg today wrote to the Judicial
Conference of the United States urging the body to end the practice of
monitoring computer terminals of employees of the federal judiciary.
The Judicial Conference is a 27-member board of judges that sets policy
for the federal courts.  The judges will meet on September 11 to
approve policies affecting workplace monitoring and the privacy
implications of providing electronic access to court files.
Rotenberg argued that monitoring of Web sites visited by judges and
their staff without notice could constitute a violation of the
Electronic Communications Privacy Act of 1986 (ECPA).  ECPA prohibits
the intentional interception of electronic communications, and it is
the primary statute relied upon by employees to challenge invasive
workplace monitoring.
Furthermore, merely providing notice would not address the underlying
Fourth Amendment issues raised by monitoring of judicial networks.
As Professor Anthony Amsterdam wrote in 1974, "each person's
subjective expectation [could be rendered meaningless if the
government were to announce] half-hourly on television that 1984 was
being advanced by a decade and that we were all forthwith being
placed under comprehensive electronic surveillance."
A series of commentators and judges have criticized monitoring of
judicial networks in recent weeks.  The issue attracted public
attention after judges from the Ninth Circuit disabled content
monitoring systems on a judicial Internet gateway.  In deciding to
disable the monitoring system, the judges cited privacy,
confidentiality, and the risk that content monitoring may run afoul
of ECPA.  Officials from the Administrative Offices of the United
States Courts have insisted that the monitoring continue.
EPIC Letter to the Judicial Conference:
[3] Friday, September 7 - Day of Action Against Video Surveillance
On Friday, September 7, a variety of groups are staging a day of
action against surveillance cameras.  The event is inspired by the
Surveillance Camera Players, an international group of demonstrators
who have been "acting up" for surveillance cameras ever since they
first began to be installed around New York City.
The proposal for the day of action reads as follows:
     "We propose --
     1. that an international day of action against video
        surveillance -- specifically: the constant, indiscriminate
        and technologically sophisticated video surveillance of
        public places by both businesses and law enforcement
        agencies -- take place on Friday, 7 September 2001;
     2. that people who wish to intensify the struggle to protect
        and strengthen the right to privacy (a fundamental human
        right) should undertake autonomous actions at the local
        level and in a completely de-centralized fashion;
     3. that, if and when possible, at least some of these
        actions should be undertaken in front of webcams that have
        already been installed in public places by private
        companies that are insensitive or even hostile to privacy
        concerns (in addition to disrupting "business as usual" for
        these companies, the use of webcams will allow the entire
        world to see anti-video surveillance actions as they take
     4. that all individuals and groups participating in the day
        of action keep in touch with at least one of the groups
        listed below and/or each other;
     5. that at least one Web site links to or actually displays
        images from these actions as they take place;
     6. that this proposal should be posted on-line and sent to
        as many people as possible and as soon as possible; and
     7. that this proposal be translated into as many foreign
        languages as possible, but especially French, German, and
        Italian, for it is in France, Belgium, Germany and Italy
        that the anti-video surveillance struggle is the most
        visible at the moment."
Protests will take the form of short skits and plays enacted in front
of surveillance cameras around the world.  Many of these skits will be
broadcast via the Internet so they can be watched worldwide.
On a related note: In late August, Borders was reportedly considering
installing face recognition cameras in two of its United Kingdom
bookstores, but decided not to do so until further examination of
human rights issues associated with such surveillance.  This comes as
no surprise, as public debate has recently opened up regarding the use
of these cameras for law enforcement purposes, both in the UK and the
United States.
To get involved in the day of action, visit the Surveillance Camera
Players Web site:
For more information, see EPIC's Face Recognition Web page:
[4] Subpoenaed Bookstores Defend Customer Privacy
The federal government agreed this week to drop a production request
for customer records contained within subpoenas issued to three
bookstores in connection with a probe of New Jersey Democratic
Senator Robert G. Torricelli.  The government's decision was made
after local counsel representing the bookstores informed the Justice
Department that they would move to quash the subpoenas on First
Amendment grounds.  The American Booksellers Foundation for Free
Expression (ABFFE) agreed to assist the bookstores, Books & Books
(Coral Gables, Florida), Olsson's Books and Records (Washington,
D.C.), and Arundel Books (Los Angeles, CA), after they received
subpoenas on August 16th seeking records dating back to January 1,
1995 for purchases made by Torricelli and 7 other customers.
The government probe has focused on Torricelli's $9 million 1996
Senate campaign, particularly whether New Jersey businessman David
Chang gave Torricelli undisclosed gifts such as antiques, suits and
cash in exchange for Torricelli's help in business dealings that
involved the North Korean and South Korean governments.  Chang, now a
cooperating witness, pleaded guilty to charges that he made $53,700 in
illegal contributions to Torricelli's campaign.  Torricelli stated he
never accepted any illegal gifts from Chang, and that any help he gave
him was routine constituent service.
