EPIC logo

        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
    Volume 9.10                                       May 23, 2002
                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.
Table of Contents

[1] Coalition Urges European Parliament to Vote Against Data Retention
[2] Legislation Moves on Privacy, Spam, Identity Theft, and SSNs
[3] Minnesota Passes ISP Privacy Law
[4] EPIC Files Amicus Brief Contesting Surveillance of TV Use
[5] Supreme Court Retains Ban on COPA Enforcement
[6] Microsoft "Dream" Includes A Passport For Every Person
[7] EPIC Bookstore - Youth, Pornography, and the Internet
[8] Upcoming Conferences and Events

[1] Coalition Urges European Parliament to Vote Against Data Retention

In an open letter sent to all Members of the European Parliament
("EP"), more than 40 civil liberties organizations from 15 countries
around the world strongly recommended that Members vote against
general data retention of communications by law enforcement
authorities.  The vote, scheduled for May 29 in Brussels, is critical,
as it constitutes the major step before the final adoption of the new
EU Telecommunications Directive.  It may have serious consequences on
the manner in which data retention is currently regulated in the
United States and other countries around the world.

On May 29, the EP must vote to accept language already agreed upon by
its parliamentary committees that opposes data retention, but it also
has to vote on new amendments pushed by the Council and some EP
Members that favor data retention and generalized surveillance of
communications.  The upcoming vote is one of the last chances for the
Council of the EU and some EU Member State governments to try to
oppose the EP’s position on data retention by pressuring Members to
support compromise language that would allow for data retention.  Thus
far, the EP has always opposed data retention and general and
exploratory surveillance of electronic communications.

The letter recommends that EP Members strongly oppose data retention
and take a vigorous stand against the repeated post-9/11 attempts by
European law enforcement authorities, the Council, and some EU Member
State governments to pressure the European Parliament into accepting
data retention as a necessary measure to achieve the “right balance
between security and privacy."  Those governmental institutions
would like to compel communications service providers to routinely
capture and archive information detailing traffic and localization
data of telephone calls, e-mail, and other communications of their
users, without the need for a judge and in a preventive and
generalized fashion.

The international coalition’s statement asserts that such a position
is contrary to the most respected international human rights
conventions and case law (e.g. the European Convention on Human
Rights, the European Union Charter of Fundamental Rights, and the case
law of the European Court of Human Rights).  These instruments fully
support the letter’s position, and specify that, when permitted, data
retention must be a necessary, appropriate, proportionate and
temporary measure.  This is inconsistent with the Council’s position,
which would allow the preventive and general control of electronic
communications for future and hypothetical criminal investigations.

The statement also refers to the opinions adopted by key players in
the legislative process.  The EP Committee on Citizens' Freedoms and
Rights, Justice and Home Affairs, and EU privacy commissioners have
consistently opposed data retention, affirming that, except for
billing and other business-related purposes, it should be prohibited,
unless used in exceptional cases and authorized by judicial or other
competent authorities on a case-by-case basis.  If not limited to such
strictures, data retention would violate the fundamental rights of
privacy and data protection, freedom of expression, and presumption of

The letter further emphasizes the importance of the upcoming vote.
Until now, no major industrialized country in the world has ever
allowed government-imposed retention requirements for electronic
communications.  Because of the cross-border nature of Internet
communications, a pro-data retention vote at the EP would likely have
negative repercussions for Americans and citizens of other countries.
In the United States, current regulations do not require data
retention, even after the enactment of sweeping anti-terrorism
legislation known as the USA PATRIOT Act.

The coalition's letter is available on the Global Internet Liberty
Campaign (GILC) Web site at:


Individuals are also encouraged to endorse the letter, and may do
so on until May 28:


EPIC's new Data Retention Web page lists the latest news, the
international instruments referred to in the letter, and the most
current documents subject to the May 29 EP vote:


Verbatim reports of the May 29 EP vote will be available the next
day at:


[2] Legislation Moves on Privacy, Spam, Identity Theft, and SSNs

Congress has been active in moving bills on online privacy, spam,
identity theft, and Social Security numbers (SSNs) in recent weeks.

