        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
    Volume 9.08                                     April 25, 2002
                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

Table of Contents

[1] Senate Considers Internet Privacy Legislation
[2] Observing Surveillance: Public Protests, April 2002
[3] Groups Oppose National ID Standards, Medical Privacy Rule Changes
[4] EPIC and Other Free Speech Groups Cite Post-9/11 Info Restrictions
[5] Privacy International Announces U.S. Big Brother Awards
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - Body of Secrets
[8] Upcoming Conferences and Events

[1] Senate Considers Internet Privacy Legislation

EPIC's Executive Director Marc Rotenberg testified at a full Senate
Commerce Committee hearing today on bipartisan legislation to protect
privacy online.  He testified that "the Online Personal Privacy Act is
an important step forward in the advancement of privacy law in the
United States."  The Act, which has ten committee sponsors, follows a
hybrid approach to privacy regulation adopted by the European Union by
supporting an opt-in requirement for "sensitive personally
identifiable information" and a weaker opt-out standard for other
personal information.  The bill follows most other fair information
practices, including robust notice, access requirements, security
obligations, and opportunities for enforcement.  Among the most
significant concessions to industry groups is that the Act will
preempt state legislation on online privacy.

EPIC's testimony focused on a few key areas of concern.  The bill as
currently drafted gives too much power to law enforcement agencies
that seek access to personally identifiable information by not requiring
judicial review of such requests.  From a consumer perspective, the
bill is too narrow in providing access only to information that the
consumer knows he or she has given to the company, rather than all the
information the company has collected about the consumer.  The Act
places a great deal of faith in the ability of the Federal Trade
Commission (FTC) to pursue privacy violations; while this approach can
potentially work, it will require extensive public oversight. 
Rotenberg argued that the private right of action that industry
opposes is actually a severely watered down provision and that it
needs to be strengthened. He also suggested broadening categories of
sensitive personal information to include intellectual freedom and
political beliefs, along with the protection of religious beliefs and
party affiliation already contained in the bill.  Finally, he
encouraged research into genuine privacy enhancing technologies that
enable online transactions while minimizing privacy risks.

Frank Torres of Consumers Union testified that his organization
supports the bill as currently drafted and is willing to live with the
federal preemption if the opt-in requirement for sensitive personal
information remains robust.  The representatives from Amazon.com and
the financial services industry raised the question of why online and
offline collection of data should be treated differently.  They
suggested that either there should be privacy legislation for both
worlds, or no legislation at all.  The financial services industry
argued that it is already regulated under the Gramm-Leach-Bliley law
and that this law is sufficiently restrictive.  They also argued that industry
self-regulation is working successfully. Hewlett Packard urged
inclusion of a safe harbor provision in the Act to insulate companies
from enforcement if they are members of a certified seal program such
as BBBOnline or TrustE.

The Committee was receptive to the concerns expressed by the
witnesses, but as one Senator commented, recent polling data shows
there is overwhelming public support for stronger privacy protection
on the Internet.  The Online Personal Privacy Act seeks to establish
trust and confidence in the disclosure of personal information in the
online environment.  This is central to the growth of electronic
commerce and the online marketplace.

EPIC also participated in the public announcement of a new bill
introduced by Rep. Bob Barr (R-GA) titled the Federal Agency
Protection of Privacy Act.  Rep. Barr's bill, which enjoys bipartisan
support, would require federal agencies to issue privacy impact
analyses when promulgating rules.  The impact statements follow Fair
Information Practices and require agencies to evaluate the notice
provided to individuals, access to personal information affected,
limitations on use of the data, and limitations on collection of
information to maximize privacy.  Rep. Barr plans to hold a hearing on
this bill next week.

EPIC's testimony is available at:


The "Online Privacy Protection Act," Senate Bill 2201 is available at:


A section-by-section analysis of the bill is available at:


Witness testimony is available at:


The Federal Agency Protection of Privacy Act is available at:


[2] Observing Surveillance: Public Protests, April 2002

EPIC has updated the Observing Surveillance Web site to include a map
of camera locations in areas of downtown Washington, D.C.  The map
shows icons that indicate both the locations of surveillance cameras
installed by the D.C. Metropolitan Police Department (MPD) and the
projected surveillance radius of those cameras, as reported in a March
22 Washington Post article.  Additionally, the site contains many
photos of cameras, taken with different levels of zoom to show the
surrounding area where each camera is situated, as well as close-up
images of the cameras.

Additionally, the D.C. MPD recently released preliminary guidelines
for the usage of Closed Circuit Television (CCTV) cameras in the
District. The guidelines state that:

     The CCTV systems represent a valid use of a government's
     power to protect its citizens and will be activated as
     needed during special events in which there is a potential
     threat to public safety, critical incidents, heightened
     states of alert or for traffic control.

