   ==============================================================

     @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
     @     @  @   @   @        @ @   @     @     @  @    @
     @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
     @     @      @   @       @   @  @     @     @  @    @
     @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @  @    @

   ==============================================================
   Volume 9.06                                     March 28, 2002
   --------------------------------------------------------------

   Published by the
   Electronic Privacy Information Center (EPIC)
   Washington, D.C.

   http://www.epic.org/alert/EPIC_Alert_9.06.html

=======================================================================
Table of Contents
=======================================================================

[1] FBI Ordered to Locate Carnivore Documents in EPIC FOIA Case
[2] ACLU, EPIC, Library Groups Challenge Internet Filtering Law
[3] Congress Holds Hearing on Surveillance Cameras in Washington, DC
[4] Bush Administration Reneges On Medical Privacy Guarantees
[5] EPIC FOIA Request Seeks Homeland Security Documents
[6] Updated EPIC Public Opinion Page; Industry Privacy Reports Biased
[7] EPIC Bookstore - Free as in Freedom
[8] Upcoming Conferences and Events

=======================================================================
[1] FBI Ordered to Locate Carnivore Documents in EPIC FOIA Case
=======================================================================

EPIC has won another round in its effort to compel the disclosure of information about the FBI's controversial Carnivore Internet surveillance system. In an order issued on March 25, U.S. District Judge James Robertson denied a government motion for summary judgment and directed the Bureau to expand its search for records about Carnivore. The judge ordered the FBI to complete within 60 days "a further search" for records pertaining to the system.

EPIC filed its Freedom of Information Act suit against the FBI and the Justice Department in July 2000, after the agencies failed to respond to a request to expedite the processing of documents relating to Carnivore.
The FBI subsequently agreed to expedite its search (which otherwise would have taken several years), and made its "final" release of documents in January 2001. The Bureau then prepared an itemized accounting of withheld material in support of its motion for summary judgment, which was filed last summer. The accounting indicated that approximately 2000 pages of material were located at two Bureau components -- the Electronic Surveillance Technology Section (ESTS) in Quantico, Virginia, and the Contracts Unit at FBI Headquarters -- but no other locations.

In response to the government's motion, EPIC noted that the released documents dealt only with technical aspects of Carnivore, rather than the legal and policy implications of the surveillance technique. EPIC further noted that no documents had yet been located at key FBI and DOJ components, including the FBI's Office of General Counsel. Judge Robertson agreed, finding that EPIC "has raised a 'positive indication' that the FBI may have overlooked documents in other FBI divisions, most notably the offices of the General Counsel and Congressional and Public Affairs."

Public disclosure of information concerning Carnivore is particularly important in the aftermath of September 11, as such investigative techniques are likely to increase in use. The controversial USA PATRIOT Act, quickly passed by Congress last fall, expressly authorizes the use of Carnivore and imposes certain reporting requirements when it is used by investigators.

Judge Robertson's order is available at:

     http://www.epic.org/privacy/carnivore/court_order.html

Background information on EPIC's Carnivore FOIA litigation, including scanned images of selected documents, is available at:

     http://www.epic.org/privacy/carnivore/

=======================================================================
[2] ACLU, EPIC, Library Groups Challenge Internet Filtering Law
=======================================================================

Trial commenced Monday in Philadelphia challenging the constitutionality of the Children's Internet Protection Act (CIPA), the federal law that would require libraries to install Internet filtering software in order to continue receiving federal technology funding. Congress approved CIPA in December 2000 even after its own 18-member committee rejected the proposal because of the risk that "protected, harmless, or innocent speech would be accidentally or inappropriately blocked."

The law -- the third attempt by Congress to control information available to minors on the Internet -- is being challenged by the American Civil Liberties Union (ACLU), the American Library Association (ALA) and numerous individual plaintiffs. EPIC is participating in the case as co-counsel.

