EPIC logo

        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
    Volume 9.07                                     April 11, 2002
                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.
Table of Contents

[1] Microsoft Backs Down, Privacy & Security Risks Bury Hailstorm
[2] Colorado Upholds Rights of Anonymity, Privacy in Bookseller Records
[3] EPIC Files Suit Against Office of Homeland Security
[4] EPIC Files Comments on the Telemarketing Sales Rule
[5] Anti-Consumer DoubleClick Settlement Proposed
[6] EPIC Advocates Anonymity in Internet Broadcast Listening
[7] EPIC Bookstore - Fahrenheit 451
[8] Upcoming Conferences and Events

[1] Microsoft Backs Down, Privacy & Security Risks Bury Hailstorm

As of today, Microsoft has abandoned its Hailstorm or "My Services"
platform because of privacy and security risks inherent in centralized
storage of personal information.  Additionally, Microsoft was unable
to find partner companies that were willing to use the Hailstorm
system for collecting information on consumers.  Microsoft's Hailstorm
is a system of remotely accessible services that were dependent upon
identification of Internet users and storage of their personal data.

In July and August 2001, EPIC and fifteen leading consumer
organizations filed complaints with the Federal Trade Commission (FTC)
alleging that Hailstorm and its related services violated federal
consumer protection laws.  The groups argued that Microsoft's system
would give the company unprecedented ability to track and profile over
200 million Passport accounts as users browsed the internet and
engaged in e-commerce.

Despite Microsoft's claims to the contrary, user privacy and security
were not protected by Hailstorm.  After filing the complaints,
security problems with Hailstorm's services emerged continuously.

Now, Microsoft plans to sell Hailstorm to individual companies,
allowing decentralized building of "data centers."  EPIC will continue
to monitor the development of Hailstorm and pursue actions with
federal authorities if necessary.

EPIC Sign Out of Passport Page:


Microsoft Has Shelved Its Internet 'Persona' Service, New York Times,
Apr. 11, 2002:


[2] Colorado Upholds Rights of Anonymity, Privacy in Bookseller Records

In a First Amendment case with national significance, the Colorado
Supreme Court ruled this week that a Denver bookstore does not have to
give sales records to police seeking information in a drug

The case arose after Tattered Cover, a Denver-based bookstore,
challenged a court order for book purchase records.  The local drug
task force police sought the records after finding a Tattered Cover
Book Store envelope containing a methamphetamine lab and drug-making
"how-to" books outside a mobile home they raided in Denver. The
envelope was printed with an invoice number and the trailer's address,
but no name.  The investigators requested a list of the customer's
book purchases over a 30-day period as well as information about the
specific invoice.

A Denver district judge initially ordered Tattered Cover Book Store
owner Joyce Meskis to tell police who purchased two books on drug
manufacturing from her store.  Tattered Cover argued that requiring
booksellers to turn over this information would chill speech by making
customers afraid to purchase controversial titles.  The bookstore
urged the court to follow the lead of a federal court in Washington,
DC, which ruled in 1998 -- when independent counsel Kenneth Starr
subpoenaed Monica Lewinsky's book buying records while investigating
President Bill Clinton's relationship with the former intern -- that
customer records enjoy First Amendment protection and can be
subpoenaed only if the police demonstrate a “compelling need” for them.

The state Supreme Court, in a 51-page opinion overturning the district
court opinion, recognized that the First Amendment and a section of
the Colorado Constitution "protect an individual's fundamental right
to purchase books anonymously, free from governmental interference."
Customer purchase records enjoy First Amendment protection and may
only be disclosed to the police if there is a "compelling need" that
outweighs the interests of the customers.  The court concluded that,
in this case, the law enforcement need was not sufficiently compelling
to outweigh the harm threatened, in part because law enforcement
officials sought the purchase record for reasons related to the
contents of the books that the suspect may have purchased, and in part
because the police had reasonable alternative measures of
investigation at their disposal.

The court also set a high standard for similar cases in the future by
ruling that bookstores "must be afforded an opportunity for a hearing
prior to the execution of any search warrant" seeking customers'
book-buying records.

Although the decision applies only to the Colorado courts, it will
have national significance, as the opinion has been the strongest
statement by any court to date on the importance of protecting
customer privacy in bookstores.