It is also noted that the cameras "[will not be] operated where there
is a reasonable expectation of privacy," and that "[i]f any CCTV
systems are mounted in residential areas, public notice will be given
with the exception of those utilized pursuant to a court order."  EPIC
submitted a series of FOIA requests (see Alert 9.04) for details about
the camera system before these draft guidelines were released, and has
yet to receive any responsive documents.

MPD's Draft General Order on CCTV Cameras is available at:


Observing Surveillance:


[3] Groups Oppose National ID Standards, Medical Privacy Rule Changes

On April 15, EPIC submitted a letter for the record of a hearing in
the Senate Subcommittee on Oversight of Government Management,
Restructuring, and the District of Columbia, advising against adopting
plans to standardize the state driver's license system.  The letter
draws attention to recent polling data that highlights the public's
growing reluctance to establish a national identification system. A
recent poll conducted by Gartner, Inc. reveals that only 26 percent of
the population supports a card, while 41 percent are opposed to it. 
The poll also shows that state motor vehicle departments, along with
the IRS, are seen by the public to be among the least trustworthy
government agencies to administer such a system if it were developed. 
Another poll, by the Washington Post, found that 44 percent of
Americans think that a national identification card -- even if it is
voluntary -- is "a way to keep track of people and is an invasion of
people's civil liberties and privacy."

The National Research Council has released a new study that calls for
a "serious and sustained analysis and discussion of the complex
constellation of issues presented by nationwide identity systems." The
report stresses that understanding the goals of such a system is
critical, and cautions the public and policymakers that "before any
decisions can be made about whether to attempt some kind of nationwide
identity system, the question of what is being discussed (and why)
must be answered."  EPIC has advocated that there needs to be greater
public discussion about the desirability and feasibility of these
proposals, and released a policy report earlier this year, entitled
"Your Papers, Please," which details how such proposals create a
national identification system that raises significant privacy and
security risks (see Alert 9.03).

In medical privacy news, EPIC has joined the Health Privacy Project in
urging the Department of Health and Human Services to reject many
recently proposed changes to the Health Insurance Portability and
Accountability Act (HIPAA) Privacy Rule.  These changes, proposed by
Secretary of Health Tommy Thompson, would diminish patient protections
by eliminating the consent requirement for access to health
information, increasing the ability to market products based on health
conditions, and giving parents more power to access children's medical

The comments cover a broad range of changes to the Privacy Rule,
including a provision that would allow the collection and use of
protected health information related to the "quality, safety, or
effectiveness" of Food and Drug Administration regulated products and
activities.  The plain language of this provision would allow the
collection and use of personal information for purposes completely
unrelated to health care, including product satisfaction surveys. 
Additionally, the proposed changes alter the definition of marketing
so that individuals cannot opt-out of targeted advertising. The
comments oppose these changes, and advocate a rule that would
establish an opt-in standard for medical marketing to patients.

Individuals are also encouraged to comment on the proposed changes,
and can do so by visiting the Health Privacy Project website until
April 26, 2002.

EPIC's Letter to the Senate Subcommittee is available at:


National Research Council Report, "IDs -- Not That Easy: Questions
About Nationwide Identity Systems," is available at:


EPIC Report, "Your Papers, Please: From the State Drivers License to
a National Identification System" ("Watching the Watchers" series):


Health Privacy Project (to comment, click "Send Comments to HHS"):


EPIC's Medical Privacy Page:


[4] EPIC and Other Free Speech Groups Cite Post-9/11 Info Restrictions

EPIC today joined with other free expression and open government
advocates in a statement marking the six-month anniversary of
Congress' passage of the USA PATRIOT Act.  The statement details the
legislation's chilling effect on speech, as well as other government
efforts to restrict public access to information.  The statement was
released by the Free Expression Network (FEN) at a Capitol Hill press
conference that featured Sen. Russell Feingold and Rep. Patsy Mink,
both vocal critics of the legislation.

The USA PATRIOT Act is the anti-terrorism legislation rushed through
Congress in the aftermath of September 11.  Because of the emotional
fervor of the time and the pressure surrounding efforts to remedy and
prevent terrorist actions, the legislation was enacted after little
debate or review by either house of Congress, with little dissent:
only 66 Representatives and one Senator voted against the Act.

Speaking at today's press conference were two of the Act's most vocal
critics: Senator Russell Feingold (D-WI) -- the only dissenting member
of the Senate -- and Representative Patsy Mink (D-HI).  Both stressed
their confidence, six months after the Act's passage, that their
controversial decisions to vote against the USA PATRIOT Act were correct.
Feingold stated, "The need for vigilance against the excesses of
unbridled governmental power is greater than ever as the fight against
terrorism continues."  Mink, a third-generation Japanese-American
whose family lived through the ill-conceived Japanese internment camps
following the bombing of Pearl Harbor, referred to the terrorist
attacks as "anesthesia foisted upon the Constitution," which acted to
subdue and silence dissent.  But, she stated, "anesthesia wears off,"
and it is now time to take a serious look at the effects and
consequences of the Act's passage.

