==============================================================

EPIC ALERT

==============================================================
Volume 9.10                                       May 23, 2002
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_9.10.html

=======================================================================
Table of Contents
=======================================================================

[1] Coalition Urges European Parliament to Vote Against Data Retention
[2] Legislation Moves on Privacy, Spam, Identity Theft, and SSNs
[3] Minnesota Passes ISP Privacy Law
[4] EPIC Files Amicus Brief Contesting Surveillance of TV Use
[5] Supreme Court Retains Ban on COPA Enforcement
[6] Microsoft "Dream" Includes A Passport For Every Person
[7] EPIC Bookstore - Youth, Pornography, and the Internet
[8] Upcoming Conferences and Events

=======================================================================
[1] Coalition Urges European Parliament to Vote Against Data Retention
=======================================================================

In an open letter sent to all Members of the European Parliament
("EP"), more than 40 civil liberties organizations from 15 countries
around the world strongly recommended that Members vote against
general data retention of communications by law enforcement
authorities. The vote, scheduled for May 29 in Brussels, is critical,
as it constitutes the major step before the final adoption of the new
EU Telecommunications Directive. It may have serious consequences on
the manner in which data retention is currently regulated in the
United States and other countries around the world.

On May 29, the EP must vote to accept language already agreed upon by
its parliamentary committees that opposes data retention, but it also
has to vote on new amendments pushed by the Council and some EP
Members that favor data retention and generalized surveillance of
communications. The upcoming vote is one of the last chances for the
Council of the EU and some EU Member State governments to try to
oppose the EP's position on data retention by pressuring Members to
support compromise language that would allow for data retention. Thus
far, the EP has always opposed data retention and general and
exploratory surveillance of electronic communications.

The letter recommends that EP Members strongly oppose data retention
and take a vigorous stand against the repeated post-9/11 attempts by
European law enforcement authorities, the Council, and some EU Member
State governments to pressure the European Parliament into accepting
data retention as a necessary measure to achieve the "right balance
between security and privacy." Those governmental institutions would
like to compel communications service providers to routinely capture
and archive information detailing traffic and localization data of
telephone calls, e-mail, and other communications of their users,
without the need for a judge and in a preventive and generalized
fashion.

The international coalition's statement asserts that such a position
is contrary to the most respected international human rights
conventions and case law (e.g. the European Convention on Human
Rights, the European Union Charter of Fundamental Rights, and the case
law of the European Court of Human Rights). These instruments fully
support the letter's position, and specify that, when permitted, data
retention must be a necessary, appropriate, proportionate and
temporary measure.
This is inconsistent with the Council's position, which would allow
the preventive and general control of electronic communications for
future and hypothetical criminal investigations.

The statement also refers to the opinions adopted by key players in
the legislative process. The EP Committee on Citizens' Freedoms and
Rights, Justice and Home Affairs, and EU privacy commissioners have
consistently opposed data retention, affirming that, except for
billing and other business-related purposes, it should be prohibited,
unless used in exceptional cases and authorized by judicial or other
competent authorities on a case-by-case basis. If not limited to such
strictures, data retention would violate the fundamental rights of
privacy and data protection, freedom of expression, and presumption of
innocence.

The letter further emphasizes the importance of the upcoming vote.
Until now, no major industrialized country in the world has ever
allowed government-imposed retention requirements for electronic
communications. Because of the cross-border nature of Internet
communications, a pro-data retention vote at the EP would likely have
negative repercussions for Americans and citizens of other countries.
In the United States, current regulations do not require data
retention, even after the enactment of sweeping anti-terrorism
legislation known as the USA PATRIOT Act.

The coalition's letter is available on the Global Internet Liberty
Campaign (GILC) Web site at:

     http://www.gilc.org/cox_en.html

Individuals are also encouraged to endorse the letter, and may do so
until May 28:

     http://www.stop1984.com/index2.php?lang=en&text=letter.txt

EPIC's new Data Retention Web page lists the latest news, the
international instruments referred to in the letter, and the most
current documents subject to the May 29 EP vote:

     http://www.epic.org/privacy/intl/data_retention.html

Verbatim reports of the May 29 EP vote will be available the next day
at:

     http://www3.europarl.eu.int/omk/omnsapir.so/calendar?APP=CRE

=======================================================================
[2] Legislation Moves on Privacy, Spam, Identity Theft, and SSNs
=======================================================================

Congress has been active in moving bills on online privacy, spam,
identity theft, and Social Security numbers (SSNs) in recent weeks.