Tattered Cover, Inc. v. City of Thornton, Colorado Supreme Court

EPIC’s Page on Free Speech and Anonymity:


[3] EPIC Files Suit Against Office of Homeland Security

EPIC filed suit last week against the Office of Homeland Security
(OHS), seeking the expedited release of documents concerning the
development of a national identification system.  These documents were
the subject of a Freedom of Information Act (FOIA) request in March
(see Alert 9.06).  The suit is filed in the District Court for the
District of Columbia (EPIC v. OHS, Civil Action No. 02-0620).  At
issue is a critical test of open government.  Under well-established
open record laws, an organization with the policymaking powers of the
Office of Homeland Security has an obligation to the American people
to ensure that their decision-making is subject to public oversight. 
The administration will shortly need to take a position on whether the
OHS is subject to FOIA.

In a related effort, congressional leaders have been battling the
administration to have OHS Director Tom Ridge testify before the
appropriations committees.  The nation is being asked to spend $38
billion on homeland security, and there is an urgent need to install a
proper structure of accountability and oversight so that this money is
spent appropriately.  A number of potentially privacy-invasive schemes
might receive support in the budget, and it is vital that the public
have the opportunity to participate in an informed debate before new
measures are approved.  EPIC has written to Senate and House leaders
in support of their efforts to exercise oversight over Ridge's new
office, and to apprise them of the EPIC lawsuit.

EPIC's new page on Government Oversight and Homeland Security:


EPIC v. Office of Homeland Security, filed April 2, 2002, D.C. Dist.


[4] EPIC Files Comments on the Telemarketing Sales Rule

EPIC and thirteen leading consumer advocacy groups have filed comments
with the Federal Trade Commission (FTC) on proposed changes to the
Telemarketing Sales Rule (TSR).  The TSR governs how many
telemarketers make calls to individuals' homes.  The proposed changes
to the TSR would create a national do-not-call (DNC) list, a
prohibition on the purchase of pre-acquired account data, new
restrictions on blocking or altering Caller ID, and many new consumer
protections for individuals who make purchases from telemarketers.

EPIC's comments advocate the creation of a DNC list that would allow
individuals to opt-out from telemarketing.  Enrollment in this list
should be possible by postal mail, a toll-free call, or by submission
of telephone numbers over the Internet.  This national DNC list would
supplement state lists rather than replace them.

The comments also argue forcefully for placing an affirmative
obligation on telemarketers to send accurate Caller ID information
with each sales call.  Currently, most telemarketers do not block or
alter Caller ID information.  Instead, they purchase a phone service
that ordinarily does not transmit Caller ID information.  The FTC's
proposed change would not address this common method of circumventing
the transmission of Caller ID.

Unfortunately, the FTC's regulation of telemarketers will not apply to
common carriers (such as phone companies and airlines), banks, or
insurance companies.  To remedy this, EPIC has commented that the FTC
should coordinate with other federal agencies to broaden the scope of
protections against telemarketing for individuals.

Individuals can comment on the proposed changes to the TSR until April
15, 2002.  Instructions for submitting comments are available on the
EPIC Telemarketing Page.

EPIC's Comments on Proposed Changes to the Telemarketing Sales Rule:


EPIC Telemarketing Page:


[5] Anti-Consumer DoubleClick Settlement Proposed

On March 28, Internet advertising company DoubleClick Inc, agreed to
settle federal and state class action lawsuits pending against it for
online privacy violations.  Under the proposed settlement issued by a
New York federal district court, DoubleClick will, among other things,
be required to provide easy-to-read explanations of its online
collection practices in its privacy policy; to conduct a public
information banner ad campaign, consisting of 300 million banner
advertisements containing information on how to protect privacy; to
set their cookies to expire within five years; and to institute
policies for the protection and routine purging of personal
information. DoubleClick also agreed to pay up to $1.8 million in
costs and fees to the 31 law firms representing the plaintiffs.  The
settlement class includes "[a]ll persons in the United States who have
had any information about their computers or about them gathered by
DoubleClick as a result of their Internet activity or who have had
DoubleClick cookies placed upon their computers or browsers from
January 1, 1996 through and including March 28, 2002."  A Court
hearing to approve the settlement will be held on May 21, 2002. 
Persons who wish to object to the terms of the settlement must file a
written submission with the Court no later than May 6, 2002.

The class action lawsuits focused on DoubleClick's plans to link
personally identifiable information to the detailed profiles it had
created on Internet users by relying on tracking technologies such as
cookies and web bugs.  These plans were revealed in January 2000 and
led EPIC to file a formal complaint with the Federal Trade Commission.
The complaint alleged that DoubleClick's intention to merge these two
databases violated its previous assurances that information collected
on Internet users would remain anonymous, and therefore amounted to an
unfair and deceptive practice.  EPIC does not regard the proposed
settlement as sufficient to ensure the protection of personal
information online, and believes that legislation is needed to prevent
companies from abusing their customers' data in the future.

