==============================================================

                        EPIC Alert

==============================================================
Volume 9.08                                     April 25, 2002
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_9.08.html

=======================================================================
Table of Contents
=======================================================================

[1] Senate Considers Internet Privacy Legislation
[2] Observing Surveillance: Public Protests, April 2002
[3] Groups Oppose National ID Standards, Medical Privacy Rule Changes
[4] EPIC and Other Free Speech Groups Cite Post-9/11 Info Restrictions
[5] Privacy International Announces U.S. Big Brother Awards
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - Body of Secrets
[8] Upcoming Conferences and Events

=======================================================================
[1] Senate Considers Internet Privacy Legislation
=======================================================================

EPIC's Executive Director Marc Rotenberg testified at a full Senate Commerce Committee hearing today on bipartisan legislation to protect privacy online. He testified that "the Online Personal Privacy Act is an important step forward in the advancement of privacy law in the United States."

The Act, which has ten committee sponsors, follows a hybrid approach to privacy regulation adopted by the European Union by supporting an opt-in requirement for "sensitive personally identifiable information" and a weaker opt-out standard for other personal information. The bill follows most other fair information practices, including robust notice, access requirements, security obligations, and opportunities for enforcement.
Among the most significant concessions to industry groups is that the Act will preempt state legislation on online privacy.

EPIC's testimony focused on a few key areas of concern. The bill as currently drafted gives too much power to law enforcement agencies that seek access to personally identifiable information by not requiring judicial review of such requests. From a consumer perspective, the bill is too narrow in providing access only to information that the consumer knows he or she has given to the company, rather than all the information the company has collected about the consumer. The Act places a great deal of faith in the ability of the Federal Trade Commission (FTC) to pursue privacy violations; while this approach can potentially work, it will require extensive public oversight. Rotenberg argued that the private right of action that industry opposes is actually a severely watered down provision and that it needs to be strengthened. He also suggested broadening categories of sensitive personal information to include intellectual freedom and political beliefs, along with the protection of religious beliefs and party affiliation already contained in the bill. Finally, he encouraged research into genuine privacy enhancing technologies that enable online transactions while minimizing privacy risks.

Frank Torres of Consumers Union testified that his organization supports the bill as currently drafted and is willing to live with the federal preemption if the opt-in requirement for sensitive personal information remains robust. The representatives from Amazon.com and the financial services industry raised the question of why online and offline collection of data should be treated differently. They suggested that either there should be privacy legislation for both worlds, or no legislation at all. The financial services industry argued that it is already regulated under the Gramm-Leach-Bliley law and that is sufficiently restrictive.
They also argued that industry self-regulation is working successfully. Hewlett Packard urged inclusion of a safe harbor provision in the Act to insulate companies from enforcement if they are members of a certified seal program such as BBBOnline or TrustE.

The Committee was receptive to the concerns expressed by the witnesses, but as one Senator commented, recent polling data shows there is overwhelming public support for stronger privacy protection on the Internet. The Online Personal Privacy Act seeks to establish trust and confidence in the disclosure of personal information in the online environment. This is central to the growth of electronic commerce and the online marketplace.

EPIC also participated in the public announcement of a new bill introduced by Rep. Bob Barr (R-GA) titled the Federal Agency Protection of Privacy Act. Rep. Barr's bill, which enjoys bipartisan support, would require federal agencies to issue privacy impact analyses when promulgating rules. The impact statements follow Fair Information Practices and require agencies to evaluate the notice provided to individuals, access to personal information affected, limitations on use of the data, and limitations on collection of information to maximize privacy. Rep. Barr plans to hold a hearing on this bill next week.

