==============================================================
                          EPIC ALERT
==============================================================
Volume 9.17                                September 20, 2002
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_9.17.html

=======================================================================
Table of Contents
=======================================================================

[1] Groups Urge Secret Appeals Court to Reject Expanded Spying Powers
[2] Bush Administration Releases Cyber Security Plan
[3] EPIC Testifies Before Congress on Preventing SSN Misuse
[4] FCC Approves Rulemaking on Telephone Consumer Protection Act
[5] Coalition Urges FTC to Adopt Effective Strategy for Passport
[6] Groups File Brief Opposing Identification of ISP Subscriber
[7] EPIC Bookstore - Litigation Under the Federal Open Government Laws
[8] Upcoming Conferences and Events

=======================================================================
[1] Groups Urge Secret Appeals Court to Reject Expanded Spying Powers
=======================================================================

EPIC today joined with a coalition of civil liberties groups to urge a secret appeals court to reject a government bid for broadly expanded powers to conduct "national security" surveillance on U.S. citizens. In a "friend of the court" brief filed with the Foreign Intelligence Surveillance Court of Review (FISCR), the groups said that expanding such powers would jeopardize fundamental constitutional interests, "including the First Amendment right to engage in lawful public dissent, and the warrant, notice, and judicial review rights guaranteed by the Fourth and Fifth Amendments."
At issue in the case is whether new Justice Department surveillance rules seeking to use looser foreign intelligence standards to conduct criminal investigations in the United States are constitutional and permissible under the USA PATRIOT Act adopted by Congress after the September 11 terrorist attacks.

The civil liberties brief urges the FISCR to uphold a decision of the Foreign Intelligence Surveillance Court, which in May unanimously rejected the government's bid for expanded powers. In its decision, the intelligence court documented abuses of "national security" warrants by both the Bush and Clinton Administrations, including serious errors in approximately 75 applications for foreign intelligence surveillance (see EPIC Alert 9.16).

At a hearing last week, members of the Senate Judiciary Committee, which has oversight of the Justice Department, also condemned the government's position. "We need to do our work well and ensure that domestic surveillance is aimed at true national security targets and does not simply serve as an excuse to violate the Constitutional rights of our own citizens," said Committee Chairman Patrick J. Leahy (D-VT). "The abuses of the past are far too fresh simply to surrender to the executive branch unfettered discretion to determine the scope of these changes."

After the lower court's decision was made public in late August, the civil liberties groups notified the FISCR that they intended to file a brief. The groups had hoped to submit their brief before the appeals court met to review the case, but the secret court met on September 9 and only the government was allowed to present arguments.

EPIC joined the American Civil Liberties Union, Center for Democracy and Technology, Center for National Security Studies, Electronic Frontier Foundation, and the Open Society Institute in submitting today's brief.
The civil liberties amicus brief is available at:

     http://www.epic.org/privacy/terrorism/fisa/FISCR_amicus_brief.pdf

Background information on the Foreign Intelligence Surveillance Act, including the current controversy, is available at:

     http://www.epic.org/privacy/terrorism/fisa/

The text of the USA PATRIOT ACT is available at:

     http://www.epic.org/privacy/terrorism/hr3162.html

=======================================================================
[2] Bush Administration Releases Cyber Security Plan
=======================================================================

Amid tight security on pre-publication, the President's Critical Infrastructure Protection Board on September 18 released its first public draft of the National Strategy to Secure Cyberspace at a joint government-industry press event at Stanford University. The White House claimed the draft plan "was developed in close collaboration with key sectors of the economy that rely on cyberspace, State, and local governments, colleges and universities, and concerned organizations."

Among the initiatives called for in the strategy are the creation of a North American "Cyber Safe Zone," extension of the Council of Europe Cybercrime Convention to other countries not currently signatories to the Convention, and the promotion of "national and international watch and warning" and a "global 'culture of security.'" Identifiable "cyber points of contact" are also encouraged in the plan.

The plan separates cyberspace into five levels: 1) Home users and small businesses; 2) Major private enterprises; 3) Various sectors of the national information infrastructure; 4) National Priorities; and 5) Global.

The draft represents an ongoing work in progress that is subject to change and modification, according to White House sources. Earlier drafts of the plan were viewed by the private sector, particularly the wireless industry and Internet Service Providers, as unreasonably mandating government-induced security standards.
Contrary to earlier reports, the National Strategy does not contain requirements of data retention or any other data collection/data mining requirements by ISPs or other IT service providers. Significantly, unlike previous versions of the plan, the current draft strategy does not call for the creation of a Federal privacy "czar" position.

Comments on the plan are invited until November 18, 2002. They may be e-mailed to feedback@who.eop.gov.

The draft National Strategy to Secure Cyberspace is available at:

     http://www.epic.org/security/draftstrategy0902.pdf

=======================================================================
[3] EPIC Testifies Before Congress on Preventing SSN Misuse
=======================================================================

At a joint hearing before two House subcommittees, EPIC legislative counsel Chris Hoofnagle urged Congress to create a comprehensive set of limitations on the collection and use of the Social Security Number (SSN). The hearing, chaired by Rep. Clay Shaw (R-FL), focused on "Preserving the Integrity of Social Security Numbers and Preventing Their Misuse by Terrorists and Identity Thieves." Representatives from the Social Security Administration, the Federal Bureau of Investigation, and the Secret Service also testified before the committee.