Mink cited the restrictions placed by the Administration on release of
documents under the Freedom of Information Act (FOIA) as a threat to
civil liberties and open government following September 11 (Rep. Mink
helped draft the FOIA).  Sen. Feingold's remarks emphasized his
concern about the Act's "business records" provision, which gives the
FBI broad new power to subpoena records in terrorism investigations,
even where the records aren't directly connected to a suspect in such
an investigation.

The FEN statement details other specific instances of government
secrecy, surveillance, and encroachment upon the freedoms of
association and speech in the past six months, and concludes that "the
hasty measures that were taken in the immediate wake of the attacks of
September 11 should now be reconsidered, and we should reaffirm the
right to free expression, open government, discussion and debate that
have kept us strong and free for more than two hundred years."

The FEN statement is available at:


Sen. Feingold's Senate floor statement on the USA PATRIOT Act (October
25, 2001) is available at:


[5] Privacy International Announces U.S. Big Brother Awards

At last week's Computers, Freedom & Privacy (CFP) conference in San
Francisco, Privacy International announced the winners of the Fourth
Annual United States Big Brother Awards.  Winners were selected by a
judging panel made up of lawyers, academics, consultants, journalists,
and civil rights activists.  Candidates for the awards were initially
nominated by the public and experts in the field.

The award for "Most Invasive Proposal" went to the Expanded Computer
Assisted Passenger Screening Program's plan to profile and spy on
travelers.  Runners-up included the Washington, D.C. video
surveillance system (see EPIC's Face Recognition page) and the
American Association of Motor Vehicle Administrators for their
national ID scheme (see EPIC's National ID Card page).  The title of
"Greatest Corporate Invader" was given to Larry Ellison, CEO of
Oracle, for backing a national ID card plan using his software. 
"Worst Public Official" was awarded to Attorney General John Ashcroft,
for attacking privacy and freedom of information, and the "Lifetime
Menace" award went to Admiral John Poindexter and the new Office of
Information Awareness.

"Brandeis" awards, named after U.S. Supreme Court Justice Louis
Brandeis, were awarded to state Senator Jackie Speier, for leading the
fight for financial privacy and consumer rights in California; Warren
Leach, for "exposing the dirty deeds of the credit bureaus for over
thirty years;" and a special mention was given to the San Francisco
Chronicle Editorial Page.  The Brandeis awards are given to entities
that have done excellent work to protect and champion privacy.

For more information, see PI's Big Brother Awards Page:


EPIC's National ID Card Page:


EPIC's Face Recognition Page:

[6] EPIC Bill-Track: New Bills in Congress


H.R.3983 Maritime Transportation Antiterrorism Act of 2002. To ensure
the security of maritime transportation in the United States against
acts of terrorism, and for other purposes. Sponsor: Rep Young, Don
(R-AK). Latest Major Action: 3/20/2002 House committee/subcommittee
actions: Ordered to be Reported (Amended). Committees: House
Transportation and Infrastructure.

H.R.4043 To bar Federal agencies from accepting for any
identification-related purpose any State-issued driver's license, or
other comparable identification document, unless the State requires
licenses or comparable documents issued to nonimmigrant aliens to
expire upon the expiration of the aliens' nonimmigrant visas, and for
other purposes. Sponsor: Rep Flake, Jeff (R-AZ) Latest Major Action:
3/20/2002 Referred to House committee: House Government Reform; House
Administration; House Judiciary; House Armed Services.


S.2048 Consumer Broadband and Digital Television Promotion Act. A bill
to regulate interstate commerce in certain devices by providing for
private sector development of technological protection measures to be
implemented and enforced by Federal regulations to protect digital
content and promote broadband as well as the transition to digital
television, and for other purposes. Sponsor: Sen Hollings, Ernest F.
(D-SC). Latest Major Action: 3/21/2002 Referred to Senate committee:
Senate Commerce, Science, and Transportation.

EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills
in the 107th Congress, is available at:


[7] EPIC Bookstore - Body of Secrets

Body of Secrets: Anatomy of the Ultra-Secret National Security Agency -
From the Cold War Through the Dawn of a New Century, by James Bamford.


The NSA is the largest, most secretive, and most powerful intelligence
agency in the world.  With a staff of 38,000 people, it dwarfs the CIA
in budget, manpower, and influence.  Recent headlines have linked it
to the economic espionage throughout Europe and to the ongoing hunt
for the terrorist leader Osama bin Laden.