EPIC's testimony is available at:

     http://www.epic.org/privacy/internet/s2201_testimony.html

The "Online Privacy Protection Act," Senate Bill 2201 is available at:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d107:s.02201:

A section-by-section analysis of the bill is available at:

     http://www.epic.org/redirect/techlaw_redirect.html

Witness testimony is available at:

     http://commerce.senate.gov/hearings/hearings0202.htm

The Federal Agency Protection of Privacy Act is available at:

     http://www.politechbot.com/docs/barr.privacy.bill.042302.pdf

=======================================================================
[2] Observing Surveillance: Public Protests, April 2002
=======================================================================

EPIC has updated the Observing Surveillance Web site to include a map of camera locations in areas of downtown Washington, D.C. The map shows icons that indicate both the locations of surveillance cameras installed by the D.C. Metropolitan Police Department (MPD) and the projected surveillance radius of those cameras, as reported in a March 22 Washington Post article. Additionally, the site contains many photos of cameras, taken with different levels of zoom to show the surrounding area where each camera is situated, as well as close-up images of the cameras.

Additionally, the D.C. MPD recently released preliminary guidelines for the usage of Closed Circuit Television (CCTV) cameras in the District. The guidelines state that:

     The CCTV systems represent a valid use of a government's power to protect its citizens and will be activated as needed during special events in which there is a potential threat to public safety, critical incidents, heightened states of alert or for traffic control.

It is also noted that the cameras "[will not be] operated where there is a reasonable expectation of privacy," and that "[i]f any CCTV systems are mounted in residential areas, public notice will be given with the exception of those utilized pursuant to a court order."

EPIC submitted a series of FOIA requests (see Alert 9.04) for details about the camera system before these draft guidelines were released, and has yet to receive any responsive documents.

MPD's Draft General Order on CCTV Cameras is available at:

     http://www.dcwatch.com/police/020404.htm

Observing Surveillance:

     http://www.observingsurveillance.org/

=======================================================================
[3] Groups Oppose National ID Standards, Medical Privacy Rule Changes
=======================================================================

On April 15, EPIC submitted a letter for the record of a hearing in the Senate Subcommittee on Oversight of Government Management, Restructuring, and the District of Columbia, advising against adopting plans to standardize the state driver's license system.

The letter draws attention to recent polling data that highlights the public's growing reluctance to establish a national identification system. A recent poll conducted by Gartner, Inc. reveals that only 26 percent of the population supports a card, while 41 percent are opposed to it. The poll also shows that state motor vehicle departments, along with the IRS, are seen by the public to be among the least trustworthy government agencies to administer such a system if it were developed. Another poll, by the Washington Post, found that 44 percent of Americans think that a national identification card -- even if it is voluntary -- is "a way to keep track of people and is an invasion of people's civil liberties and privacy."

The National Research Council has released a new study that calls for a "serious and sustained analysis and discussion of the complex constellation of issues presented by nationwide identity systems." The report stresses that understanding the goals of such a system is critical, and cautions the public and policymakers that "before any decisions can be made about whether to attempt some kind of nationwide identity system, the question of what is being discussed (and why) must be answered." EPIC has advocated that there needs to be greater public discussion about the desirability and feasibility of these proposals, and released a policy report earlier this year, entitled "Your Papers, Please," which details how such proposals create a national identification system that raises significant privacy and security risks (see Alert 9.03).

In medical privacy news, EPIC has joined the Health Privacy Project in urging the Department of Health and Human Services to reject many recently proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. These changes, proposed by Secretary of Health Tommy Thompson, would diminish patient protections by eliminating the consent requirement for access to health information, increasing the ability to market products based on health conditions, and giving parents more power to access children's medical records.

The comments cover a broad range of changes to the Privacy Rule, including a provision that would allow the collection and use of protected health information related to the "quality, safety, or effectiveness" of Food and Drug Administration regulated products and activities. The plain language of this provision would allow the collection and use of personal information for purposes completely unrelated to health care, including product satisfaction surveys. Additionally, the proposed changes alter the definition of marketing so that individuals cannot opt-out of targeted advertising.
The comments oppose these changes, and advocate a rule that would establish an opt-in standard for medical marketing to patients. Individuals are also encouraged to comment on the proposed changes, and can do so by visiting the Health Privacy Project website until April 26, 2002.