ABFFE president Chris Finan stated that complying with the subpoenas,
which would require turning over personal information such as the
titles of all books purchased, would have a chilling effect on the
First Amendment rights of all customers.  This is the fourth recent
attempt by law enforcement authorities to gain access to titles of
works purchased by bookstore customers.  All prior similar efforts
have resulted in the request being dropped, or by having the subpoena
quashed or narrowed by the courts on First Amendment grounds.
Finan called the government's decision a victory for privacy and the
First Amendment.
Visit the American Booksellers Foundation for Free Expression website:
[5] New Privacy Reports by PRI and Privacy Foundation
The Pacific Research Institute (PRI) and the Privacy Foundation (PF)
unveiled new studies on privacy.  The PRI report, entitled "Consumer
Privacy: A Free Choice Approach," stands for the proposition that the
free market and technology will sufficiently protect individuals'
PRI argues that privacy should be a matter of individual choice, and
that individuals can use technology to protect privacy consistent
with their preferences.  Privacy regulation would actually harm
protections, as individuals would be lulled into a sense of security
and the technology industry would be less inclined to produce
privacy-enhancing technologies.
PRI actually cites the Toysmart.com case as an example of free market
success in privacy protection.  In that case, Toysmart.com attempted
to sell its customer lists as a bankruptcy asset in violation of the
company's privacy policy.  After public outcry and FTC involvement,
the bankruptcy judge allowed the sale of the data to a company willing
to protect the information with the same privacy policy as
Toysmart.com.  Ultimately, Toysmart's parent company bought the
database and destroyed it to avoid further public scrutiny.
The report concludes that consumer privacy legislation will not
improve e-commerce, and that such legislation would restrict free
speech.  Legislators should not pursue privacy protection in law
absent an inquiry into whether risks exist to individuals and whether
the marketplace can provide a solution to the problem.
The Privacy Foundation, a non-profit research center based in Denver,
CO, released a study entitled "Click, you're hired.  Or tracked..."
The study focuses on the privacy practices of Monster.com, an online
job-finding service.  The Monster.com web site allows job seekers and
employers to post resumes and job announcements.
Monster.com maintains 8.6 million resumes with personal information.
The Privacy Foundation found in interviews with former Monster
employees that the company schemed to sell personal information from
posted resumes.
Job seekers who decided to delete their resume on Monster.com cannot
eliminate their personal information from the company's internal
database.  The Privacy Foundation report found that Monster.com can
save and mine personal data after a resume has been deleted.
The report notes that the same privacy risks exist on other job search
web sites besides Monster.com.
Pacific Research Institute report on consumer privacy:
Privacy Foundation report on Monster.com:
[6] Privacytown: Online Guide to Protecting Consumer Privacy
Privacytown is an online consumer privacy guide recently developed by
Industry Canada.  The Privacytown Web site is dedicated to protecting
consumer privacy and personal information in the age of electronic
commerce and new information technologies.
Although Privacytown was developed for Canadian consumers, it is also
a valuable learning tool for consumers living outside of Canada, as it
provides a good introduction to basic consumer privacy issues.
This useful resource provides information about privacy issues that
consumers might encounter in the various places they go, including
hospitals, liquor stores, video stores, department stores, convenience
stores, and schools.  A Privacy Protection Guide and a Privacy
Checklist is provided for each location.
The Privacytown Web site has both a full-graphics and a text-only
interface.  The entire site is available in both English and French.
Privacytown (English):
La Ville Privee (Francais):
[7] EPIC Bookstore - Privacy Law Sourcebook 2001
The Privacy Law Sourcebook 2001, edited by Marc Rotenberg
The Privacy Law Sourcebook is the leading resource for students,
attorneys, researchers and journalists interested in privacy law in
the United States and around the world. Includes the full texts of
major privacy laws and directives such as the FCRA, the Privacy Act,
FOIA, Family Educational Rights and Privacy Act, Right to Financial
Privacy Act, Privacy Protection Act, Cable Communications Policy Act,
ECPA, Video Privacy Protection Act, OECD Privacy Guidelines, OECD
Cryptography Guidelines, and European Union Directives for both Data
Protection and Telecommunications, as well as a fully up-to-date
section on recent developments. The Privacy Law Sourcebook is updated
and expanded for 2001 with information about the EU Standard Contract
Clauses for Transfers of Personal Data, recent privacy legislation in
Eastern Europe, and new summaries of key statutes for the
non-specialist. Also included is an extensive section on privacy
resources with useful web sites and contact information for privacy
agencies, organizations, and publications.
The Privacy Law Sourcebook has received much public acclaim:
"The Physicians Desk Reference of the privacy world."
     -Evan Hendricks, Privacy Times
"A handy compilation of privacy law instruments and a 'must' for
anyone seeking guidance about the location and content of the key
statutes, treaties, and recent developments."
