==============================================================

E P I C   A l e r t

==============================================================
Volume 9.07                                     April 11, 2002
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_9.07.html

=======================================================================
Table of Contents
=======================================================================

[1] Microsoft Backs Down, Privacy & Security Risks Bury Hailstorm
[2] Colorado Upholds Rights of Anonymity, Privacy in Bookseller Records
[3] EPIC Files Suit Against Office of Homeland Security
[4] EPIC Files Comments on the Telemarketing Sales Rule
[5] Anti-Consumer DoubleClick Settlement Proposed
[6] EPIC Advocates Anonymity in Internet Broadcast Listening
[7] EPIC Bookstore - Fahrenheit 451
[8] Upcoming Conferences and Events

=======================================================================
[1] Microsoft Backs Down, Privacy & Security Risks Bury Hailstorm
=======================================================================

As of today, Microsoft has abandoned its Hailstorm or "My Services" platform because of privacy and security risks inherent in centralized storage of personal information. Additionally, Microsoft was unable to find partner companies that were willing to use the Hailstorm system for collecting information on consumers.

Microsoft's Hailstorm is a system of remotely accessible services that were dependent upon identification of Internet users and storage of their personal data.
In July and August 2001, EPIC and fifteen leading consumer organizations filed complaints with the Federal Trade Commission (FTC) alleging that Hailstorm and its related services violated federal consumer protection laws. The groups argued that Microsoft's system would give the company unprecedented ability to track and profile over 200 million Passport accounts as users browsed the internet and engaged in e-commerce.

Despite Microsoft's claims to the contrary, user privacy and security were not protected by Hailstorm. After filing the complaints, security problems with Hailstorm's services emerged continuously.

Now, Microsoft plans to sell Hailstorm to individual companies, allowing decentralized building of "data centers." EPIC will continue to monitor the development of Hailstorm and pursue actions with federal authorities if necessary.

EPIC Sign Out of Passport Page:

     http://www.epic.org/privacy/consumer/microsoft/

Microsoft Has Shelved Its Internet 'Persona' Service, New York Times, Apr. 11, 2002:

     http://www.nytimes.com/2002/04/11/technology/ebusiness/11NET.html

=======================================================================
[2] Colorado Upholds Rights of Anonymity, Privacy in Bookseller Records
=======================================================================

In a First Amendment case with national significance, the Colorado Supreme Court ruled this week that a Denver bookstore does not have to give sales records to police seeking information in a drug investigation.

The case arose after Tattered Cover, a Denver-based bookstore, challenged a court order for book purchase records. The local drug task force police sought the records after finding a Tattered Cover Book Store envelope containing a methamphetamine lab and drug-making "how-to" books outside a mobile home they raided in Denver. The envelope was printed with an invoice number and the trailer's address, but no name.
The investigators requested a list of the customer's book purchases over a 30-day period as well as information about the specific invoice. A Denver district judge initially ordered Tattered Cover Book Store owner Joyce Meskis to tell police who purchased two books on drug manufacturing from her store.

Tattered Cover argued that requiring booksellers to turn over this information would chill speech by making customers afraid to purchase controversial titles. The bookstore urged the court to follow the lead of a federal court in Washington, DC, which ruled in 1998 -- when independent counsel Kenneth Starr subpoenaed Monica Lewinsky's book buying records while investigating President Bill Clinton's relationship with the former intern -- that customer records enjoy First Amendment protection and can be subpoenaed only if the police demonstrate a “compelling need” for them.

The state Supreme Court, in a 51-page opinion overturning the district court opinion, recognized that the First Amendment and a section of the Colorado Constitution "protect an individual's fundamental right to purchase books anonymously, free from governmental interference." Customer purchase records enjoy First Amendment protection and may only be disclosed to the police if there is a "compelling need" that outweighs the interests of the customers.

The court concluded that, in this case, the law enforcement need was not sufficiently compelling to outweigh the harm threatened, in part because law enforcement officials sought the purchase record for reasons related to the contents of the books that the suspect may have purchased, and in part because the police had reasonable alternative measures of investigation at their disposal. The court also set a high standard for similar cases in the future by ruling that bookstores "must be afforded an opportunity for a hearing prior to the execution of any search warrant" seeking customers' book-buying records.
Although the decision applies only to the Colorado courts, it will have national significance, as the opinion has been the strongest statement by any court to date on the importance of protecting customer privacy in bookstores.