In the Senate, the Commerce Committee has reported out S. 2201, the
Online Privacy Protection Act. The bill, introduced by Sen. Ernest
Hollings (D-SC), is a compromise measure that is significantly weaker
than Sen. Hollings' prior Internet privacy bill, the Consumer Privacy
Protection Act, which was introduced in May 2000. The current bill
contains strong provisions for privacy, including opt-in protections
for "sensitive information," a right to access dossiers assembled on
consumers, and a private right of action that allows individuals to
sue wrongdoers in their local small claims court. However, the bill
does have some weaknesses: Web sites could still collect personally
identifying information, such as name and address, by only giving
notice and providing the ability to opt-out. The bill also contains a
safe harbor provision that would immunize some Web sites from
accountability. Additionally, the bill would preempt state efforts to
provide greater privacy protections.

The Senate Commerce Committee also approved S. 630, the Controlling
the Assault of Non-Solicited Pornography and Marketing Act of 2001
(CAN SPAM Act of 2001). The legislation, introduced by Sen. Conrad
Burns (R-MT), would create an opt-out regime for unsolicited
commercial e-mail. The bill creates criminal penalties for the
falsification of commercial e-mail headers, and prohibits "misleading"
subject lines. Enforcement of the Act would lie with the Federal Trade
Commission, State Attorneys General, and Internet Service Providers.

The Senate Judiciary Committee reported out S. 1742, the Restore Your
Identity Act of 2001. The bill was introduced by Sen. Maria Cantwell
(D-WA), and includes important protections for victims of identity
theft. It requires companies to provide business records regarding
extension of credit and other transactions to individuals who have
been victimized. Additionally, the bill allows victims to place a
block on their credit report so that information relating to the
identity theft does not become part of their credit file.

The Senate Judiciary Committee also approved S. 848, Sen. Dianne
Feinstein's (D-CA) Social Security Number Misuse Prevention Act of
2001. The legislation essentially codifies business practices that
lead to unnecessary use of the SSN and identity theft. It also allows
broad uses of the identifier by law enforcement and by health care
providers. Effective legislation would curb common uses of the SSN.
Sen. Feinstein's legislation would legitimize these common uses.

The Online Personal Privacy Act (S. 2201):

     http://thomas.loc.gov/cgi-bin/bdquery/z?d107:s.2201:

EPIC Testimony on the Online Personal Privacy Act:

     http://www.epic.org/privacy/internet/s2201_testimony.html

The Controlling the Assault of Non-Solicited Pornography and Marketing
Act of 2001 (S. 630):

     http://thomas.loc.gov/cgi-bin/bdquery/z?d107:s.00630:

The Social Security Number Misuse Prevention Act of 2001 (S. 848):

     http://thomas.loc.gov/cgi-bin/bdquery/z?d107:s.00848:

The Restore Your Identity Act of 2001 (S. 1742):

     http://thomas.loc.gov/cgi-bin/bdquery/z?d107:s.01742:

=======================================================================
[3] Minnesota Passes ISP Privacy Law
=======================================================================

Minnesota Governor Jesse Ventura has signed into law S.F. 2908, a bill
that limits Internet Service Providers' (ISPs) use of personal
information and regulates the transmission of unsolicited commercial
e-mail. S.F. 2908 was sponsored by State Sen. Steve Kelley and passed
by unanimous vote in the Minnesota Senate, despite vigorous lobbying
campaigns by ISP giant America Online and others.

The bill brings Minnesota into the forefront on the debate over
whether federal legislation should override state attempts to protect
privacy. States have been more successful in passing privacy
legislation in recent years, as anti-privacy lobbyists have paralyzed
federal legislators. Over 20 states have enacted anti-spam laws, and
others have established opt-in financial privacy regimes and
protections against identity theft that surpass federal law.

Article one of the Minnesota bill requires ISPs to give notice and
obtain user authorization before disclosing customer contact
information, browsing history, or the contents of data-storage
services. The bill allows this authorization to be based on either an
opt-in or opt-out regime, as long as the user is given conspicuous
notice of how to exercise the option in the service agreement.
Exemptions for disclosure exist where there is a warrant or
administrative subpoena. Litigants in civil court actions can obtain
user information where the requestor can demonstrate a "compelling
need" for disclosure.