      -American Society of International Law
"The Privacy Law Sourcebook belongs front and center on the desk of
every Information Age lawyer. It provides an indispensable map to the
maze that is modern privacy law."
     -Prof. Paul M. Schwartz, Brooklyn Law School
EPIC Publications:
"The Privacy Law Sourcebook 2001: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40. http://www.epic.org/pls2001/
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.
"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.
"Privacy & Human Rights 2000: An International Survey of Privacy Laws
and Developments," David Banisar, author (EPIC 2000). Price: $20.
This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including, data protection, telephone
tapping, genetic databases, ID systems and freedom of information
"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.
Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore: http://www.epic.org/bookstore/
[8] Upcoming Conferences and Events
Call for Committee Nominations - September 7, 2001. Study on Privacy
in the Information Age. National Research Council, Computer Science
and Telecommunications Board. For more information:
The Broadband Economy: The Emerging Market System in Bandwidth.
Columbia Institute for Tele-Information (CITI). September 14, 2001.
New York, NY. For more information: http://www.citi.columbia.edu/
Privacy Compliance. UC Berkeley Extension. September 18, 2001. San
Francisco, CA. For more information:
Key Drivers for 3G Wireless: Will 3G Deliver its Promise? Columbia
Institute for Tele-Information (CITI). September 20, 2001. New York,
NY. For more information: http://www.citi.columbia.edu/
WorkSurv: A Seminar on the Technical, Legal & Business Issues of
Workplace Surveillance. Privacy Foundation. September 25, 2001.
Denver, CO. For more information:
Health Information Privacy: Dialogue with the Stakeholders. Riley
Information Services, Inc. September 28, 2001. Ottawa, Canada. For
more information: http://www.rileyis.com/seminars/
Privacy2001: Information, Security & Ethics for the New Century.
Technology Policy Group. October 3-4, 2001. Cleveland, OH. For more
information: http://www.privacy2000.org/
Consumers and Utilities. Residential Utilities Services: Meeting
Consumer Energy and Communications Needs in a Dynamic Marketplace.
Consumer Federation of America. October 4-5, 2001. Washington, D.C.
For more information: http://www.consumerfed.org/
Call for Proposals - October 15, 2001. CFP 2002: The Twelfth
Conference on Computers, Freedom & Privacy. April 16-19, 2002. San
Francisco, CA. For more information: http://www.cfp2002.org/
Privacy: The New Management Imperative - Chief Privacy Officer
Training Program. Southern Methodist University and Privacy Council.
October 15-17, 2001. Dallas, TX. For more information:
Nurturing the Cybercommons, 1981-2021. Computer Professionals for
Social Responsibility (CPSR) 20th Anniversary Conference and Wiener
Award Dinner. October 19-21, 2001. Ann Arbor, MI. For more
information: http://www.cpsr.org/
The New HIPAA Privacy Rule: Guiding Your Clients Through the
Implementation Process. Practising Law Institute. October 24, 2001.
New York, NY. For more information: http://www.pli.edu/
The Third National HIPAA Summit: From Theory to Practice - From
Planning to Implementation. October 24-26, 2001. Washington, DC. For
more information: http://www.hipaasummit.com/
The 29th Research Conference on Communication, Information and
Internet Policy. Telecommunications Policy Research Conference.
October 27-29, 2001. Alexandria, VA. For more information:
The 8th Annual Centre for Applied Cryptographic Research (CACR)
Information Security Workshop: The Human Face of Privacy Technology.
University of Waterloo and Information and Privacy Commission/Ontario.
November 1-2, 2001. Toronto, Ontario. For more information:
Workshop on Security and Privacy in Digital Rights Management 2001.
Eighth Association for Computing Machinery (ACM) Conference on
Computer and Communications Security. November 5, 2001. Philadelphia,
PA. For more information: http://www.star-lab.com/sander/spdrm/
Privacy: The New Management Imperative - Chief Privacy Officer
Training Program. Cambridge University and Privacy Council. November
5-8, 2001. Cambridge, England. For more information:
Learning for the Future. Business for Social Responsibility's Ninth
Annual Conference. November 7-9, 2001. Seattle, WA. For more
information: http://www.bsr.org/events/2001.asp
Information Operations: Applying Power in the Information Age. Jane's
Information Group. November 14-15, 2001. Washington, DC. For more
Call for Papers - December 1, 2001. 11th Annual EICAR & 3rd European
Anti-Malware Conference. European Institute for Computer Anti-Virus
Research (EICAR). June 8-11, 2002. Berlin, Germany. For more
information: http://conference.eicar.org/
Subscription Information
Subscribe/unsubscribe via Web interface:
Subscribe/unsubscribe via email: epic_news-request@mailman.epic.org
subject line: "subscribe" or "unsubscribe"
Back issues are available at:
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you have
any other questions.
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
   ---------------------- END EPIC Alert 8.16 -----------------------