In the Senate, the Commerce Committee has reported out S. 2201, the
Online Privacy Protection Act.  The bill, introduced by Sen. Ernest
Hollings (D-SC), is a compromise measure that is significantly weaker
than Sen. Hollings' prior Internet privacy bill, the Consumer Privacy
Protection Act, which was introduced in May 2000.  The current bill
contains strong provisions for privacy, including opt-in protections
for "sensitive information," a right to access dossiers assembled on
consumers, and a private right of action that allows individuals to
sue wrongdoers in their local small claims court.  However, the bill
does have some weaknesses: Web sites could still collect personally
identifying information, such as name and address, by only giving
notice and providing the ability to opt-out.  The bill also contains a
safe harbor provision that would immunize some Web sites from
accountability.  Additionally, the bill would preempt state efforts to
provide greater privacy protections.

The Senate Commerce Committee also approved S. 630, the Controlling
the Assault of Non-Solicited Pornography and Marketing Act of 2001
(CAN SPAM Act of 2001).  The legislation, introduced by Sen. Conrad
Burns (R-MT), would create an opt-out regime for unsolicited
commercial e-mail.  The bill creates criminal penalties for the
falsification of commercial e-mail headers, and prohibits "misleading"
subject lines.  Enforcement of the Act would lie with the Federal
Trade Commission, State Attorneys General, and Internet Service

The Senate Judiciary Committee reported out S. 1742, the Restore Your
Identity Act of 2001.  The bill was introduced by Sen. Maria Cantwell
(D-WA), and includes important protections for victims of identity
theft.  It requires companies to provide business records regarding
extension of credit and other transactions to individuals who have
been victimized.  Additionally, the bill allows victims to place a
block on their credit report so that information relating to the
identity theft does not become part of their credit file.

The Senate Judiciary Committee also approved S. 848, Sen. Dianne
Feinstein's (D-CA) Social Security Number Misuse Prevention Act of
2001.  The legislation essentially codifies business practices that
lead to unnecessary use of the SSN and identity theft.  It also allows
broad uses of the identifier by law enforcement and by health care
providers. Effective legislation would curb common uses of the SSN.
Sen. Feinstein's legislation would legitimize these common uses.

The Online Personal Privacy Act (S. 2201):


EPIC Testimony on the Online Personal Privacy Act:


The Controlling the Assault of Non-Solicited Pornography and
Marketing Act of 2001 (S. 630):


The Social Security Number Misuse Prevention Act of 2001 (S. 848):


The Restore Your Identity Act of 2001 (S. 1742):


[3] Minnesota Passes ISP Privacy Law

Minnesota Governor Jesse Ventura has signed into law S.F. 2908, a bill
that limits Internet Service Providers' (ISPs) use of personal
information and regulates the transmission of unsolicited commercial
e-mail.  S.F. 2908 was sponsored by State Sen. Steve Kelley and passed
by unanimous vote in the Minnesota Senate, despite vigorous lobbying
campaigns by ISP giant America Online and others.

The bill brings Minnesota into the forefront on the debate over
whether federal legislation should override state attempts to protect
privacy.  States have been more successful in passing privacy
legislation in recent years, as anti-privacy lobbyists have paralyzed
federal legislators.  Over 20 states have enacted anti-spam laws, and
others have established opt-in financial privacy regimes and
protections against identity theft that surpass federal law.

Article one of the Minnesota bill requires ISPs to give notice and
obtain user authorization before disclosing customer contact
information, browsing history, or the contents of data-storage
services.  The bill allows this authorization to be based on either an
opt-in or opt-out regime, as long as the user is given conspicuous
notice of how to exercise the option in the service agreement.
Exemptions for disclosure exist where there is a warrant or
administrative subpoena.  Litigants in civil court actions can obtain
user information where the requestor can demonstrate a "compelling
need" for disclosure.