James Bamford first penetrated the wall of silence surrounding the NSA
in 1982, with the much-talked-about bestseller The Puzzle Palace.  In
Body of Secrets, he offers shocking new details about the inner
workings of the agency, gathered through unique access to thousands of
internal documents and interviews with current and former officials.
Unveiling extremely sensitive information for the first time, Bamford
exposes the role the NSA played in numerous Soviet bloc Cold War
conflicts and discusses its undercover involvement in the Vietnam War.
His investigation into the NSA's technological advances during the
last fifteen years brings to light a network of global surveillance
ranging from on-line listening posts to sophisticated intelligence-
gathering satellites.  In a hard-hitting conclusion, he warns that the
NSA is a two-edged sword.  While its worldwide eavesdropping
activities offer the potential for tracking down terrorists and
uncovering nuclear weapons deals, it also has the capability to listen
in on global personal communications.

[Review originally printed in EPIC Alert 8.08, May 2, 2001.]

**James Bamford will be coming to Barnes & Noble Booksellers in
  Georgetown, Washington, D.C. for a discussion and signing of "Body
  of Secrets."  Event details: Wednesday, May 1, 7:30-8:30 P.M.,
  3040 M Street, NW.  Call 202-965-9880 for more information.

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Laws
and Developments," (EPIC 2001). Price: $20.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, ID systems and freedom of information

"The Privacy Law Sourcebook 2001: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40. http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore
     "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

4th National HIPAA Summit: The Leading Forum on Healthcare Privacy,
Confidentiality, Data Security and HIPAA Compliance. April 24-26,
2002. Washington, DC. For more information:

Education and Technological Consciousness. Center for Educational
Outreach & Innovation, Teachers College, Columbia University. May 3-4,
2002. New York, NY. For more information:

First Amendment In Transition: Has Settled Law Become Unsettled?
Freedom Forum. May 8, 2002. Arlington, VA. For more information:

Conference on Cyber Security and Disclosure. Stanford Law School
Center for Internet and Society. May 9, 2002. Stanford, CA. For more
information: http://cyberlaw.stanford.edu/

2002 IEEE Symposium on Security and Privacy. IEEE and the
International Association for Cryptologic Research. May 12-15, 2002.
Oakland, CA. For more information:

O'Reilly Emerging Technology Conference. O'Reilly and Associates. May
13-16, 2002. Santa Clara, CA. For more information:

Information Integrity World Summit. The Hands-On Summit to Protect
Your Organization: Overcoming Cyber-security and E-Privacy Threats.
Information Integrity. May 15-16, 2002. Washington, DC. For more
information: http://www.411integrity.com/live/80/events/80II102

Privacy Law: Emerging Issues in Employee and Consumer Relations. CLE
International. May 16-17, 2002. Los Angeles, CA. For more information:

Personal Privacy in the Digital Age: The Challenge for State and Local
Governments. Joint Center for eGovernance. May 19-21, 2002. Arlington,
VA. For more information: http://www.conted.vt.edu/privacy/agenda.htm

Call For Papers - June 1, 2002 (special recognition for outstanding
student papers). 18th Annual Computer Security Applications Conference
(ACSAC): Practical Solutions to Real Security Problems. Applied
Computer Security Associates. December 9-13, 2002. Las Vegas, Nevada.
For more information: http://www.acsac.org/

Third Annual Institute on Privacy Law. Practising Law Institute. June
3-4, 2002, San Francisco, CA; June 24-25, New York, NY. For more
information: http://www.pli.edu/

INET 2002. Internet Crossroads: Where Technology and Policy Intersect.
Internet Society. June 18-21, 2002. Washington, DC. For more
information: http://www.inet2002.org/

The Public Voice in Internet Policy Making. June 22, 2002. Washington,
DC. The Electronic Privacy Information Center (EPIC) will host a
one-day public symposium to discuss the future of our rights and
freedoms in the information age. The event is being hosted in
conjunction with INET 2002 and is free and open to the public. For
more information: http://www.thepublicvoice.org/events/dc02/

IViR International Copyright Law Summer Course. Royal Netherlands
Academy of Arts and Sciences. July 8-12, 2002. Amsterdam, Netherlands.
For more information: http://www.ivir.nl/

O'Reilly Open Source Convention. O'Reilly and Associates. July 22-26,
2002. San Diego, CA. For more information:

Cyberwar, Netwar and the Revolution in Military Affairs: Real Threats
and Virtual Myths. International School on Disarmament and Research on
Conflicts (ISODARCO). August 3-13, 2002. Trento, Italy. For more
information: http://www.isodarco.it/html/trento02.html

ILPF Conference 2002: Security v. Privacy. Internet Law & Policy
Forum. September 17-19, 2002. Seattle, WA. For more information:

Privacy2002. Technology Policy Group. September 24-26, 2002.
Cleveland, OH. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription email address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
   ---------------------- END EPIC Alert 9.08 -----------------------