EPIC logo

        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
    Volume 9.06                                     March 28, 2002
                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.
Table of Contents

[1] FBI Ordered to Locate Carnivore Documents in EPIC FOIA Case
[2] ACLU, EPIC, Library Groups Challenge Internet Filtering Law
[3] Congress Holds Hearing on Surveillance Cameras in Washington, DC
[4] Bush Administration Reneges On Medical Privacy Guarantees
[5] EPIC FOIA Request Seeks Homeland Security Documents
[6] Updated EPIC Public Opinion Page; Industry Privacy Reports Biased
[7] EPIC Bookstore - Free as in Freedom
[8] Upcoming Conferences and Events

[1] FBI Ordered to Locate Carnivore Documents in EPIC FOIA Case

EPIC has won another round in its effort to compel the disclosure of
information about the FBI's controversial Carnivore Internet
surveillance system.  In an order issued on March 25, U.S. District
Judge James Robertson denied a government motion for summary judgment
and directed the Bureau to expand its search for records about
Carnivore.  The judge ordered the FBI to complete within 60 days "a
further search" for records pertaining to the system.

EPIC filed its Freedom of Information Act suit against the FBI and the
Justice Department in July 2000, after the agencies failed to respond
to a request to expedite the processing of documents relating to
Carnivore.  The FBI subsequently agreed to expedite its search (which
otherwise would have taken several years), and made its "final"
release of documents in January 2001.  The Bureau then prepared an
itemized accounting of withheld material in support of its motion for
summary judgment, which was filed last summer.  The accounting
indicated that approximately 2000 pages of material were located at
two Bureau components -- the Electronic Surveillance Technology
Section (ESTS) in Quantico, Virginia, and the Contracts Unit at FBI
Headquarters -- but no other locations.

In response to the government's motion, EPIC noted that the released
documents dealt only with technical aspects of Carnivore, rather than
the legal and policy implications of the surveillance technique.  EPIC
further noted that no documents had yet been located at key FBI and
DOJ components, including the FBI's Office of General Counsel.  Judge
Robertson agreed, finding that EPIC "has raised a 'positive
indication' that the FBI may have overlooked documents in other FBI
divisions, most notably the offices of the General Counsel and
Congressional and Public Affairs."

Public disclosure of information concerning Carnivore is particularly
important in the aftermath of September 11, as such investigative
techniques are likely to increase in use.  The controversial USA
PATRIOT Act, quickly passed by Congress last fall, expressly
authorizes the use of Carnivore and imposes certain reporting
requirements when it is used by investigators.

Judge Robertson's order is available at:


Background information on EPIC's Carnivore FOIA litigation, including
scanned images of selected documents, is available at:


[2] ACLU, EPIC, Library Groups Challenge Internet Filtering Law

Trial commenced Monday in Philadelphia challenging the
constitutionality of the Children's Internet Protection Act (CIPA),
the federal law that would require libraries to install Internet
filtering software in order to continue receiving federal technology
funding.  Congress approved CIPA in December 2000 even after its own
18-member committee rejected the proposal because of the risk that
"protected, harmless, or innocent speech would be accidentally or
inappropriately blocked."

The law -- the third attempt by Congress to control information
available to minors on the Internet -- is being challenged by the
American Civil Liberties Union (ACLU), the American Library
Association (ALA) and numerous individual plaintiffs.  EPIC is
participating in the case as co-counsel.

The plaintiffs argue that the law will arbitrarily restrict access to
a wide range of information on sex, health and social issues, with no
guarantee that children will actually be protected from obscenity or
pornography.  Critiques and studies have documented the negative
impact of content blocking systems, particularly noting that filtering
and rating systems can be viewed as fundamental architectural changes
that may facilitate the suppression of speech far more effectively
than national laws alone.  Experts testified during the first days of
trial that current Internet filtering software is so imprecise that it
would block sites discussing topics such as homosexuality, breast
cancer, and menstruation.  Although libraries would have the ability
to override filters if requested, librarians have testified that most
patrons would be too embarrassed to make such requests -- even for
legitimate medical information -- and that this would be an invasion
of patrons' privacy.

Plaintiffs include libraries and library associations across the
country, individual library patrons, and authors of Web sites such as
AfraidtoAsk.com, a medical information Web site offering photographs
of the human body, including such things as size and shape of
genitalia, hair and skin characteristics, and stature.  These Web
sites, as well as many prevalent informational and educational sites
(including the EPIC web site), are frequently blocked by Internet

Testimony is expected to run through next Wednesday, with a ruling
expected by early May.  Should the law be upheld, libraries nationwide
would have to prepare to comply with it by July 1.