Article two of the bill places limits on the transmission of spam.
It prohibits the falsification of unsolicited commercial e-mail
headers, requires that the subject line carry an "ADV" label, and that
the message include either a toll-free phone number or accurate e-mail
address that permits removal from the mailing list.

Both articles of the bill provide for a private right of action,
attorney's fees, and liquidated damages. The bill takes effect in
March 2003.

S.F. 2908:

     http://www.epic.org/redirect/mn_senate_redirect.html

=======================================================================
[4] EPIC Files Amicus Brief Contesting Surveillance of TV Use
=======================================================================

On May 13, EPIC (joined by several other civil liberties and consumer
groups) filed an amicus brief in federal court for the Central
District of California arguing that a court order requiring SONICblue
to electronically spy on its "personal television" customers was
procedurally and substantively improper. "Personal television," also
known as a Digital Video Recorder (DVR) or Personal Video Recorder
(PVR), is a box very similar to a VCR. The added features of a DVR or
PVR, such as an ad-skipping button, are particularly upsetting to the
television studios, who have sued SONICblue on a variety of copyright
infringement theories.

As part of that lawsuit, the television studios sought discovery from
SONICblue, requesting all usage data that the company had on its
customers, such as what shows were recorded, watched, forwarded to
friends, etc. Because the ReplayTV 4000 product does not transmit this
sort of data back to the company, SONICblue had no data to provide to
the plaintiffs. At the studios' request, the court ordered SONICblue
to re-engineer its product so that software will be installed in the
ReplayTV box in users' homes, where it will silently record TV usage
data and transmit that data back to SONICblue.
As part of the court order, SONICblue is then required to turn that
data over to the entertainment studios.

SONICblue filed objections to the court order on May 10. The company
also requested, and was granted, a stay of the ordered surveillance
while the lead judge considers the issue. EPIC, joined by the Center
for Digital Democracy (CDD), Computer Professionals for Social
Responsibility (CPSR), Consumer Action, Electronic Frontier Foundation
(EFF), Media Access Project (MAP), Public Knowledge, and the Privacy
Foundation, filed an amicus brief, joining SONICblue in those
objections.

In its brief, EPIC argued that the court order exceeds the scope of
permissible discovery in litigation. In particular, a party is
entitled to discover only that information which is already in a
party's possession -- there is no provision mandating prospective
collection of data, especially if such collection results in product
re-engineering. Moreover, the order infringes on individuals' privacy
rights and intellectual freedom. Historically, a person's home has
been deemed to be an especially private place, where third parties may
not intrude. By compelling the installation of software in a person's
home, that seclusion will be violated. The compelled surveillance also
invades intellectual freedom -- people would be chilled from watching
certain programs, whether unpopular, controversial, or sexually
explicit -- if they knew that an electronic record would be created,
in perpetuity, about their viewing choices.

Additional information about the case, including a copy of EPIC's
amicus brief, is available online at:

     http://www.epic.org/litigation/replaytv/

EPIC maintains a Web page on Digital Rights Management and its
implications for privacy at:

     http://www.epic.org/privacy/drm/

=======================================================================
[5] Supreme Court Retains Ban on COPA Enforcement
=======================================================================

The Supreme Court has preserved an injunction barring enforcement of
the Child Online Protection Act (COPA), ruling that the controversial
law raises unresolved free speech questions that must be decided by
the lower courts before the law's constitutionality can be fully
assessed.

COPA, signed into law in October 1998, makes it a federal crime to use
the Internet to communicate "for commercial purposes" material
considered "harmful to minors," with penalties of up to $150,000 for
each day of violation and up to six months in prison. Civil liberties
groups, including the American Civil Liberties Union (ACLU) and EPIC,
challenged the law shortly after its passage, arguing that COPA
violates the First Amendment.

In February 1999, the federal district court in Philadelphia issued an
injunction preventing the government from enforcing COPA. That court
held that COPA was invalid because there is no way for Web speakers to
prevent minors from accessing "harmful" material on the Web without
also burdening adults seeking access to protected speech. Although
COPA provides a defense if Web speakers restrict access by requiring a
credit card or adult access code, either option was held to burden
free speech.

The Third Circuit Court of Appeals affirmed in June 2000, finding that
COPA was unconstitutional on a different ground.
"Because of the peculiar geography-free nature of cyberspace, [COPA's]
community standards test would essentially require every Web
communication to abide by the most restrictive community's standards."