Tattered Cover, Inc. v. City of Thornton, Colorado Supreme Court Opinion:

     http://www.cobar.org/CFwebFiles/Content/dspOpinion.cfm?OpinionID=560

EPIC’s Page on Free Speech and Anonymity:

     http://www.epic.org/free_speech/default.html#anonymity

=======================================================================
[3] EPIC Files Suit Against Office of Homeland Security
=======================================================================

EPIC filed suit last week against the Office of Homeland Security (OHS), seeking the expedited release of documents concerning the development of a national identification system. These documents were the subject of a Freedom of Information Act (FOIA) request in March (see Alert 9.06). The suit is filed in the District Court for the District of Columbia (EPIC v. OHS, Civil Action No. 02-0620).

At issue is a critical test of open government. Under well-established open record laws, an organization with the policymaking powers of the Office of Homeland Security has an obligation to the American people to ensure that their decision-making is subject to public oversight. The administration will shortly need to take a position on whether the OHS is subject to FOIA.

In a related effort, congressional leaders have been battling the administration to have OHS Director Tom Ridge testify before the appropriations committees. The nation is being asked to spend $38 billion on homeland security, and there is an urgent need to install a proper structure of accountability and oversight so that this money is spent appropriately.
A number of potentially privacy-invasive schemes might receive support in the budget, and it is vital that the public have the opportunity to participate in an informed debate before new measures are approved. EPIC has written to Senate and House leaders in support of their efforts to exercise oversight over Ridge's new office, and to apprise them of the EPIC lawsuit.

EPIC's new page on Government Oversight and Homeland Security:

     http://www.epic.org/open_gov/homeland/

EPIC v. Office of Homeland Security, filed April 2, 2002, D.C. Dist. Ct.:

     http://www.epic.org/open_gov/foia/ohs_complaint.pdf

=======================================================================
[4] EPIC Files Comments on the Telemarketing Sales Rule
=======================================================================

EPIC and thirteen leading consumer advocacy groups have filed comments with the Federal Trade Commission (FTC) on proposed changes to the Telemarketing Sales Rule (TSR). The TSR governs how many telemarketers make calls to individuals' homes. The proposed changes to the TSR would create a national do-not-call (DNC) list, a prohibition on the purchase of pre-acquired account data, new restrictions on blocking or altering Caller ID, and many new consumer protections for individuals who make purchases from telemarketers.

EPIC's comments advocate the creation of a DNC list that would allow individuals to opt-out from telemarketing. Enrollment in this list should be possible by postal mail, a toll-free call, or by submission of telephone numbers over the Internet. This national DNC list would supplement state lists rather than replace them.

The comments also argue forcefully for placing an affirmative obligation on telemarketers to send accurate Caller ID information with each sales call. Currently, most telemarketers do not block or alter Caller ID information. Instead, they purchase a phone service that ordinarily does not transmit Caller ID information.
The FTC's proposed change would not address this common method of circumventing the transmission of Caller ID.

Unfortunately, the FTC's regulation of telemarketers will not apply to common carriers (such as phone companies and airlines), banks, or insurance companies. To remedy this, EPIC has commented that the FTC should coordinate with other federal agencies to broaden the scope of protections against telemarketing for individuals.

Individuals can comment on the proposed changes to the TSR until April 15, 2002. Instructions for submitting comments are available on the EPIC Telemarketing Page.

EPIC's Comments on Proposed Changes to the Telemarketing Sales Rule:

     http://www.epic.org/privacy/telemarketing/tsrcomments.html

EPIC Telemarketing Page:

     http://www.epic.org/privacy/telemarketing/

=======================================================================
[5] Anti-Consumer DoubleClick Settlement Proposed
=======================================================================

On March 28, Internet advertising company DoubleClick Inc. agreed to settle federal and state class action lawsuits pending against it for online privacy violations. Under the proposed settlement issued by a New York federal district court, DoubleClick will, among other things, be required to provide easy-to-read explanations of its online collection practices in its privacy policy; to conduct a public information banner ad campaign, consisting of 300 million banner advertisements containing information on how to protect privacy; to set their cookies to expire within five years; and to institute policies for the protection and routine purging of personal information. DoubleClick also agreed to pay up to $1.8 million in costs and fees to the 31 law firms representing the plaintiffs.
The settlement class includes "[a]ll persons in the United States who have had any information about their computers or about them gathered by DoubleClick as a result of their Internet activity or who have had DoubleClick cookies placed upon their computers or browsers from January 1, 1996 through and including March 28, 2002." A Court hearing to approve the settlement will be held on May 21, 2002. Persons who wish to object to the terms of the settlement must file a written submission with the Court no later than May 6, 2002.

The class action lawsuits focused on DoubleClick's plans to link personally identifiable information to the detailed profiles it had created on Internet users by relying on tracking technologies such as cookies and web bugs. These plans were revealed in January 2000 and led EPIC to file a formal complaint with the Federal Trade Commission. The complaint alleged that DoubleClick's intention to merge these two databases violated its previous assurances that information collected on Internet users would remain anonymous, and therefore amounted to an unfair and deceptive practice.