The plaintiffs argue that the law will arbitrarily restrict access to a wide range of information on sex, health and social issues, with no guarantee that children will actually be protected from obscenity or pornography. Critiques and studies have documented the negative impact of content blocking systems, particularly noting that filtering and rating systems can be viewed as fundamental architectural changes that may facilitate the suppression of speech far more effectively than national laws alone.

Experts testified during the first days of trial that current Internet filtering software is so imprecise that it would block sites discussing topics such as homosexuality, breast cancer, and menstruation.
Although libraries would have the ability to override filters if requested, librarians have testified that most patrons would be too embarrassed to make such requests -- even for legitimate medical information -- and that this would be an invasion of patrons' privacy.

Plaintiffs include libraries and library associations across the country, individual library patrons, and authors of Web sites such as AfraidtoAsk.com, a medical information Web site offering photographs of the human body, including such things as size and shape of genitalia, hair and skin characteristics, and stature. These Web sites, as well as many prevalent informational and educational sites (including the EPIC web site), are frequently blocked by Internet filters.

Testimony is expected to run through next Wednesday, with a ruling expected by early May. Should the law be upheld, libraries nationwide would have to prepare to comply with it by July 1.

EPIC's CIPA Page:

     http://www.epic.org/free_speech/cipa.html

EPIC Publication, Filters & Freedom 2.0: Free Speech Perspectives on Internet Content Controls:

     http://www.epic.org/bookstore/filters2.0/

Peacefire, an organization that advocates the right to free speech, sells T-shirts that list the names of some often-blocked sites:

     http://www.peacefire.org/t-shirts/

=======================================================================
[3] Congress Holds Hearing on Surveillance Cameras in Washington, DC
=======================================================================

The House Committee on Government Reform held a hearing last week on the use of video surveillance in the Nation's capital. Among the witnesses were representatives of the Council and Government of the District of Columbia, the Chief of the Metropolitan Police Department (MPD), experts in video surveillance, and civil liberties activists.
All but one of the invited federal agencies -- the National Parks Service being the exception -- declined the invitation; those declining included the Department of Justice and the Federal Bureau of Investigation.

The hearing revealed that video cameras have been installed in DC since 2000 without notice or prior public consultation, and that no guidelines exist today to regulate the installation and use of video cameras. The public has recently become aware of the ever-increasing use of video cameras by a growing number of governmental authorities, including the MPD, the Department of Transportation, and the National Parks Service, all without any legal guidance. Of much concern is the fact that the MPD plans to connect the 1,000 cameras already installed by various agencies to a single control room that would allow for continuous and centralized surveillance, which it has already done in the past during emergency situations (e.g., the 2000 International Monetary Fund protests and in the wake of 9/11 terrorism threats). Future plans include the connection of school, traffic, metro, shopping area and high-crime neighborhood video cameras.

As to the fundamental issues of effectiveness and reliability of video surveillance for law enforcement purposes, no witnesses could yet provide clear and definite answers. Most witnesses agreed that although much work is still required on these issues, federal standards or regulations for the use of video cameras are preferable to leaving law enforcement authorities to come up with state-specific, self-regulatory guidelines.

EPIC has urged Congress and all parties involved in the planning of Washington's video surveillance system to address the fundamental constitutional values at stake: privacy, freedom of movement, and limitations on law enforcement's capability to collect information about citizens.
EPIC has also advocated for effective oversight by Congress and the DC City Council, and recommended that procedures be put in place to ensure public accountability. Additionally, EPIC has launched a new Web site, "Observing Surveillance," to document and record the growth of video surveillance in the District of Columbia.

Observing Surveillance:

     http://www.observingsurveillance.org/

=======================================================================
[4] Bush Administration Reneges On Medical Privacy Guarantees
=======================================================================

The Department of Health and Human Services (HHS) has proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule that would significantly dilute federal medical privacy protections. While the full implications of the proposed changes are still unclear, the new rule would eliminate the consent requirement and give parents more power to access children's medical records. The proposed changes do improve privacy rights by shifting to an opt-in system for marketing use of medical records. However, the proposed changes exclude many forms of marketing from the opt-in protections. These changes conflict with President Bush's campaign promises to create strong protections for medical information.