The Supreme Court questioned the validity of the only conclusion
reached by the appellate court -- that COPA's reliance on "community
standards" renders the law unconstitutional -- but did not
conclusively resolve the issue. It is now up to the Third Circuit to
decide whether to rule based on the facts the lower court used, or to
send the case back down for a full trial before the district court.

Ann Beeson, Litigation Director of ACLU's Technology and Liberty
Program, who argued the case before the Supreme Court in November,
said that "the Court clearly had enough doubts about this broad
censorship law to leave in place the ban."

Supreme Court Decision (May 13, 2002):

     http://www.supremecourtus.gov/opinions/01pdf/00-1293.pdf

EPIC's COPA Page:

     http://www.epic.org/free_speech/copa/

=======================================================================
[6] Microsoft "Dream" Includes A Passport For Every Person
=======================================================================

According to a business plan introduced into evidence in the Microsoft
antitrust trial, the company's "dream" with the Passport online
identification and authentication system was to "create the largest
and most leveragable database of profiles on the planet" and "[a]
subscription relationship with every user on the Internet." Microsoft
already claims the existence of 200 million Passport accounts.

Testimony of Microsoft Vice President David Cole indicated that while
they were urging individuals to reveal personal information, the
company had no idea of how it was going to provide promised Hailstorm
services.
Responding to a June 2001 e-mail from his supervisor regarding
provision of a base set of Hailstorm services, Cole stated that
"there's nobody that really knew how that was going to work or how
that could possibly work."

Cole later testified that Microsoft's goal was to encourage "users to
consume personalized content and services and therefore they need to
sign up for a Passport" [sic]. After collecting personal information,
Microsoft's strategy was to leverage "contextual understanding for
emergence." That is, Microsoft intends to use the personal data in
order to improve profiling for ad targeting, and eventually to upgrade
the individual to a paid membership account.

Last week, Eastside Journal and Newsbytes reported that Microsoft
changed the privacy preferences of Hotmail users by adding new
information sharing options to the e-mail system. Users reported that
two boxes had appeared in the Hotmail preferences section that were
set to enable e-mail and demographic information sharing.

EPIC and a coalition of consumer groups have filed a series of
complaints with the FTC alleging that Microsoft's Passport service is
designed to profile users and target them for unwanted advertising and
spam. EPIC has advised individuals to "Sign Out" of Passport -- that
is, individuals should avoid using the service altogether.

Microsoft Antitrust Trial Transcript, Volume 21, Morning Session,
April 22, 2002:

     http://www.epic.org/redirect/microsoft_redirect.html

EPIC's "Sign Out of Passport" Page:

     http://www.epic.org/privacy/consumer/microsoft/

=======================================================================
[7] EPIC Bookstore - Youth, Pornography, and the Internet
=======================================================================

Youth, Pornography, and the Internet. Edited by Dick Thornburgh and
Herbert S. Lin, National Research Council.

     http://books.nap.edu/html/youth_internet/

On May 2, the National Academies released this comprehensive study,
which examines different approaches to protecting underage persons
from pornography on the World Wide Web, online sexual predators, and
other material on the Internet that may be considered inappropriate.
The report notes that the Internet is a valuable educational tool, and
that certain methods of "protection" have dire consequences, such as a
severe limitation of online resources, for children and adults alike.
It attests that, despite the existence of restrictive technologies
such as filters that block certain Web sites, the most important and
effective tool for protecting children from online threats is parental
involvement and supervision.

The study, chaired by Herb Lin and former Attorney General Dick
Thornburgh, also raises questions about the ambiguity of terms such as
"pornography" and "children," which can be subjectively applied in
different ways. To solve the dilemma of conflicting definitions of
"pornography," the report uses the term "inappropriate sexually
explicit material." As for whether a six-year-old and a
sixteen-year-old both classify as "children" when it comes to their
exposure to information online, the report contends that higher
education requires access to a larger amount of information, and thus
children of different ages have different online needs.

There is also the question of the impact of public policy on
protecting children from material that is considered to be harmful.
The study concludes that the most effective regulation of this
material would not be to get rid of it entirely, but rather to create
incentives for providers of such material to take action to ensure
that minors cannot access that material. The report also mentions that
a different approach would be to use public policy to promote Internet
safety education and awareness for parents and children.