EPIC does not regard the proposed settlement as sufficient to ensure the protection of personal information online, and believes that legislation is needed to prevent companies from abusing their customers' data in the future. In the absence of progress at the federal level, there are indications that this kind of legislation may be coming from the states. A bill is currently pending before the Minnesota legislature which would prohibit Internet Service Providers (ISPs) from disclosing their customers' personal information to third parties. This would make it the first state in the country to restrict the sale of information about Internet users.
Proposed DoubleClick settlement:

     http://settlement.doubleclick.net/settlement/

Background on EPIC's complaint about DoubleClick:

     http://www.epic.org/doubletrouble/

News coverage of the Minnesota bill is available at:

     http://www.startribune.com/stories/535/2218646.html

=======================================================================
[6] EPIC Advocates Anonymity in Internet Broadcast Listening
=======================================================================

On April 5, EPIC joined the Electronic Frontier Foundation (EFF) in submitting comments to the U.S. Copyright Office on changes to copyright regulation that would endanger the privacy of Internet radio listeners. The proposed regulations would require webcasting services to collect and share listeners' information, including the country location, time zone, log-in time, channel, and the unique identifier assigned to the listener.

EFF, EPIC, the Fresno Free College Foundation, KFCF (88.1 FM), and KPFA radio argue that no collection of personal data is required by the law or in practice for the purposes of determining the number and type of songs consumed by listeners. The goals sought by the Copyright Office could be met by simply collecting aggregate data on listeners' consumption.

Content providers increasingly are using copyright restrictions as justification for tracking individuals and their choices in media consumption. In addition to tracking and reporting requirements, content owners have developed new digital restriction technologies that tie individuals' identities to the music, books, and video that they consume. These technologies can enable unprecedented profiling of individuals and their tastes in music, books, and ideas themselves.

Individuals can file reply comments until April 26, 2002 on the ability of individuals to hear webcasts anonymously by visiting the U.S. Copyright Office page linked below.
Joint Comments on Internet Broadcasts and Anonymity:

     http://www.eff.org/IP/Audio/20020405_joint_co_comments.html

EPIC's Digital Rights Management and Privacy Page:

     http://www.epic.org/privacy/drm/

U.S. Copyright Office: Notice and Recordkeeping for Use of Sound Recordings Under Statutory License:

     http://www.loc.gov/copyright/carp/114/comments.html

=======================================================================
[7] EPIC Bookstore - Fahrenheit 451
=======================================================================

Fahrenheit 451, by Ray Bradbury.

     http://www.epic.org/bookstore/powells/redirect/alert907.html

It seemed both appropriate and ironical to review Ray Bradbury's Fahrenheit 451 at this point in time. Earlier this month the US Congress began consideration of a bill that would ban the unauthorized reproduction of digital works. At almost the same time, federal prosecutors urged a court in Philadelphia to require technology in public libraries that would block access to information that some consider offensive. There is no kerosene dripping from the pages of books in Washington or Philadelphia, but digital words would not burn. The methods of eradication must be more subtle, the technique more sophisticated.

It is tempting when reading Bradbury's classic work on censorship to draw parallels to book burnings from an earlier era, to make the obvious connection between the firemen in Bradbury's novel who set aflame houses that contained the printed word and those who gathered not so long ago to burn the words of Albert Einstein, Thomas Mann, Marcel Proust, Margaret Sanger, and H.G. Wells.

But Fahrenheit 451 is not simply about book burning. This is a world where the culture of censorship has permeated the public and the private. There is no intellectual life. There is no political life. Interactive broadband technology provides endless entertainment through the full-screen images that appear on the walls of a parlor room.
Words of meaning cannot be transmitted in any physical media. They must be memorized and passed on as they were before the printing press, before the written word.

The protagonist Guy Montag, a fireman who will disavow his profession, confronts this reality in a series of encounters. First with a young woman who asks questions he cannot answer. Then with an old teacher who recalls a past that cannot be recorded. And finally with his boss, the Chief Firefighter who can quote Pope, Milton and Shaw, and then smile as a house and its contents are engulfed in flames.

Montag's future is not without hope. He will fare better than Orwell's Winston, Kafka's K, or the Prisoner before Dostoevsky's Grand Inquisitor. Still, the reconstruction of culture, literature, and history once recorded words are banished cannot be assumed. When a single person can recall only one essay of Thoreau's or a chapter from Bertrand Russell, the unique quality of information -- its ability to flow without bounds -- is effectively exterminated.

Perhaps it is unfair to compare the current legislative efforts to protect copyright interests or to prevent children from being exposed to images and words that are beyond their years with the unambiguous horror of burning a book because of the ideas contained inside. But technology does not make such distinctions, and capability creates opportunity. Already software filters have been turned on controversial ideas and unpopular organizations. And new copyright techniques will digitally incinerate recorded words that might otherwise be widely available.