In the absence of progress at the federal level, there are indications
that this kind of legislation may be coming from the states.  A bill
is currently pending before the Minnesota legislature which would
prohibit Internet Service Providers (ISPs) from disclosing their
customers' personal information to third parties.  This would make it
the first state in the country to restrict the sale of information
about Internet users.

Proposed DoubleClick settlement:


Background on EPIC's complaint about DoubleClick:


News coverage of the Minnesota bill is available at:


[6] EPIC Advocates Anonymity in Internet Broadcast Listening

On April 5, EPIC joined the Electronic Frontier Foundation (EFF) in
submitting comments to the U.S. Copyright Office on changes to
copyright regulation that would endanger the privacy of Internet radio
listeners.  The proposed regulations would require webcasting services
to collect and share listeners' information, including the country
location, time zone, log-in time, channel, and the unique identifier
assigned to the listener.

EFF, EPIC, the Fresno Free College Foundation, KFCF (88.1 FM), and
KPFA radio argue that no collection of personal data is required by
the law or in practice for the purposes of determining the number and
type of songs consumed by listeners. The goals sought by the Copyright
Office could be met by simply collecting aggregate data on listeners'

Content providers increasingly are using copyright restrictions as
justification for tracking individuals and their choices in media
consumption.  In addition to tracking and reporting requirements,
content owners have developed new digital restriction technologies
that tie individuals' identities to the music, books, and video that
they consume.  These technologies can enable unprecedented profiling
of individuals and their tastes in music, books, and ideas themselves.

Individuals can file reply comments until April 26, 2002 on the
ability of individuals to hear webcasts anonymously by visiting the
U.S. Copyright Office page linked below.

Joint Comments on Internet Broadcasts and Anonymity:


EPIC's Digital Rights Management and Privacy Page:


U.S. Copyright Office: Notice and Recordkeeping for Use of Sound
Recordings Under Statutory License:


[7] EPIC Bookstore - Fahrenheit 451

Fahrenheit 451, by Ray Bradbury.


It seemed both appropriate and ironical to review Ray Bradbury's
Fahrenheit 451 at this point in time.  Earlier this month the US
Congress began consideration of a bill that would ban the unauthorized
reproduction of digital works.  At almost the same time, federal
prosecutors urged a court in Philadelphia to require technology in
public libraries that would block access to information that some
consider offensive.

There is no kerosene dripping from the pages of books in Washington or
Philadelphia, but digital words would not burn.  The methods of
eradication must be more subtle, the technique more sophisticated.

It is tempting when reading Bradbury's classic work on censorship to
draw parallels to book burnings from an earlier era, to make the
obvious connection between the firemen in Bradbury's novel who set
aflame houses that contained the printed word and those who gathered
not so long ago to burn the words of Albert Einstein, Thomas Mann,
Marcel Proust, Margaret Sanger, and H.G. Wells.

But Fahrenheit 451 is not simply about book burning.  This is a world
where the culture of censorship has permeated the public and the
private.  There is no intellectual life.  There is no political life.
Interactive broadband technology provides endless entertainment
through the full-screen images that appear on the walls of a parlor
room.  Words of meaning cannot be transmitted in any physical media.
They must be memorized and passed on as they were before the printing
press, before the written word.

The protagonist Guy Montag, a fireman who will disavow his profession,
confronts this reality in a series of encounters.  First with a young
woman who asks questions he cannot answer.  Then with an old teacher
who recalls a past that cannot be recorded.  And finally with his
boss, the Chief Firefighter who can quote Pope, Milton and Shaw, and
then smile as a house and its contents are engulfed in flames.

Montag's future is not without hope.  He will fare better than
Orwell's Winston, Kafka's K, or the Prisoner before Dostoevsky's Grand
Inquisitor.  Still, the reconstruction of culture, literature, and
history once recorded words are banished cannot be assumed.  When a
single person can recall only one essay of Thoreau's or a chapter from
Bertrand Russell, the unique quality of information -- its ability to
flow without bounds -- is effectively exterminated.

Perhaps it is unfair to compare the current legislative efforts to
protect copyright interests or to prevent children from being exposed
to images and words that are beyond their years with the unambiguous
horror of burning a book because of the ideas contained inside.  But
technology does not make such distinctions, and capability creates
opportunity.  Already software filters have been turned on
controversial ideas and unpopular organizations.  And new copyright
techniques will digitally incinerate recorded words that might
otherwise be widely available.