"Youth, Pornography, and the Internet" discusses these and other
issues, plus strategies, technological tools, and policy options that
will help children and parents learn to make safe and appropriate
decisions when it comes to their experiences online.

More information on the report:

     http://www.epic.org/redirect/nat_acad_redirect.html

Related EPIC Publication, Filters & Freedom 2.0: Free Speech
Perspectives on Internet Content Controls:

     http://www.epic.org/bookstore/filters2.0/

================================

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Laws
and Developments," (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/phr2001/

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world. The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, ID systems and freedom of information
laws.

================================

"The Privacy Law Sourcebook 2001: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40.
http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce. The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore/

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

** The Public Voice in Internet Policy Making. June 22, 2002.
Washington, DC.

The Electronic Privacy Information Center (EPIC) will host a one-day
public symposium to discuss the future of our rights and freedoms in
the information age. The event is being hosted in conjunction with
INET 2002 and is free and open to the public.

For more information: http://www.thepublicvoice.org/events/dc02/ **

=======================================================================

15th Annual Computer and Technology Law Institute. University of Texas
School of Law. May 29-31, 2002. Austin, TX.
For more information:
http://www.utexas.edu/law/cle/conferences/spring2002/PC02/

Call For Papers - June 1, 2002 (special recognition for outstanding
student papers). 18th Annual Computer Security Applications Conference
(ACSAC): Practical Solutions to Real Security Problems. Applied
Computer Security Associates. December 9-13, 2002. Las Vegas, Nevada.
For more information: http://www.acsac.org/

Third Annual Institute on Privacy Law. Practising Law Institute.
June 3-4, 2002, San Francisco, CA; June 24-25, New York, NY. For more
information: http://www.pli.edu/

Big Brother Is Watching: The Independent Policy Forum. The Independent
Institute. June 6, 2002. Oakland, CA. For more information:
http://www.independent.org/tii/forums/020606ipf.html

Save Privacy: Grenzverschiebungen im Digitalen Zeitalter. The Heinrich
Böll Foundation. June 7-8, 2002. Berlin, Germany. For more
information: http://www.saveprivacy.org/

Second Annual Information, Networks and Technology Institute. Berkeley
Center for Law and Technology, University of Texas School of Law.
June 13-14, 2002. San Jose, CA. For more information:
http://www.utexas.edu/law/cle/conferences/summer2002/TJ02/

Privacy Paradox: The Gain of Security vs. Privacy's Loss. Strategic
Research Institute. June 17-18, 2002. Chicago, IL. For more
information: http://www.srinstitute.com/ci234/

INET 2002. Internet Crossroads: Where Technology and Policy Intersect.
Internet Society. June 18-21, 2002. Washington, DC. For more
information: http://www.inet2002.org/

IViR International Copyright Law Summer Course. Royal Netherlands
Academy of Arts and Sciences. July 8-12, 2002. Amsterdam, Netherlands.
For more information: http://www.ivir.nl/

O'Reilly Open Source Convention. O'Reilly and Associates.
July 22-26, 2002. San Diego, CA. For more information:
http://conferences.oreilly.com/oscon/

Cyberwar, Netwar and the Revolution in Military Affairs: Real Threats
and Virtual Myths.
International School on Disarmament and Research on Conflicts
(ISODARCO). August 3-13, 2002. Trento, Italy. For more information:
http://www.isodarco.it/html/trento02.html

ILPF Conference 2002: Security v. Privacy. Internet Law & Policy
Forum. September 17-19, 2002. Seattle, WA. For more information:
http://www.ilpf.org/conference2002/

Privacy2002. Technology Policy Group. September 24-26, 2002.
Cleveland, OH. For more information:
http://www.privacy2000.org/privacy02/index.shtml

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via email:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Back issues are available at:

     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information". Please contact info@epic.org if you would
like to change your subscription email address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to focus
public attention on emerging privacy issues such as the Clipper Chip,
the Digital Telephony proposal, national ID cards, medical record
privacy, and the collection and sale of personal information. EPIC
publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research. For more information, e-mail
info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut
Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel),
+1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can
contribute online at:

     http://www.epic.org/donate/

=======================================================================

Drink coffee, support civil liberties, get a tax deduction, and learn
Latin at the same time! Receive a free epic.org "sed quis custodiet
ipsos custodes?" coffee mug with donation of $75 or more.

=======================================================================

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 9.10 -----------------------