Article two of the bill places limits on the transmission of spam.  It
prohibits the falsification of unsolicited commercial e-mail headers,
requires that the subject line carry an "ADV" label, and that the
message include either a toll-free phone number or accurate e-mail
address that permits removal from the mailing list.

Both articles of the bill provide for a private right of action,
attorney's fees, and liquidated damages.  The bill takes effect in
March 2003.

S.F. 2908:


[4] EPIC Files Amicus Brief Contesting Surveillance of TV Use

On May 13, EPIC (joined by several other civil liberties and consumer
groups) filed an amicus brief in federal court for the Central
District of California arguing that a court order requiring SONICblue
to electronically spy on its "personal television" customers was
procedurally and substantively improper.  "Personal television," also
known as a Digital Video Recorder (DVR) or Personal Video Recorder
(PVR), is a box very similar to a VCR.  The added features of a DVR or
PVR, such as an ad-skipping button, are particularly upsetting to the
television studios, who have sued SONICblue on a variety of copyright
infringement theories.

As part of that lawsuit, the television studios sought discovery from
SONICblue, requesting all usage data that the company had on its
customers, such as what shows were recorded, watched, forwarded to
friends, etc.  Because the ReplayTV 4000 product does not transmit
this sort of data back to the company, SONICblue had no data to
provide to the plaintiffs.  At the studios' request, the court ordered
SONICblue to re-engineer its product so that software will be
installed in the ReplayTV box in users' homes, where it will silently
record TV usage data and transmit that data back to SONICblue.  As
part of the court order, SONICblue is then required to turn that data
over the entertainment studios.

SONICblue filed objections to the court order on May 10.  The company
also requested, and was granted, a stay of the ordered surveillance
while the lead judge considers the issue.  EPIC, joined by the Center
for Digital Democracy (CDD), Computer Professionals for Social
Responsibility (CPSR), Consumer Action, Electronic Frontier Foundation
(EFF), Media Access Project (MAP), Public Knowledge, and the Privacy
Foundation, filed an amicus brief, joining SONICblue in those

In its brief, EPIC argued that the court order exceeds the scope of
permissible discovery in litigation.  In particular, a party is
entitled to discover only that information which is already in a
party's possession -- there is no provision mandating prospective
collection of data, especially if such collection results in product
re-engineering.  Moreover, the order infringes on individuals' privacy
rights and intellectual freedom.  Historically, a person's home has
been deemed to be an especially private place, where third parties may
not intrude.  By compelling the installation of software in a person's
home, that seclusion will be violated.  The compelled surveillance
also invades intellectual freedom -- people would be chilled from
watching certain programs, whether unpopular, controversial, or
sexually explicit -- if they knew that an electronic record would be
created, in perpetuity, about their viewing choices.

Additional information about the case, including a copy of EPIC's
amicus brief, is available online at:


EPIC maintains a Web page on Digital Rights Management and its
implications for privacy at:


[5] Supreme Court Retains Ban on COPA Enforcement

The Supreme Court has preserved an injunction barring enforcement of
the Child Online Protection Act (COPA), ruling that the controversial
law raises unresolved free speech questions that must be decided by
the lower courts before the law's constitutionality can be fully

COPA, signed into law in October 1998, makes it a federal crime to use
the Internet to communicate "for commercial purposes" material
considered "harmful to minors," with penalties of up to $150,000 for
each day of violation and up to six months in prison.  Civil liberties
groups, including the American Civil Liberties Union (ACLU) and EPIC,
challenged the law shortly after its passage, arguing that COPA
violates the First Amendment.

In February 1999, the federal district court in Philadelphia issued an
injunction preventing the government from enforcing COPA.  That court
held that COPA was invalid because there is no way for Web speakers to
prevent minors from accessing "harmful" material on the Web without
also burdening adults seeking access to protected speech.  Although
COPA provides a defense if Web speakers restrict access by requiring a
credit card or adult access code, either option was held to burden
free speech.