EPIC Publication, Filters & Freedom 2.0: Free Speech Perspectives on
Internet Content Controls:


Peacefire, an organization that advocates the right to free speech,
sells T-shirts that list the names of some often-blocked sites:


[3] Congress Holds Hearing on Surveillance Cameras in Washington, DC

The House Committee on Government Reform held a hearing last week on
the use of video surveillance in the Nation's capital.  Among the
witnesses were representatives of the Council and Government of the
District of Columbia, the Chief of the Metropolitan Police Department
(MPD), experts in video surveillance, and civil liberties activists.
All but one of the federal agencies invited -- the National Parks
Service -- declined the invitation, which included the Department of
Justice and the Federal Bureau of Investigation.

The hearing revealed that video cameras have been installed in DC
since 2000 without notice or prior public consultation, and that no
guidelines exist today to regulate the installation and use of video
cameras.  The public has recently become aware of the ever-increasing
use of video cameras by a growing number of governmental authorities,
including the MPD, the Department of Transportation, and the National
Parks Service, and without any legal guidance.  Of much concern is the
fact that the MPD plans to connect the 1,000 cameras already installed
by various agencies to a single control room that would allow for
continuous and centralized surveillance, which it has already done in
the past during emergency situations (e.g., the 2000 International
Monetary Fund protests and in the wake of 9/11 terrorism threats).
Future plans include the connection of school, traffic, metro,
shopping area and high-crime neighborhood video cameras.

As to the fundamental issues of effectiveness and reliability of video
surveillance for law enforcement purposes, no witnesses could yet
provide clear and definite answers.  Most witnesses agreed that
although much work is still required on these issues, federal
standards or regulations for the use of video cameras are preferable
to leaving law enforcement authorities to come up with state-specific,
self-regulatory guidelines.

EPIC has urged Congress and all parties involved in the planning of
Washington's video surveillance system to address the fundamental
constitutional values at stake: privacy, freedom of movement, and
limitations on law enforcement's capability to collect information
about citizens.  EPIC has also advocated for effective oversight by
Congress and the DC City Council, and recommended that procedures be
put in place to ensure public accountability.

Additionally, EPIC has launched a new Web site, "Observing
Surveillance," to document and record the growth of video surveillance
in the District of Columbia.

Observing Surveillance:


[4] Bush Administration Reneges On Medical Privacy Guarantees

The Department of Health and Human Services (HHS) has proposed changes
to the Health Insurance Portability and Accountability Act (HIPAA)
Privacy Rule that would significantly dilute federal medical privacy
protections.  While the full implications of the proposed changes are
still unclear, the new rule would eliminate the consent requirement
and give parents more power to access children's medical records.  The
proposed changes do improve privacy rights by shifting to an opt-in
system for marketing use of medical records.  However, the proposed
changes exclude many forms of marketing from the opt-in protections.
These changes conflict with President Bush's campaign promises to
create strong protections for medical information.

The Privacy Rule, which became effective in April 2001, provides the
first baseline federal protection for the privacy of medical
information.  It gives patients the right to notice of privacy
policies, a right to request restrictions on disclosure, a right to
amend their records, a right to an accounting of disclosures, and
requires that health care providers obtain consent from a patient
before using health information.  The Privacy Rule has been under
continuous attack by hospitals, health maintenance organizations, and
recently was pegged for revision or rescission by the Office of
Management and Budget's Office of Information and Regulatory Affairs.

The changes, proposed by HHS Secretary Tommy Thompson, were based upon
an overbroad reading of the Privacy Rule and false statements about
its implications.  For instance, Thompson claimed that the changes
were necessary to guarantee patient access to health care, citing the
notion that sick patients would be prevented from sending friends or
relatives to pharmacies in order to obtain filled prescriptions.
However, the Privacy Rule specifically allows pharmacies to exercise
professional judgment and release filled prescriptions to friends and

While privacy advocates have acknowledged that HIPAA's consent
provisions have weaknesses, HHS' proposed changes would eliminate the
consent requirement rather than amend it to address valid concerns.

The proposed changes would also give parents greater access to their
children's medical files.  The regulations allow disclosure based on
professional judgment of the physician where state law is silent on
the issue of disclosing minors' information.  This change was sought
by special interests that advocate the dilution of children's privacy
so that parents can obtain more information about minors' access to
birth control and abortion.

The proposed changes represent a significant departure from prior
policy positions held by President Bush.  On numerous occasions during
his presidential campaign, Bush expressed the view that privacy was a
"fundamental right" and said he supported opt-in protections for
medical and financial data.