The Privacy Rule, which became effective in April 2001, provides the first baseline federal protection for the privacy of medical information. It gives patients the right to notice of privacy policies, a right to request restrictions on disclosure, a right to amend their records, a right to an accounting of disclosures, and requires that health care providers obtain consent from a patient before using health information. The Privacy Rule has been under continuous attack by hospitals and health maintenance organizations, and recently was pegged for revision or rescission by the Office of Management and Budget's Office of Information and Regulatory Affairs.

The changes, proposed by HHS Secretary Tommy Thompson, were based upon an overbroad reading of the Privacy Rule and false statements about its implications. For instance, Thompson claimed that the changes were necessary to guarantee patient access to health care, citing the notion that sick patients would be prevented from sending friends or relatives to pharmacies in order to obtain filled prescriptions. However, the Privacy Rule specifically allows pharmacies to exercise professional judgment and release filled prescriptions to friends and relatives. While privacy advocates have acknowledged that HIPAA's consent provisions have weaknesses, HHS' proposed changes would eliminate the consent requirement rather than amend it to address valid concerns.

The proposed changes would also give parents greater access to their children's medical files. The regulations allow disclosure based on professional judgment of the physician where state law is silent on the issue of disclosing minors' information. This change was sought by special interests that advocate the dilution of children's privacy so that parents can obtain more information about minors' access to birth control and abortion.

The proposed changes represent a significant departure from prior policy positions held by President Bush. On numerous occasions during his presidential campaign, Bush expressed the view that privacy was a "fundamental right" and said he supported opt-in protections for medical and financial data.

Individuals are encouraged to comment on the proposed changes, and can do so on the HHS web site (see below) until April 26, 2002.

Health and Human Services Privacy Rule Site and Proposed Changes:

     http://www.hhs.gov/ocr/hipaa/

Health Privacy Project:

     http://www.healthprivacy.org/

EPIC's Medical Records Privacy Page:

     http://www.epic.org/privacy/medical/

=======================================================================
[5] EPIC FOIA Request Seeks Homeland Security Documents
=======================================================================

EPIC filed a Freedom of Information Act (FOIA) request last week with the Office of Homeland Security asking for detailed information on Director Tom Ridge's proposal to create a new biometric identity card for air travelers. Director Ridge said in his February 24th speech to the National Governors Association, "I do think that this might be a great opportunity for us to do some work with biometrics, and get a trusted flier program," and that he would be working closely with the new Transportation Security Agency (TSA) in developing this program. In a related matter, EPIC has filed a lawsuit to obtain information from the TSA on its biometric identity card proposal (see EPIC Alert 9.05).

EPIC is also seeking further information about draft legislation that would link the driver's license expiration date to visa status, which the Office of Homeland Security is reported to be preparing for various states to adopt.

Both proposals from the Office of Homeland Security implicate serious privacy and security risks. One proposal contemplates creating a new federally-issued identity card using biometric identification that has significant privacy implications; the other aims at expanding the purpose of a driver's license into a realm that has nothing to do with road safety. There is a strong public interest in understanding how these proposals are being formulated, and assessing the potential privacy implications of such proposals requires full and informed public debate on the design and purpose of the new systems.
EPIC believes that substantive proposals from the Office of Homeland Security involving important constitutional values and rights should be subject to public oversight.