The Third Circuit Court of Appeals affirmed in June 2000, finding that
COPA was unconstitutional on a different ground.  "Because of the
peculiar geography-free nature of cyberspace, [COPA's] community
standards test would essentially require every Web communication to
abide by the most restrictive community's standards."

The Supreme Court questioned the validity of the only conclusion
reached by the appellate court -- that COPA's reliance on "community
standards" renders the law unconstitutional -- but did not
conclusively resolve the issue.  It is now up to the Third Circuit to
decide whether to rule based on the facts the lower court used, or to
send the case back down for a full trial before the district court.

Ann Beeson, Litigation Director of ACLU's Technology and Liberty
Program, who argued the case before the Supreme Court in November,
said that "the Court clearly had enough doubts about this broad
censorship law to leave in place the ban."

Supreme Court Decision (May 13, 2002):




[6] Microsoft "Dream" Includes A Passport For Every Person

According to a business plan introduced into evidence in the Microsoft
antitrust trial, the company's "dream" with the Passport online
identification and authentication system was to "create the largest
and most leveragable database of profiles on the planet" and "[a]
subscription relationship with every user on the Internet."  Microsoft
already claims the existence of 200 million Passport accounts.

Testimony of Microsoft Vice President David Cole indicated that while
they were urging individuals to reveal personal information, the
company had no idea of how it was going to provide promised Hailstorm
services.  Responding to a June 2001 e-mail from his supervisor
regarding provision of a base set of Hailstorm services, Cole stated
that "there's nobody that really knew how that was going to work or
how that could possibly work."

Cole later testified that Microsoft's goal was to encourage "users to
consume personalized content and services and therefore they need to
sign up for a Passport" [sic].  After collecting personal information,
Microsoft's strategy was to leverage "contextual understanding for
emergence."  That is, Microsoft intends to use the personal data in
order to improve profiling for ad targeting, and eventually to upgrade
the individual to a paid membership account.

Last week, Eastside Journal and Newsbytes reported that Microsoft
changed the privacy preferences of Hotmail users by adding new
information sharing options to the e-mail system.  Users reported that
two boxes had appeared in the Hotmail preferences section that were
set to enable e-mail and demographic information sharing.

EPIC and a coalition of consumer groups have filed a series of
complaints with the FTC alleging that Microsoft's Passport service is
designed to profile users and target them for unwanted advertising and
spam.  EPIC has advised individuals to "Sign Out" of Passport -- that
is, individuals should avoid using the service altogether.

Microsoft Antitrust Trial Transcript, Volume 21, Morning Session,
April 22, 2002:


EPIC's "Sign Out of Passport" Page:


[7] EPIC Bookstore - Youth, Pornography, and the Internet

Youth, Pornography, and the Internet. Edited by Dick Thornburgh and
Herbert S. Lin, National Research Council.


On May 2, the National Academies released this comprehensive study,
which examines different approaches to protecting underage persons
from pornography on the World Wide Web, online sexual predators, and
other material on the Internet that may be considered inappropriate.
The report notes that the Internet is a valuable educational tool, and
that certain methods of "protection" have dire consequences, such as a
severe limitation of online resources, for children and adults alike. 
It attests that, despite the existence of restrictive technologies
such as filters that block certain Web sites, the most important and
effective tool for protecting children from online threats is parental
involvement and supervision.

The study, chaired by Herb Lin and former Attorney General Dick
Thornburgh, also raises questions about the ambiguity of terms such as
"pornography" and "children," which can be subjectively applied in
different ways.  To solve the dilemma of conflicting definitions of
"pornography," the report uses the term "inappropriate sexually
explicit material."  As for whether a six-year-old and a
sixteen-year-old both classify as "children" when it comes to their
exposure to information online, the report contests that higher
education requires access to a larger amount of information, and thus
children of different ages have different online needs.