In this year when many city mayors are urging residents to share the
experience of reading a common book, Los Angeles Mayor Jim Hahn has
asked those in L.A. to read Fahrenheit 451.  And Ray Bradbury's
presence last week at a new mid-Wilshire bookstore, more than fifty
years after the first publication of Fahrenheit 451, is a powerful
reminder of the value of the written word.

 - Marc Rotenberg
EPIC Publications:
"Privacy & Human Rights 2001: An International Survey of Privacy Laws
and Developments," (EPIC 2001). Price: $20.
This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including, data protection, telephone
tapping, genetic databases, ID systems and freedom of information
"The Privacy Law Sourcebook 2001: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40. http://www.epic.org/bookstore/pls2001/
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.
"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.
"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
     EPIC Bookstore
     "EPIC Bookshelf" at Powell's Books
[8] Upcoming Conferences and Events

Public Workshop: Your Freedom of Information and Privacy Rights: How
to use Canadian laws to get access to information and protect your
privacy. BC Freedom of Information and Privacy Association. April 11,
2002. Vancouver, BC, Canada. For more information: info@fipa.bc.ca

Public Forum: Access to Legal and Government Information in the "New
Era." BC Freedom of Information and Privacy Association. April 12,
2002. Vancouver, BC, Canada. For more information: office@bcla.bc.ca

The 27th Annual AAAS Colloquium on Science and Technology Policy:
Science and Technology in a Vulnerable World: Rethinking Our Roles.
American Association for the Advancement of Science. April 11-12,
2002. Washington, DC. For more information:

Workshop on Privacy Enhancing Technologies. April 14-15, 2002. San
Francisco, CA. For more information: http://www.pet2002.org/

CFP 2002: The Twelfth Conference on Computers, Freedom & Privacy.
April 16-19, 2002. San Francisco, CA. For more information:

4th Annual MIT Sloan eBusiness Awards. Massachusetts Institute of
Technology, Sloan School of Management. April 17, 2002. Cambridge, MA.
For more information: http://www.mitawards.org/home.asp

Digital Landscapes: Redrawing the Boundaries in Entertainment, Media
and the Law. Stanford Law & Technology Association, Stanford
Entertainment & Sports Law Association, and Stanford Technology Law
Review. April 20, 2002. Stanford, CA. For more information:

4th National HIPAA Summit: The Leading Forum on Healthcare Privacy,
Confidentiality, Data Security and HIPAA Compliance. April 24-26,
2002. Washington, DC. For more information:

Conference on Cyber Security and Disclosure. Stanford Law School
Center for Internet and Society. May 9, 2002. Stanford, CA. For more
information: http://cyberlaw.stanford.edu/

2002 IEEE Symposium on Security and Privacy. IEEE and the
International Association for Cryptologic Research. May 12-15, 2002.
Oakland, CA. For more information:

Information Integrity World Summit. The Hands-On Summit to Protect
Your Organization: Overcoming Cyber-security and E-Privacy Threats.
Information Integrity. May 15-16, 2002. Washington, DC. For more
information: http://www.411integrity.com/live/80/events/80II102

Privacy Law: Emerging Issues in Employee and Consumer Relations. CLE
International. May 16-17, 2002. Los Angeles, CA. For more information:

Personal Privacy in the Digital Age: The Challenge for State and Local
Governments. Joint Center for eGovernance. May 19-21, 2002. Arlington,
VA. For more information: http://www.conted.vt.edu/privacy/agenda.htm

Call For Papers - June 1, 2002 (special recognition for outstanding
student papers). 18th Annual Computer Security Applications Conference
(ACSAC): Practical Solutions to Real Security Problems. Applied
Computer Security Associates. December 9-13, 2002. Las Vegas, Nevada.
For more information: http://www.acsac.org/

INET 2002. Internet Crossroads: Where Technology and Policy Intersect.
Internet Society. June 18-21, 2002. Washington, DC. For more
information: http://www.inet2002.org/

IViR International Copyright Law Summer Course. Royal Netherlands
Academy of Arts and Sciences. July 8-12, 2002. Amsterdam, Netherlands.
For more information: http://www.ivir.nl/

Privacy2002. Technology Policy Group. September 24-26, 2002.
Cleveland, OH. For more information:

Subscription Information
Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:
     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)
Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)
Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription email address, or if you have any
other questions.
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learn
Latin at the same time!  Receive a free epic.org "sed quis custodiet
ipsos custodes?" coffee mug with donation of $75 or more.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
   ---------------------- END EPIC Alert 9.07 -----------------------