Office of Homeland Security:

     http://www.whitehouse.gov/homeland/

"Ridge: Link Driver's License, Visa," Federal Computer Week, March 15, 2002:

     http://www.fcw.com/geb/articles/2002/0311/web-driver-03-15-02.asp

EPIC's DOT/TSA lawsuit:

     http://www.epic.org/open_gov/foia/DOT_complaint.pdf

=======================================================================
[6] Updated EPIC Public Opinion Page; Industry Privacy Reports Biased
=======================================================================

EPIC has released a newly updated version of its Public Opinion and Privacy Page to reflect survey data that shows such trends as strong support for opt-in privacy protections, as well as the opinion that the current self-regulatory framework is insufficient to protect privacy. Polls from the past few years have increasingly shown that the public wants control over their data; that they believe their privacy would be better protected by comprehensive legislation, not self-regulation; that they value their anonymity on the Internet; and that they fear both government and public-sector abuses of their privacy.

In related developments, a new report by independent privacy consultant Robert Gellman, entitled "Privacy, Consumers, and Costs: How The Lack of Privacy Costs Consumers and Why Business Studies of Privacy Costs are Biased and Incomplete," critiques business studies of privacy and finds that they ignore the costs imposed on consumers and on society by self-regulatory systems for protecting privacy.

EPIC Public Opinion and Privacy Page:

     http://www.epic.org/privacy/survey/

Privacy, Consumers, and Costs: How The Lack of Privacy Costs Consumers and Why Business Studies of Privacy Costs are Biased and Incomplete:

     http://www.epic.org/reports/dmfprivacy.html

=======================================================================
[7] EPIC Bookstore - Free as in Freedom
=======================================================================

FREE AS IN FREEDOM: Richard Stallman's Crusade for Free Software, by Sam Williams (O'Reilly 2002).

     http://www.epic.org/bookstore/powells/redirect/alert906.html

Few who have met Richard Stallman will forget the experience. Passionate, brilliant, and purposeful without bounds, Stallman turns virtually every human interaction into a quest for perfection. His writing in essays such as "The Road to Tycho," a haunting story of a future with perfect copyright control, can be as clear and as exquisite as emacs, the popular word processing program he helped create.

Sam Williams' "Free as in Freedom" captures in substance and form the elegance and precision of Stallman's crusade for Free Software. This is a book that moves with economy through the life of the world's most famous hacker. The love of Chinese food, folk dance, and clever phrases punctuate a quest driven by an unwavering belief that computer code should not be controlled, that innovation requires cooperation.

Williams draws on Steven Levy's "Hackers," the 1984 book that helped popularize the culture of the MIT railway club and the AI lab of the 1970s and early 1980s. Williams, like Levy, helps explain a world of all-nighters, brilliant code, and new frontiers. Many of the young coders today would fit very comfortably in that world, though they would probably require MP3 players and more bandwidth.

Williams provides an interesting glimpse of Richard's early years.
His gentle and illuminating description of the relationship between Stallman and his mother contrasts sharply with another famous story of a mother and her child prodigy. Bobby Fischer's mother was filled with rage and a fierce anti-semitism that she passed on to her son. Fischer's career was almost the antithesis of the John Nash character portrayed in "A Beautiful Mind." Fischer battled real enemies during the Cold War, when the Russians feared the loss of their chess dominance, but he never earned the same level of regard from his colleagues as Nash would with the receipt of the Nobel Prize. In the end, Fischer's achievement was well established in the chess world, but his life's work lacked the humanism which has so clearly made Stallman a folk hero in the computer world.

More than any person, Stallman came to exemplify the spirit of brilliant programmer and political crusader. Stallman's philosophy also gave way to the General Public License, a wonderfully subversive legal contract that prevents free software from being bound to proprietary software.

In the lore of American technical prowess, Henry Ford, Alexander Graham Bell, and Thomas Edison stand as giants for their contributions to scientific invention and the American economy. But perhaps it is Richard Stallman who found in the freedom to innovate not only a path to progress, but also a political philosophy that stretches back to Benjamin Franklin and Thomas Jefferson, the true American inventor.