EPIC's Letter to the Senate Subcommittee is available at:

     http://www.epic.org/privacy/id-cards/durbin_letter_4_15_02.html

National Research Council Report, "IDs -- Not That Easy: Questions About Nationwide Identity Systems," is available at:

     http://books.nap.edu/html/id_questions/

EPIC Report, "Your Papers, Please: From the State Drivers License to a National Identification System" ("Watching the Watchers" series):

     http://www.epic.org/privacy/id_cards/yourpapersplease.pdf

Health Privacy Project (to comment, click "Send Comments to HHS"):

     http://www.healthprivacy.org/

EPIC's Medical Privacy Page:

     http://www.epic.org/privacy/medical/

=======================================================================
[4] EPIC and Other Free Speech Groups Cite Post-9/11 Info Restrictions
=======================================================================

EPIC today joined with other free expression and open government advocates in a statement marking the six-month anniversary of Congress' passage of the USA PATRIOT Act. The statement details the legislation's chilling effect on speech, as well as other government efforts to restrict public access to information. The statement was released by the Free Expression Network (FEN) at a Capitol Hill press conference that featured Sen. Russell Feingold and Rep. Patsy Mink, both vocal critics of the legislation.

The USA PATRIOT Act is the anti-terrorism legislation rushed through Congress in the aftermath of September 11.
Because of the emotional fervor of the time and the pressure surrounding efforts to remedy and prevent terrorist actions, the legislation was enacted after little debate or review by either house of Congress, with little dissent: only 66 Representatives and one Senator voted against the Act.

Speaking at today's press conference were two of the Act's most vocal critics: Senator Russell Feingold (D-WI) -- the only dissenting member of the Senate -- and Representative Patsy Mink (D-HI). Both stressed their confidence, six months after the Act's passage, that their controversial decisions to vote against the USA PATRIOT were correct. Feingold stated, "The need for vigilance against the excesses of unbridled governmental power is greater than ever as the fight against terrorism continues."

Mink, a third-generation Japanese-American whose family lived through the ill-conceived Japanese internment camps following the bombing of Pearl Harbor, referred to the terrorist attacks as "anesthesia foisted upon the Constitution," which acted to subdue and silence dissent. But, she stated, "anesthesia wears off," and it is now time to take a serious look at the effects and consequences of the Act's passage.

Mink cited the restrictions placed by the Administration on release of documents under the Freedom of Information Act (FOIA) as a threat to civil liberties and open government following September 11 (Rep. Mink helped draft the FOIA). Sen. Feingold's remarks emphasized his concern about the Act's "business records" provision, which gives the FBI broad new power to subpoena records in terrorism investigations, even where the records aren't directly connected to a suspect in such an investigation.

The FEN statement details other specific instances of government secrecy, surveillance, and encroachment upon the freedoms of association and speech in the past six months, and concludes that "the hasty measures that were taken in the immediate wake of the attacks of September 11 should now be reconsidered, and we should reaffirm the right to free expression, open government, discussion and debate that have kept us strong and free for more than two hundred years."

The FEN statement is available at:

     http://www.freeexpression.org/patriotstmt.htm

Sen. Feingold's Senate floor statement on the USA PATRIOT Act (October 25, 2001) is available at:

     http://www.senate.gov/~feingold/releases/01/10/102501at.html

=======================================================================
[5] Privacy International Announces U.S. Big Brother Awards
=======================================================================

At last week's Computers, Freedom & Privacy (CFP) conference in San Francisco, Privacy International announced the winners of the Fourth Annual United States Big Brother Awards. Winners were selected by a judging panel made up of lawyers, academics, consultants, journalists, and civil rights activists. Candidates for the awards were initially nominated by the public and experts in the field.

The award for "Most Invasive Proposal" went to the Expanded Computer Assisted Passenger Screening Program's plan to profile and spy on travelers. Runners-up included the Washington, D.C. video surveillance system (see EPIC's Face Recognition page) and the American Association of Motor Vehicle Administrators for their national ID scheme (see EPIC's National ID Card page).

The title of "Greatest Corporate Invader" was given to Larry Ellison, CEO of Oracle, for backing a national ID card plan using his software.
"Worst Public Official" was awarded to Attorney General John Ashcroft, for attacking privacy and freedom of information, and the "Lifetime Menace" award went to Admiral John Poindexter and the new Office of Information Awareness.