In this year when many city mayors are urging residents to share the experience of reading a common book, Los Angeles Mayor Jim Hahn has asked those in L.A. to read Fahrenheit 451. And Ray Bradbury's presence last week at a new mid-Wilshire bookstore, more than fifty years after the first publication of Fahrenheit 451, is a powerful reminder of the value of the written word.
- Marc Rotenberg

================================

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Laws and Developments," (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/phr2001/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

================================

"The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001). Price: $40.
http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.
================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore/

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Public Workshop: Your Freedom of Information and Privacy Rights: How to use Canadian laws to get access to information and protect your privacy. BC Freedom of Information and Privacy Association. April 11, 2002. Vancouver, BC, Canada. For more information: info@fipa.bc.ca

Public Forum: Access to Legal and Government Information in the "New Era." BC Freedom of Information and Privacy Association. April 12, 2002. Vancouver, BC, Canada. For more information: office@bcla.bc.ca

The 27th Annual AAAS Colloquium on Science and Technology Policy: Science and Technology in a Vulnerable World: Rethinking Our Roles. American Association for the Advancement of Science. April 11-12, 2002. Washington, DC. For more information: http://www.aaas.org/spp/dspp/rd/colloqu.htm

Workshop on Privacy Enhancing Technologies. April 14-15, 2002. San Francisco, CA. For more information: http://www.pet2002.org/

CFP 2002: The Twelfth Conference on Computers, Freedom & Privacy. April 16-19, 2002. San Francisco, CA.
For more information: http://www.cfp2002.org/

4th Annual MIT Sloan eBusiness Awards. Massachusetts Institute of Technology, Sloan School of Management. April 17, 2002. Cambridge, MA. For more information: http://www.mitawards.org/home.asp

Digital Landscapes: Redrawing the Boundaries in Entertainment, Media and the Law. Stanford Law & Technology Association, Stanford Entertainment & Sports Law Association, and Stanford Technology Law Review. April 20, 2002. Stanford, CA. For more information: http://www.law.stanford.edu/slata/digital_landscapes/

4th National HIPAA Summit: The Leading Forum on Healthcare Privacy, Confidentiality, Data Security and HIPAA Compliance. April 24-26, 2002. Washington, DC. For more information: http://www.hipaasummit.com/

Conference on Cyber Security and Disclosure. Stanford Law School Center for Internet and Society. May 9, 2002. Stanford, CA. For more information: http://cyberlaw.stanford.edu/

2002 IEEE Symposium on Security and Privacy. IEEE and the International Association for Cryptologic Research. May 12-15, 2002. Oakland, CA. For more information: http://www.ieee-security.org/TC/SP02/sp02index.html

Information Integrity World Summit. The Hands-On Summit to Protect Your Organization: Overcoming Cyber-security and E-Privacy Threats. Information Integrity. May 15-16, 2002. Washington, DC. For more information: http://www.411integrity.com/live/80/events/80II102

Privacy Law: Emerging Issues in Employee and Consumer Relations. CLE International. May 16-17, 2002. Los Angeles, CA. For more information: http://www.cle.com/upcoming/laxpri02.shtml

Personal Privacy in the Digital Age: The Challenge for State and Local Governments. Joint Center for eGovernance. May 19-21, 2002. Arlington, VA. For more information: http://www.conted.vt.edu/privacy/agenda.htm

Call For Papers - June 1, 2002 (special recognition for outstanding student papers).
18th Annual Computer Security Applications Conference (ACSAC): Practical Solutions to Real Security Problems. Applied Computer Security Associates. December 9-13, 2002. Las Vegas, Nevada. For more information: http://www.acsac.org/

INET 2002. Internet Crossroads: Where Technology and Policy Intersect. Internet Society. June 18-21, 2002. Washington, DC. For more information: http://www.inet2002.org/

IViR International Copyright Law Summer Course. Royal Netherlands Academy of Arts and Sciences. July 8-12, 2002. Amsterdam, Netherlands. For more information: http://www.ivir.nl/

Privacy2002. Technology Policy Group. September 24-26, 2002. Cleveland, OH. For more information: http://www.privacy2000.org/privacy02/index.shtml

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via email:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Back issues are available at:

     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription email address, or if you have any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

     http://www.epic.org/donate/

=======================================================================

Drink coffee, support civil liberties, get a tax deduction, and learn Latin at the same time! Receive a free epic.org "sed quis custodiet ipsos custodes?" coffee mug with donation of $75 or more.

=======================================================================

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.
---------------------- END EPIC Alert 9.07 -----------------------