- Marc Rotenberg

The Right to Read (The Road to Tycho)

     http://www.gnu.org/philosophy/right-to-read.html

================================

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Laws and Developments," (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/phr2001/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world.
The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

================================

"The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001). Price: $40.
http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world.
The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore/

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Music and Theft: Sampling, Technology, and the Law. Duke Law School, with funding from the Ford Foundation and the Center for the Public Domain. March 30, 2002. For more information: http://www.law.duke.edu/musicandtheft/

The International Security, Trust and Privacy Alliance (ISTPA) Annual Members Meeting: Digital Identity Services - Issues & Challenges. April 8-10, 2002. Santa Clara, CA. For more information: http://www.istpa.org/

Consumer Protection Issues in 2002 and Beyond. Association of the Bar of the City of New York, Committee on Consumer Affairs. April 11, 2002. New York, NY. For more information: avernick@fgkks.com

The 27th Annual AAAS Colloquium on Science and Technology Policy: Science and Technology in a Vulnerable World: Rethinking Our Roles. American Association for the Advancement of Science. April 11-12, 2002. Washington, DC. For more information: http://www.aaas.org/spp/dspp/rd/colloqu.htm

Workshop on Privacy Enhancing Technologies. April 14-15, 2002. San Francisco, CA. For more information: http://www.pet2002.org/

CFP 2002: The Twelfth Conference on Computers, Freedom & Privacy. April 16-19, 2002. San Francisco, CA. For more information: http://www.cfp2002.org/

4th Annual MIT Sloan eBusiness Awards.
Massachusetts Institute of Technology, Sloan School of Management. April 17, 2002. Cambridge, MA. For more information: http://www.mitawards.org/home.asp

4th National HIPAA Summit: The Leading Forum on Healthcare Privacy, Confidentiality, Data Security and HIPAA Compliance. April 24-26, 2002. Washington, DC. For more information: http://www.hipaasummit.com/

2002 IEEE Symposium on Security and Privacy. IEEE and the International Association for Cryptologic Research. May 12-15, 2002. Oakland, CA. For more information: http://www.ieee-security.org/TC/SP02/sp02index.html

Information Integrity World Summit. The Hands-On Summit to Protect Your Organization: Overcoming Cyber-security and E-Privacy Threats. Information Integrity. May 15-16, 2002. Washington, DC. For more information: http://www.411integrity.com/live/80/events/80II102

Privacy Law: Emerging Issues in Employee and Consumer Relations. CLE International. May 16-17, 2002. Los Angeles, CA. For more information: http://www.cle.com/upcoming/laxpri02.shtml

Personal Privacy in the Digital Age: The Challenge for State and Local Governments. Joint Center for eGovernance. May 19-21, 2002. Arlington, VA. For more information: http://www.conted.vt.edu/privacy/agenda.htm

Call For Papers - June 1, 2002 (special recognition for outstanding student papers). 18th Annual Computer Security Applications Conference (ACSAC): Practical Solutions to Real Security Problems. Applied Computer Security Associates. December 9-13, 2002. Las Vegas, Nevada. For more information: http://www.acsac.org/

INET 2002. Internet Crossroads: Where Technology and Policy Intersect. Internet Society. June 18-21, 2002. Washington, DC. For more information: http://www.inet2002.org/

IViR International Copyright Law Summer Course. Royal Netherlands Academy of Arts and Sciences. July 8-12, 2002. Amsterdam, Netherlands. For more information: http://www.ivir.nl/

Privacy2002. Technology Policy Group. September 24-26, 2002. Cleveland, OH.
For more information: http://www.privacy2000.org/privacy02/index.shtml

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via email:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe"

Back issues are available at:

     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription email address, or if you have any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research.
For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

     http://www.epic.org/donate/

=======================================================================

Drink coffee, support civil liberties, get a tax deduction, and learn Latin at the same time! Receive a free epic.org "sed quis custodiet ipsos custodes?" coffee mug with donation of $75 or more.

=======================================================================

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 9.06 -----------------------