"Brandeis" awards, named after U.S. Supreme Court Justice Louis Brandeis, were awarded to state Senator Jackie Speier, for leading the fight for financial privacy and consumer rights in California; Warren Leach, for "exposing the dirty deeds of the credit bureaus for over thirty years;" and a special mention was given to the San Francisco Chronicle Editorial Page. The Brandeis awards are given to entities that have done excellent work to protect and champion privacy.

For more information, see PI's Big Brother Awards Page:

     http://www.privacyinternational.org/bigbrother/us2002/

EPIC's National ID Card Page:

     http://www.epic.org/privacy/id_cards/

EPIC's Face Recognition Page:

     http://www.epic.org/privacy/facerecognition/

=======================================================================
[6] EPIC Bill-Track: New Bills in Congress
=======================================================================

*House*

H.R.3983 Maritime Transportation Antiterrorism Act of 2002. To ensure the security of maritime transportation in the United States against acts of terrorism, and for other purposes. Sponsor: Rep Young, Don (R-AK). Latest Major Action: 3/20/2002 House committee/subcommittee actions: Ordered to be Reported (Amended). Committees: House Transportation and Infrastructure.

H.R.4043 To bar Federal agencies from accepting for any identification-related purpose any State-issued driver's license, or other comparable identification document, unless the State requires licenses or comparable documents issued to nonimmigrant aliens to expire upon the expiration of the aliens' nonimmigrant visas, and for other purposes.
Sponsor: Rep Flake, Jeff (R-AZ) Latest Major Action: 3/20/2002 Referred to House committee: House Government Reform; House Administration; House Judiciary; House Armed Services.

*Senate*

S.2048 Consumer Broadband and Digital Television Promotion Act. A bill to regulate interstate commerce in certain devices by providing for private sector development of technological protection measures to be implemented and enforced by Federal regulations to protect digital content and promote broadband as well as the transition to digital television, and for other purposes. Sponsor: Sen Hollings, Ernest F. (D-SC). Latest Major Action: 3/21/2002 Referred to Senate committee: Senate Commerce, Science, and Transportation.

EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills in the 107th Congress, is available at:

     http://www.epic.org/privacy/bill_track.html

=======================================================================
[7] EPIC Bookstore - Body of Secrets
=======================================================================

Body of Secrets: Anatomy of the Ultra-Secret National Security Agency - From the Cold War Through the Dawn of a New Century, by James Bamford.

     http://www.epic.org/bookstore/powells/redirect/alert908.html

The NSA is the largest, most secretive, and most powerful intelligence agency in the world. With a staff of 38,000 people, it dwarfs the CIA in budget, manpower, and influence. Recent headlines have linked it to the economic espionage throughout Europe and to the ongoing hunt for the terrorist leader Osama bin Laden.

James Bamford first penetrated the wall of silence surrounding the NSA in 1982, with the much-talked-about bestseller The Puzzle Palace. In Body of Secrets, he offers shocking new details about the inner workings of the agency, gathered through unique access to thousands of internal documents and interviews with current and former officials.
Unveiling extremely sensitive information for the first time, Bamford exposes the role the NSA played in numerous Soviet bloc Cold War conflicts and discusses its undercover involvement in the Vietnam War. His investigation into the NSA's technological advances during the last fifteen years brings to light a network of global surveillance ranging from on-line listening posts to sophisticated intelligence-gathering satellites. In a hard-hitting conclusion, he warns that the NSA is a two-edged sword. While its worldwide eavesdropping activities offer the potential for tracking down terrorists and uncovering nuclear weapons deals, it also has the capability to listen on global personal communications.

[Review originally printed in EPIC Alert 8.08, May 2, 2001.]

**James Bamford will be coming to Barnes & Noble Booksellers in Georgetown, Washington, D.C. for a discussion and signing of "Body of Secrets." Event details: Wednesday, May 1, 7:30-8:30 P.M., 3040 M Street, NW. Call 202-965-9880 for more information.