Individuals are encouraged to comment on the proposed changes, and can
do so on the HHS web site (see below) until April 26, 2002.

Health and Human Services Privacy Rule Site and Proposed Changes:


Health Privacy Project:


EPIC's Medical Records Privacy Page:


[5] EPIC FOIA Request Seeks Homeland Security Documents

EPIC filed a Freedom of Information Act (FOIA) request last week with
the Office of Homeland Security asking for detailed information on
Director Tom Ridge's proposal to create a new biometric identity card
for air travelers.  Director Ridge said in his February 24th speech to
the National Governor's Association, "I do think that this might be a
great opportunity for us to do some work with biometrics, and get a
trusted flier program," and that he would be working closely with the
new Transportation Security Agency (TSA) in developing this program.

In a related matter, EPIC has filed a lawsuit to obtain information
from the TSA on its biometric identity card proposal (see EPIC Alert
9.05).  EPIC is also seeking further information about draft
legislation that would link the driver's license expiration date to
visa status, which the Office of Homeland Security is reported to be
preparing for various states to adopt.

Both proposals from the Office of Homeland Security implicate serious
privacy and security risks.  One proposal contemplates creating a new
federally-issued identity card using biometric identification that has
significant privacy implications; the other aims at expanding the
purpose of a driver's license into a realm that has nothing to do with
road safety.  There is a strong public interest in understanding how
these proposals are being formulated, and assessing the potential
privacy implications of such proposals requires full and informed
public debate on the design and purpose of the new systems.  EPIC
believes that substantive proposals from the Office of Homeland
Security involving important constitutional values and rights should
be subject to public oversight.

Office of Homeland Security:


"Ridge: Link Driver's License, Visa," Federal Computer Week, March 15,


EPIC's DOT/TSA lawsuit:


[6] Updated EPIC Public Opinion Page; Industry Privacy Reports Biased

EPIC has released a newly updated version of its Public Opinion and
Privacy Page to reflect survey data that shows such trends as strong
support for opt-in privacy protections, as well as the opinion that
the current self-regulatory framework is insufficient to protect
privacy.  Polls from the past few years have increasingly shown that
the public wants control over their data; that they believe their
privacy would be better protected by comprehensive legislation, not
self-regulation; that they value their anonymity on the Internet; and
that they fear both government and public-sector abuses of their

In related developments, a new report by independent privacy
consultant Robert Gellman, entitled "Privacy, Consumers, and Costs:
How The Lack of Privacy Costs Consumers and Why Business Studies of
Privacy Costs are Biased and Incomplete," critiques business studies
of privacy and finds that they ignore the costs imposed on consumers
and on society by self-regulatory systems for protecting privacy.

EPIC Public Opinion and Privacy Page:


Privacy, Consumers, and Costs: How The Lack of Privacy Costs Consumers
and Why Business Studies of Privacy Costs are Biased and Incomplete:


[7] EPIC Bookstore - Free as in Freedom

FREE AS IN FREEDOM: Richard Stallman's Crusade for Free Software, by
Sam Williams (O'Reilly 2002).


Few who have met Richard Stallman will forget the experience.
Passionate, brilliant, and purposeful without bounds, Stallman turns
virtually every human interaction into a quest for perfection.  His
writing in essays such as "The Road to Tycho," a haunting story of a
future with perfect copyright control, can be as clear and as
exquisite as emacs, the popular word processing program he helped

Sam Williams' "Free as in Freedom" captures in substance and form the
elegance and precision of Stallman's crusade for Free Software.  This
is a book that moves with economy through the life of the world's most
famous hacker.  The love of Chinese food, folk dance, and clever
phrases punctuate a quest driven by an unwavering belief that computer
code should not be controlled, that innovation requires cooperation.

Williams draws on Steven Levy's "Hackers," the 1984 book that helped
popularize the culture of the MIT railway club and the AI lab of the
1970s and early 1980s.  Williams, like Levy, helps explain a world of
all-nighters, brilliant code, and new frontiers.  Many of the young
coders today would fit very comfortably in that world, though they
would probably require MP3 players and more bandwidth.

Williams provides an interesting glimpse of Richard's early years. His
gentle and illuminating description of the relationship between
Stallman and his mother contrasts sharply with another famous story of
a mother and her child prodigy.  Bobby Fischer's mother was filled
with rage and a fierce anti-semitism that she passed on to her son.
Fischer's career was almost the antithesis of the John Nash character
portrayed in "A Beautiful Mind."  Fischer battled real enemies during
the Cold War, when the Russians feared the loss of their chess
dominance, but he never earned the same level of regard from his
colleagues as Nash would with the receipt of the Nobel Prize.  In the
end, Fischer's achievement was well established in the chess world,
but his life's work lacked the humanism which has so clearly made
Stallman a folk hero in the computer world.