There is also the question of the impact of public policy on
protecting children from material that is considered to be harmful.
The study concludes that the most effective regulation of this
material would not be to get rid of it entirely, but rather to create
incentives for providers of such material to take action to ensure
that minors cannot access that material.  The report also mentions
that a different approach would be to use public policy to promote
Internet safety education and awareness for parents and children.

"Youth, Pornography, and the Internet" discusses these and other
issues, plus strategies, technological tools, and policy options that
will help children and parents learn to make safe and appropriate
decisions when it comes to their experiences online.

More information on the report:


Related EPIC Publication, Filters & Freedom 2.0: Free Speech
Perspectives on Internet Content Controls:

EPIC Publications:
"Privacy & Human Rights 2001: An International Survey of Privacy Laws
and Developments," (EPIC 2001). Price: $20.
This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including, data protection, telephone
tapping, genetic databases, ID systems and freedom of information
"The Privacy Law Sourcebook 2001: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40. http://www.epic.org/bookstore/pls2001/
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.
"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.
"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
     EPIC Bookstore
     "EPIC Bookshelf" at Powell's Books
[8] Upcoming Conferences and Events

** The Public Voice in Internet Policy Making. June 22, 2002.
Washington, DC. The Electronic Privacy Information Center (EPIC) will
host a one-day public symposium to discuss the future of our rights
and freedoms in the information age. The event is being hosted in
conjunction with INET 2002 and is free and open to the public. For
more information: http://www.thepublicvoice.org/events/dc02/ **


15th Annual Computer and Technology Law Institute. University of Texas
School of Law. May 29-31, 2002. Austin, TX. For more information:

Call For Papers - June 1, 2002 (special recognition for outstanding
student papers). 18th Annual Computer Security Applications Conference
(ACSAC): Practical Solutions to Real Security Problems. Applied
Computer Security Associates. December 9-13, 2002. Las Vegas, Nevada.
For more information: http://www.acsac.org/

Third Annual Institute on Privacy Law. Practising Law Institute. June
3-4, 2002, San Francisco, CA; June 24-25, New York, NY. For more
information: http://www.pli.edu/

Big Brother Is Watching: The Independent Policy Forum. The Independent
Institute. June 6, 2002. Oakland, CA. For more information:

Save Privacy: Grenzverschiebungen im Digitalen Zeitalter. The Heinrich
Böll Foundation. June 7-8, 2002. Berlin, Germany. For more
information: http://www.saveprivacy.org/

Second Annual Information, Networks and Technology Institute. Berkeley
Center for Law and Technology, University of Texas School of Law. June
13-14, 2002. San Jose, CA. For more information:

Privacy Paradox: The Gain of Security vs. Privacy's Loss. Strategic
Research Institute. June 17-18, 2002. Chicago, IL. For more
information: http://www.srinstitute.com/ci234/

INET 2002. Internet Crossroads: Where Technology and Policy Intersect.
Internet Society. June 18-21, 2002. Washington, DC. For more
information: http://www.inet2002.org/

IViR International Copyright Law Summer Course. Royal Netherlands
Academy of Arts and Sciences. July 8-12, 2002. Amsterdam, Netherlands.
For more information: http://www.ivir.nl/

O'Reilly Open Source Convention. O'Reilly and Associates. July 22-26,
2002. San Diego, CA. For more information:

Cyberwar, Netwar and the Revolution in Military Affairs: Real Threats
and Virtual Myths. International School on Disarmament and Research on
Conflicts (ISODARCO). August 3-13, 2002. Trento, Italy. For more
information: http://www.isodarco.it/html/trento02.html

ILPF Conference 2002: Security v. Privacy. Internet Law & Policy
Forum. September 17-19, 2002. Seattle, WA. For more information:

Privacy2002. Technology Policy Group. September 24-26, 2002.
Cleveland, OH. For more information:

Subscription Information
Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:
     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)
Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)
Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription email address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learn
Latin at the same time!  Receive a free epic.org "sed quis custodiet
ipsos custodes?" coffee mug with donation of $75 or more.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
   ---------------------- END EPIC Alert 9.10 -----------------------