
        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
    Volume 9.15                                     August 9, 2002
                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.
Table of Contents

[1] FTC Announces Action Against Microsoft Passport
[2] Court Orders DOJ to Disclose Names of 9/11 Detainees
[3] OECD Announces Computer Security Guidelines
[4] EPIC Files Brief in Online Offender Registry Case
[5] EPIC Argues Police Must Be Present for Online Search
[6] Eli Lilly Settles With States; NTIA to Hold ENUM Forum
[7] EPIC Bookstore - Trust Us, We're Experts
[8] Upcoming Conferences and Events

[1] FTC Announces Action Against Microsoft Passport

The Federal Trade Commission (FTC) yesterday announced a consent
order with Microsoft regarding the Passport identification and
authentication system.  Prompted by a complaint submitted by EPIC and
fourteen leading consumer groups, the FTC's investigation found that
Microsoft had violated federal consumer protection law prohibiting
unfair and deceptive trade practices.

In July and August 2001, EPIC -- joined by groups including
Junkbusters, Consumers Union, US PIRG and the Consumer Federation of
America -- submitted detailed complaints to the Commission.  The
complaints described the serious privacy implications of Microsoft
Windows XP and Microsoft Passport, and alleged that the collection and
use of personal information by the company would violate Section 5 of
the Federal Trade Commission Act.  After the complaints were filed,
the company experienced a series of serious security breaches,
including a vulnerability that would have allowed a person to steal
information within the Microsoft Wallet service.

The FTC yesterday found that Microsoft made a series of false
representations about Passport.  First, the company, despite
guarantees to the contrary, did not employ reasonable methods to
protect the privacy of personal information collected by Passport. 
Second, the company falsely represented that the Passport Wallet
service provided extra security over standard e-commerce transactions.
Third, the company did not disclose that Passport tracked users'
visits to web sites, when in fact a log of user activity was
maintained by the company for months.  Fourth, Kids' Passport failed
to provide parental control over collection of information online.

The order requires Microsoft to implement a new information security
program.  A third-party auditor will check compliance with this
program within one year, and Microsoft must reassess its information
security practices every two years.  Further, Microsoft is prohibited
from making future false representations about the Passport service.
Microsoft is bound by the order for 20 years, and fines can be levied
for non-compliance.

The FTC will accept public comment on the order until September 9,

FTC Consent Order:


FTC Complaint:


EPIC's Sign Out of Passport Page:


EPIC's Passport Investigation Docket Page:


[2] Court Orders DOJ to Disclose Names of 9/11 Detainees

In a decision issued on August 2, U.S. District Judge Gladys Kessler
directed the Justice Department to disclose, no later than August 19,
the identities of more than 1,000 individuals detained in connection
with the government's September 11 terrorist investigation. Under the
order, detainees desiring confidentiality of their identities can file
statements requesting non-disclosure.  The judicial decision marks a
significant defeat for government secrecy in the wake of the terrorist
attacks.  EPIC joined with a coalition of other groups in seeking the
disclosure of the information under the Freedom of Information Act
(FOIA) and serves as co-counsel in the case.

The Justice Department had argued that releasing the detainees' names
and other information could undermine the September 11 investigation
and harm national security.  Disclosure would subject the detainees to
possible intimidation or coercion, the government argued, and provide
terrorists with a potential "road map" of the investigation.  Judge
Kessler found the government's argument "unpersuasive" and concluded
that "the public's interest in learning the identities of those
arrested and detained is essential to verifying whether the government
is operating within the bounds of the law."

The FOIA lawsuit was filed by the Center for National Security
Studies, EPIC, and 21 other organizations, including the American
Civil Liberties Union, Human Rights Watch and Amnesty International
USA.  The plaintiffs argued that the detentions constituted secret
arrests that violated longstanding legal requirements compelling the
government to account for the individuals it incarcerates.

"The Court fully understands and appreciates that the first priority
of the executive branch in a time of crisis is to ensure the physical
security of its citizens," Judge Kessler wrote.  "By the same token,
the first priority of the judicial branch must be to ensure that our
government always operates within the statutory and constitutional
constraints which distinguish a democracy from a dictatorship."

The Justice Department has appealed the ruling and asked Judge Kessler
to delay enforcement of her order pending resolution of the appeal.

The court's decision is available at:


EPIC has produced a resource page with background on the litigation:


[3] OECD Announces Computer Security Guidelines

The Organization for Economic Cooperation and Development (OECD) has
released principles for computer security that emphasize democracy,
transparency, privacy, and education.  The OECD principles are
intended to protect important civil society values as countries and
private sector organizations go forward with computer security plans.

EPIC Research Director Sarah Andrews served on the OECD expert panel
as the civil society representative, and consulted with computer
security experts, public policy experts, and NGO participants in the
Public Voice project during the year-long development of the

The OECD, based in Paris, is a thirty-member organization of leading
industrial nations in North America, Europe and East Asia.  Over the
years, the OECD has produced several important policy frameworks for
information technology in such areas as privacy, cryptography, and
electronic commerce.

The original OECD Security Guidelines were promulgated in 1992. The
new Guidelines seek to take account of the development of network
computing and the growth of commercial services, as well as the
response of governments to the events of September 11.

The OECD Security Guidelines set out nine principles: Awareness,
Responsibility, Response, Ethics, Democracy, Risk Assessment, Security
Design and Implementation, Security Management, and Reassessment. 
Each principle is followed by a definition and then a one paragraph
description.  Taken as a whole, the principles emphasize the joint
responsibility of all participants to promote network security.  The
Guidelines also draw attention to important democratic goals in the
design of security policy, including and specifically stating that:

     Security should be implemented in a manner consistent with
     the values recognised by democratic societies including the
     freedom to exchange thoughts and ideas, the free flow of
     information, the confidentiality of information and
     communication, the appropriate protection of personal
     information, openness and transparency.

The OECD also adopted a principle on Risk Assessment that states:

     Risk assessment identifies threats and vulnerabilities and
     should be sufficiently broad-based to encompass key internal
     and external factors, such as technology, physical and human
     factors, policies and third-party services with security
     implications.  Risk assessment will allow determination of
     the acceptable level of risk and assist the selection of
     appropriate controls to manage the risk of potential harm to
     information systems and networks in light of the nature and
     importance of the information to be protected.  Because of
     the growing interconnectivity of information systems, risk
     assessment should include consideration of the potential
     harm that may originate from others or be caused to others.

A similar proposal was under consideration by the OECD in 1992 but was
not adopted at that time.

Regrettably, the OECD adopted the authoritarian "culture of security"
as the tagline for its most recent effort.  But overall the Guidelines
are a welcome contribution to the computer security field, and should
promote policies that are more responsive to civil society interests
than some of the recent proposals of national governments.

OECD Guidelines for the Security of Information Systems and Networks:


OECD Governments Launch Drive to Improve Security of Online Networks:

The Public Voice:


[4] EPIC Files Brief in Online Offender Registry Case

EPIC filed an amicus brief with the Supreme Court on August 5, urging
the Court to uphold a circuit court ruling that the Alaska "Megan's
Law" statute violates the Constitution.  EPIC argues that the
mandatory online dissemination of a sex offender registry is excessive
when weighed against the statutory purpose of protecting people in the
geographic vicinity of released offenders.

The Alaska law is the state's adaptation of federal legislation
requiring public notification of the locations of convicted sex
offenders upon their release.  Commonly called "Megan's Law," the
federal law directing such notification was enacted in 1996 after the
slaying of Megan Kanka, a seven-year-old New Jersey girl, by a
neighbor who had been released after serving time for sex offenses.

The federal appellate court determined that the Alaska law,
permitting inclusion of names, addresses, descriptions, and other
private information in a sex offender registry to be posted on the
Internet, violated the ex post facto clause of the Constitution
because the information included in the registry was too broad and the
methods of gathering that information were extremely burdensome.  Most
importantly, the appeals court found that the intent of protecting
those in the geographical area from individuals required to register
was not furthered by allowing people all over the world to access the
personal data included in the registry.

EPIC's amicus brief focuses on the effect of Internet dissemination of
stigmatizing information collected by the government.  EPIC argues
that the government has a duty to impose safeguards and limitations
upon its dissemination of private, stigmatizing information that it
collects, especially when such information would otherwise be
effectively unavailable but is made readily accessible worldwide
through government action.

EPIC's resource page with background information on the case:


EPIC's amicus brief is available at:


[5] EPIC Argues Police Must Be Present for Online Search

On July 26, EPIC filed an amicus brief in the Eighth Circuit arguing
that police officer presence is required during the service of a
warrant on an ISP.  EPIC argues that the service of a search warrant
by fax machine does not adequately safeguard the Fourth Amendment
guarantee of a "reasonable" search.  EPIC's brief details the history of U.S.
search and seizure law, which has mandated officer presence at the
service of a warrant since the 1700s.

The case arose in October 2000, when police officers in Minnesota
began investigating Dale Robert Bach for potential child pornography
crimes.  As part of the investigation, an officer obtained a search
warrant to be served upon Yahoo, an Internet service provider in
California.  Minnesota requires that an officer be present at the
service of a search warrant.  However, rather than adhering to the
requirements provided by Minnesota law, the officer investigating Bach
served the search warrant on Yahoo by fax.  Upon receiving the fax,
Yahoo employees retrieved all data from Bach's account, including
deleted email messages.  Yahoo then mailed the disk to Minnesota,
where the data became evidence in Bach's federal criminal trial.

At trial, Bach moved to have the evidence suppressed, citing
violations of the Minnesota statute as well as a federal statute.  The
district court held that the evidence should be suppressed as the
search was illegal under both federal and state laws.  EPIC's brief
urges the appellate court to uphold this ruling, because officer
presence is a historical and crucial procedural safeguard guaranteeing
Fourth Amendment protections.

There are more than 140 million Internet users in the United States;
thus, the court's resolution of this case could potentially affect the
privacy interests of millions of citizens.

EPIC's Bach Page:


EPIC's amicus brief is available at:


[6] Eli Lilly Settles With States; NTIA to Hold ENUM Forum

New York and seven other states have settled an investigation of
pharmaceutical company Eli Lilly, which accidentally disclosed over
600 personally-identifiable e-mail addresses of individuals who signed
up for an online messaging service.  The messaging service sent
subscribers a daily reminder to take Prozac, a prescription
anti-depressant.  In July 2001, the ACLU alerted federal authorities
to the privacy violation.

Under the settlement agreement, the company agreed to improve internal
information security standards.  The company will issue information
security reports, and undergo independent compliance reviews.  The
company also paid $160,000 to the eight states for attorney fees and
investigative costs.  In January 2002, Eli Lilly settled a federal
investigation of the same matter, but was not required to pay monetary
damages.  Individuals who were harmed by the disclosure may still
bring suit against the company.


The Department of Commerce's National Telecommunications Information
Agency (NTIA) will hold a roundtable on Electronic Numbering (ENUM) on
August 14, 2002.  ENUM is a technology that enables a user to store
contact information that can be accessed by another person through the
use of a single number.  For instance, a person could store fax,
voice, and voicemail numbers, as well as e-mail and home addresses,
all in a single ENUM account.  By using the ENUM associated with the
account, another person could access all the personal contact
information contained within that account.

ENUM may become a widely-used technology to facilitate convenient
communications.  However, its privacy implications have not been
adequately addressed.  The ENUM database would be public and
searchable by anyone.  It is likely that marketers, spammers, and
malicious actors will mine the database for personal contact
information.  Since there are no statutory protections in place
regulating the use of ENUM contact information, marketers and spammers
may use the contact information for junk mail, unsolicited commercial
e-mail, and other forms of commercial solicitations.
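As an added illustration (not part of the EPIC Alert, and not code from EPIC or NTIA), the Python script below walks the ENUM lookup path as specified in RFC 2916: the E.164 number is reversed digit by digit into a name under e164.arpa, and the NAPTR records published at that name are evaluated to produce contact URIs. The zone fragment, the phone number, the contact URIs and the E2U+ service labels are all constructed for this example. The point it makes concrete is the one raised above: the DNS name is computable from the phone number alone and the records are answered by ordinary DNS, so nothing stands between a marketer's bulk query and the fax, voice and e-mail identifiers stored in the account.

```python
"""Constructed walk-through of an ENUM lookup (RFC 2916 style):
E.164 number -> e164.arpa domain -> NAPTR records -> contact URIs.
Every record, number and address below is made up for this example.
Added illustration, not code from the EPIC Alert, EPIC or NTIA."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


def e164_to_enum_domain(number: str) -> str:
    """Keep only the digits, reverse them, dot-separate, append e164.arpa.
    This is the step anyone can perform offline for any phone number."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("no digits in E.164 number")
    return ".".join(reversed(digits)) + ".e164.arpa."


@dataclass
class Naptr:
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str


# Zone-file NAPTR line: order, preference, "flags", "service", "regexp", replacement.
_NAPTR_RE = re.compile(
    r'NAPTR\s+(\d+)\s+(\d+)\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s+(\S+)'
)


def parse_naptr(line: str) -> Optional[Naptr]:
    """Return a Naptr for a zone line carrying a NAPTR record, else None."""
    m = _NAPTR_RE.search(line)
    if not m:
        return None
    order, pref, flags, service, regexp, repl = m.groups()
    return Naptr(int(order), int(pref), flags, service, regexp, repl)


def apply_regexp(subject: str, regexp: str) -> Optional[str]:
    """Apply a NAPTR regexp field (delim pattern delim replacement delim [flags])
    to the queried number; None when the pattern does not match."""
    delim = regexp[0]
    parts = regexp.split(delim)
    if len(parts) < 4:
        raise ValueError("malformed NAPTR regexp field: %r" % regexp)
    pattern, replacement, flags = parts[1], parts[2], parts[3]
    re_flags = re.IGNORECASE if "i" in flags else 0
    result, count = re.subn(pattern, replacement, subject, count=1, flags=re_flags)
    return result if count else None


def resolve_enum(number: str, zone_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Evaluate terminal ("u" flag) NAPTR rules in order/preference order and
    return (service, uri) pairs: the contact data the account exposes."""
    records = [r for r in map(parse_naptr, zone_lines) if r is not None]
    records.sort(key=lambda r: (r.order, r.preference))
    exposed: List[Tuple[str, str]] = []
    for rec in records:
        if "u" not in rec.flags.lower():  # only URI-producing rules here
            continue
        uri = apply_regexp(number, rec.regexp)
        if uri:
            exposed.append((rec.service, uri))
    return exposed


# Constructed zone fragment for the fictional number +1 555 010 0123.
# The E2U+ service labels are assumed for illustration, not copied from a registry.
SAMPLE_ZONE = """
; constructed ENUM zone for +1 555 010 0123
$ORIGIN 3.2.1.0.0.1.0.5.5.5.1.e164.arpa.
@ IN NAPTR 100 10 "u" "E2U+sip"          "!^.*$!sip:alice@example.net!" .
@ IN NAPTR 100 20 "u" "E2U+email:mailto" "!^.*$!mailto:alice@example.net!" .
@ IN NAPTR 100 30 "u" "E2U+fax:tel"      "!^.*$!tel:+15550100999!" .
""".strip().splitlines()


if __name__ == "__main__":
    number = "+1-555-010-0123"
    print("query name:", e164_to_enum_domain(number))
    for service, uri in resolve_enum(number, SAMPLE_ZONE):
        print("%-18s %s" % (service, uri))
```

Running the script prints the e164.arpa query name for the number and then the SIP, mailto and fax URIs recovered from the constructed records; substituting any other number changes only the query name, which is why a public ENUM tree can be enumerated without any credential.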

Lilly's Multi-State Settlement Agreement:


The ACLU's Complaint:


EPIC's ENUM resource page:


NTIA ENUM Public Meeting Notice:


[7] EPIC Bookstore - Trust Us, We're Experts

Trust Us, We're Experts: How Industry Manipulates Science and Gambles
With Your Future, by Sheldon Rampton and John Stauber (Putnam 2001).


At a recent Federal Trade Commission (FTC) workshop on telemarketing,
Jim Miller, former FTC Chairman and now Washington lobbyist, presented
a study showing that predictive dialers, the systems that allow
telemarketers to phone many persons at the same time, should not be
eliminated because they lower costs for consumers.  Miller's report,
sponsored by the "Consumer Choice Coalition," glossed over objections
to predictive dialers, which result in hang-up calls to phone
subscribers.  While calculating in detail the costs of new
telemarketing regulations to industry, Miller did not attempt to
account for the lost time and frustration caused by predictive
dialers.  A little digging shows that no consumers seem to be members
of the Consumer Choice Coalition -- rather, it is a "cross-industry
coalition of companies and associations."

In "Trust Us, We're Experts," Sheldon Rampton and John Stauber's
second book on the public relations (PR) industry, the reader is
warned about the role that Miller and other experts play in the public
policy process.  These experts, supported by massive funding from
industry, formulate clever studies that ward off regulators and
legislators.  In some cases, these experts even endanger the public.

The authors illustrate a formula for industry advocacy.  First,
experts are acquired to present the appearance of neutral, third-party
support.  Third-party advocacy is well-recognized as a force for
creating credibility, and in fact, it is the first guideline in a
developing field called "persuasive computing," which seeks to develop
computer interfaces that alter individuals' behavior.  Second,
industry groups grow "astroturf" -- that is, fake grassroots support
for their position.  This usually takes the form of letters to
newspapers and legislators from concerned citizens who are quietly
remunerated for their support.  Third, well-organized PR firms send
out pre-written news stories that are republished by busy journalists,
sometimes in full as original news.

PR techniques are also used to distract the public from public health
hazards.  A typical approach is to deny that the hazard exists at all.
But when denial is no longer tenable, PR experts advise companies to
blame the problem on other hazards, or on the victim himself.  When
blame can no longer be assigned, they claim that assigning
responsibility to the company will result in lost jobs or bankruptcy.

While these approaches sound simple and predictable, they have been
effective in duping the public repeatedly.  The authors illustrate how
they successfully delayed or stopped regulations to protect
individuals from known toxins, including asbestos, tobacco, vinyl
chloride, and conditions such as silicosis.  They were even effective
in stalling the removal of lead from gasoline, despite the fact that
lead has been a known toxin for centuries.

The book is full of surprises, including a description of a software
program called "Outrage" that helps companies manage potential PR
problems.  The software advises companies to "deflect, defer, dismiss,
or defeat" negative attention, depending on the situation.  Companies
can even purchase "crisis management" consulting packages to ward off
negative media attention.

The authors do present solutions to lessen the impact of industry
experts on public policy.  One important practice, which was recently
adopted by the prestigious New England Journal of Medicine, is to
refuse to publish any study where the sponsor has the right to
pre-publication review and veto -- in essence, the ability to withhold
unfavorable results from public view.  The authors also suggest that
research from other countries be relied upon to evaluate public
policy.  Researchers in other countries sometimes have exposed
industrial hazards decades before American experts.  But, most
importantly, the authors urge us to question authority.  Collectively,
whether the issue is privacy, pesticides, or global warming, we need
to pay more attention to the man behind the curtain.

- Chris Hoofnagle

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Laws
and Developments," (EPIC 2001). Price: $20.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, ID systems and freedom of information.

"The Privacy Law Sourcebook 2001: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40. http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore
     "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

IT and Law. University of Geneva, University of Bern, Swiss
Association of IT and Law. September 9-10, 2002. Geneva, Switzerland.
For more information: http://www.informatiquejuridique.ch/

ILPF Conference 2002: Security v. Privacy. Internet Law & Policy
Forum. September 17-19, 2002. Seattle, WA. For more information:

Privacy2002: Information, Security & New Global Realities. Technology
Policy Group. September 24-26, 2002. Cleveland, OH. For more
information: http://www.privacy2000.org/privacy2002/

Privacy in Ubicomp 2002: Workshop on Socially-informed Design of
Privacy-enhancing Solutions in Ubiquitous Computing. Held as part of
UBICOMP 2002. September 29, 2002. Goeteborg, Sweden. For more
information: http://guir.berkeley.edu/privacyworkshop2002/

Shrinking World, Expanding Net. Computer Professionals for Social
Responsibility (CPSR). October 5, 2002. Cambridge, MA. For more
information: http://www.cpsr.org/conferences/annmtg02/

Bridging the Digital Divide: Challenge and Opportunities. 3rd World
Summit on Internet and Multimedia. October 8-11, 2002. Montreux,
Switzerland. For more information: http://www.internetworldsummit.org/

2002 WSEAS International Conference on Information Security (ICIS
'02). World Scientific and Engineering Academy and Society. October
14-17, 2002. Rio de Janeiro, Brazil. For more information:

IAPO Privacy & Security Conference. International Association of
Privacy Officers. October 16-18, 2002. Chicago, IL. For more
information: http://www.privacyassociation.org/html/conferences.html

Privacy Trends: Complying With New Demands. Riley Information Services
Inc. and the Commonwealth Centre for Electronic Governance. October
22, 2002. Ottawa, Canada. For more information:

3rd Annual Privacy and Security Workshop: Privacy & Security: Totally
Committed. Centre for Applied Cryptographic Research, University of
Waterloo and the Information and Privacy Commissioner/Ontario.
University of Toronto. November 7-8, 2002. Toronto, Canada. For more
information: http://www.epic.org/redirect/cacr.html

First Hawaii Biometrics Conference. Windward Community College,
Pacific Center for Advanced Technology Training (PCATT). November
10-13, 2002. Waikiki, HI. For more information:

Transformations in Politics, Culture and Society. Inter-
Disciplinary.Net. December 6-8, 2002. Brussels, Belgium. For more
information: http://www.inter-disciplinary.net/tpcs1.htm

18th Annual Computer Security Applications Conference (ACSAC):
Practical Solutions to Real Security Problems. Applied Computer
Security Associates. December 9-13, 2002. Las Vegas, NV. For more
information: http://www.acsac.org/

Third Annual Privacy Summit. International Association of Privacy
Officers. February 26-28, 2003. Washington, DC. For more information:

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy.
Association for Computing Machinery (ACM). April 1-4, 2003. New York,
NY. For more information: http://www.cfp.org/

Subscription Information
Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:
     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)
Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)
Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription email address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learn
Latin at the same time!  Receive a free epic.org "sed quis custodiet
ipsos custodes?" coffee mug with donation of $75 or more.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
   ---------------------- END EPIC Alert 9.15 -----------------------