================================

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Laws and Developments," (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/phr2001/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

================================

"The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001). Price: $40.
http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore/

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

4th National HIPAA Summit: The Leading Forum on Healthcare Privacy, Confidentiality, Data Security and HIPAA Compliance. April 24-26, 2002. Washington, DC.
For more information: http://www.hipaasummit.com/

Education and Technological Consciousness. Center for Educational Outreach & Innovation, Teachers College, Columbia University. May 3-4, 2002. New York, NY. For more information: http://www.tc.columbia.edu/ceoi/

First Amendment In Transition: Has Settled Law Become Unsettled? Freedom Forum. May 8, 2002. Arlington, VA. For more information: ebrooks@freedomforum.org

Conference on Cyber Security and Disclosure. Stanford Law School Center for Internet and Society. May 9, 2002. Stanford, CA. For more information: http://cyberlaw.stanford.edu/

2002 IEEE Symposium on Security and Privacy. IEEE and the International Association for Cryptologic Research. May 12-15, 2002. Oakland, CA. For more information: http://www.ieee-security.org/TC/SP02/sp02index.html

O'Reilly Emerging Technology Conference. O'Reilly and Associates. May 13-16, 2002. Santa Clara, CA. For more information: http://conferences.oreilly.com/etcon/

Information Integrity World Summit. The Hands-On Summit to Protect Your Organization: Overcoming Cyber-security and E-Privacy Threats. Information Integrity. May 15-16, 2002. Washington, DC. For more information: http://www.411integrity.com/live/80/events/80II102

Privacy Law: Emerging Issues in Employee and Consumer Relations. CLE International. May 16-17, 2002. Los Angeles, CA. For more information: http://www.cle.com/upcoming/laxpri02.shtml

Personal Privacy in the Digital Age: The Challenge for State and Local Governments. Joint Center for eGovernance. May 19-21, 2002. Arlington, VA. For more information: http://www.conted.vt.edu/privacy/agenda.htm

Call For Papers - June 1, 2002 (special recognition for outstanding student papers). 18th Annual Computer Security Applications Conference (ACSAC): Practical Solutions to Real Security Problems. Applied Computer Security Associates. December 9-13, 2002. Las Vegas, Nevada. For more information: http://www.acsac.org/

Third Annual Institute on Privacy Law.
Practising Law Institute. June 3-4, 2002, San Francisco, CA; June 24-25, New York, NY. For more information: http://www.pli.edu/

INET 2002. Internet Crossroads: Where Technology and Policy Intersect. Internet Society. June 18-21, 2002. Washington, DC. For more information: http://www.inet2002.org/

The Public Voice in Internet Policy Making. June 22, 2002. Washington, DC. The Electronic Privacy Information Center (EPIC) will host a one-day public symposium to discuss the future of our rights and freedoms in the information age. The event is being hosted in conjunction with INET 2002 and is free and open to the public. For more information: http://www.thepublicvoice.org/events/dc02/

IViR International Copyright Law Summer Course. Royal Netherlands Academy of Arts and Sciences. July 8-12, 2002. Amsterdam, Netherlands. For more information: http://www.ivir.nl/

O'Reilly Open Source Convention. O'Reilly and Associates. July 22-26, 2002. San Diego, CA. For more information: http://conferences.oreilly.com/oscon/

Cyberwar, Netwar and the Revolution in Military Affairs: Real Threats and Virtual Myths. International School on Disarmament and Research on Conflicts (ISODARCO). August 3-13, 2002. Trento, Italy. For more information: http://www.isodarco.it/html/trento02.html

ILPF Conference 2002: Security v. Privacy. Internet Law & Policy Forum. September 17-19, 2002. Seattle, WA. For more information: http://www.ilpf.org/conference2002/

Privacy2002. Technology Policy Group. September 24-26, 2002. Cleveland, OH.
For more information: http://www.privacy2000.org/privacy02/index.shtml

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via email:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Back issues are available at:

     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription email address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC.
It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

     http://www.epic.org/donate/

=======================================================================

Drink coffee, support civil liberties, get a tax deduction, and learn Latin at the same time! Receive a free epic.org "sed quis custodiet ipsos custodes?" coffee mug with donation of $75 or more.

=======================================================================

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 9.08 -----------------------