More than any person, Stallman came to exemplify the spirit of
brilliant programmer and political crusader.  Stallman's philosophy
also gave way to the General Public License, a wonderfully subversive
legal contract that prevents free software from being bound to
proprietary software.

In the lore of American technical prowess, Henry Ford, Alexander
Graham Bell, and Thomas Edison stand as giants for their contributions
to scientific invention and the American economy.  But perhaps it is
Richard Stallman who found in the freedom to innovate not only a path
to progress, but also a political philosophy that stretches back to
Benjamin Franklin and Thomas Jefferson, the true American inventor.

- Marc Rotenberg

The Right to Read (The Road to Tycho)
EPIC Publications:
"Privacy & Human Rights 2001: An International Survey of Privacy Laws
and Developments," (EPIC 2001). Price: $20.
This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including, data protection, telephone
tapping, genetic databases, ID systems and freedom of information
"The Privacy Law Sourcebook 2001: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40. http://www.epic.org/bookstore/pls2001/
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.
"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.
"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
     EPIC Bookstore
     "EPIC Bookshelf" at Powell's Books
[8] Upcoming Conferences and Events

Music and Theft: Sampling, Technology, and the Law. Duke Law School,
with funding from the Ford Foundation and the Center for the Public
Domain. March 30, 2002. For more information:

The International Security, Trust and Privacy Alliance (ISTPA) Annual
Members Meeting: Digital Identity Services - Issues & Challenges.
April 8-10, 2002. Santa Clara, CA. For more information:

Consumer Protection Issues in 2002 and Beyond. Association of the Bar
of the City of New York, Committee on Consumer Affairs. April 11,
2002. New York, NY. For more information: avernick@fgkks.com

The 27th Annual AAAS Colloquium on Science and Technology Policy:
Science and Technology in a Vulnerable World: Rethinking Our Roles.
American Association for the Advancement of Science. April 11-12,
2002. Washington, DC. For more information:

Workshop on Privacy Enhancing Technologies. April 14-15, 2002. San
Francisco, CA. For more information: http://www.pet2002.org/

CFP 2002: The Twelfth Conference on Computers, Freedom & Privacy.
April 16-19, 2002. San Francisco, CA. For more information:

4th Annual MIT Sloan eBusiness Awards. Massachusetts Institute of
Technology, Sloan School of Management. April 17, 2002. Cambridge, MA.
For more information: http://www.mitawards.org/home.asp

4th National HIPAA Summit: The Leading Forum on Healthcare Privacy,
Confidentiality, Data Security and HIPAA Compliance. April 24-26,
2002. Washington, DC. For more information:

2002 IEEE Symposium on Security and Privacy. IEEE and the
International Association for Cryptologic Research. May 12-15, 2002.
Oakland, CA. For more information:

Information Integrity World Summit. The Hands-On Summit to Protect
Your Organization: Overcoming Cyber-security and E-Privacy Threats.
Information Integrity. May 15-16, 2002. Washington, DC. For more
information: http://www.411integrity.com/live/80/events/80II102

Privacy Law: Emerging Issues in Employee and Consumer Relations. CLE
International. May 16-17, 2002. Los Angeles, CA. For more information:

Personal Privacy in the Digital Age: The Challenge for State and Local
Governments. Joint Center for eGovernance. May 19-21, 2002. Arlington,
VA. For more information: http://www.conted.vt.edu/privacy/agenda.htm

Call For Papers - June 1, 2002 (special recognition for outstanding
student papers). 18th Annual Computer Security Applications Conference
(ACSAC): Practical Solutions to Real Security Problems. Applied
Computer Security Associates. December 9-13, 2002. Las Vegas, Nevada.
For more information: http://www.acsac.org/

INET 2002. Internet Crossroads: Where Technology and Policy Intersect.
Internet Society. June 18-21, 2002. Washington, DC. For more
information: http://www.inet2002.org/

IViR International Copyright Law Summer Course. Royal Netherlands
Academy of Arts and Sciences. July 8-12, 2002. Amsterdam, Netherlands.
For more information: http://www.ivir.nl/

Privacy2002. Technology Policy Group. September 24-26, 2002.
Cleveland, OH. For more information:

Subscription Information
Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:
     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe"
Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription email address, or if you have any
other questions.
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learn
Latin at the same time!  Receive a free epic.org "sed quis custodiet
ipsos custodes?" coffee mug with donation of $75 or more.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
   ---------------------- END EPIC Alert 9.06 -----------------------