EPIC's testimony covered recent developments in identity theft, state attempts to limit the SSN, and federal legislation designed to stem SSN use. According to the Privacy Rights Clearinghouse, 500,000-700,000 persons are affected by identity theft annually. The toll on victims is burdensome -- most victims do not discover that their identities have been stolen until many months after the crime has occurred. Victims spend hundreds of hours and substantial sums of money fixing their credit rating.

Two states, California and Georgia, have recently passed legislation to limit the use of SSNs. In California, Senate Bill 168 was signed into law in October 2001.
The bill prohibits public posting of SSNs and the printing of SSNs on identity cards or documents used to obtain a product or service. The bill also prohibits businesses from printing SSNs on invoices or bills sent through the mail.

In Georgia, businesses are now required to safely dispose of records that contain personal identifiers. Business records -- including data stored on computer hard drives -- must be shredded or, in the case of electronic records, completely wiped clean where they contain SSNs, driver's license numbers, dates of birth, medical information, account balances, or credit limit information. The Georgia law carries penalties up to $10,000.

EPIC praised H.R. 2036, the Social Security Number Privacy and Identity Theft Prevention Act of 2001, which was introduced by Rep. Shaw and enjoys bipartisan support. The bill would establish meaningful restrictions on the sale and display of SSNs, and discourage the use of the identifier in the private sector.

EPIC's Testimony:

     http://www.epic.org/privacy/ssn/ssntestimony9.19.02.html

Hearing Notice and Links to Witness Testimony:

     http://waysandmeans.house.gov/socsec/107cong/ss-16wit.htm

H.R. 2036, Social Security Number Privacy and Identity Theft Prevention Act of 2001:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.02036:

=======================================================================
[4] FCC Approves Rulemaking on Telephone Consumer Protection Act
=======================================================================

The Federal Communications Commission (FCC) has approved a notice of proposed rulemaking (NPRM) on the Telephone Consumer Protection Act of 1991 (TCPA), a federal law that regulates telemarketing and fax advertising. The NPRM solicits comments on a series of telemarketing issues, including automatic dialers, prerecorded voice telemarketing, unsolicited fax advertising, and whether the FCC should create a national do-not-call (DNC) list.
The TCPA authorized the FCC to create a DNC list ten years ago, but the agency declined to do so. Instead, the FCC adopted a "company-specific" DNC list that requires individuals to opt-out from each business that engages in telemarketing.

The Direct Marketing Association (DMA) has opposed the creation of DNC lists, arguing that its opt-out list, the "Telephone Preference Service" (TPS), adequately protects consumers. However, the TPS only applies to DMA members. Enrollment in the TPS is burdensome, as the DMA allows a free opt-out only to those who send in a letter by postal mail. Additionally, states have been far more effective in facilitating convenient enrollment in DNC lists. Many states offer free Internet enrollment, but the DMA continues to charge $5 for the same service.

Earlier this year, the Federal Trade Commission (FTC) sought public comment on telemarketing practices and on whether that agency should create a national DNC list. The FCC voted 4-0 to examine these same issues, marking a willingness to cooperate with FTC in order to create more comprehensive protections against telemarketing.

The mood of the FCC commissioners was favorable to empowering individuals to exercise control over telemarketing solicitations. Commissioner Michael Copps said, "Unrestricted telemarketing has gone beyond being a nuisance and become in many cases an invasion of privacy."
FCC NPRM on Regulations Implementing the Telephone Consumer Protection Act of 1991:

     http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-02-250A1.doc

EPIC's Telemarketing Page:

     http://www.epic.org/privacy/telemarketing/

=======================================================================
[5] Coalition Urges FTC to Adopt Effective Strategy for Passport
=======================================================================

In comments to the Federal Trade Commission (FTC), EPIC and a coalition of privacy organizations urged the agency to amend its Consent Order regarding Microsoft Passport to include greater privacy protections.

In July and August 2001, EPIC and a coalition of privacy organizations filed complaints with the FTC describing privacy and security risks inherent in the Microsoft Passport identification and authentication system. The FTC began an investigation into Passport, and in July 2002, issued a Complaint and Consent Order finding four violations of federal consumer protection law (see EPIC Alert 9.15).

The Consent Order requires Microsoft to implement a new information security program that is audited by an independent third-party. The company must reassess this security program every two years. Microsoft is also barred from making misrepresentations about the security or privacy of Passport.

The groups made four recommendations to the FTC to ensure effective implementation of the Consent Order. First, the groups requested that the security audits of Passport be made available to the public, and that individuals be given access to their entire Passport profile. Second, the groups recommended that the FTC examine AOL's authentication system, the "Screen Name Service," and Project Liberty, which is currently under development. Third, the groups recommended that the FTC ensure Microsoft is complying with the EU-US Safe Harbor. Last, the groups requested the FTC to establish limitations on the functions of Passport.
Without limitations on the functions that Passport performs and the information that Passport collects, Passport becomes an increasingly attractive and lucrative target for malicious hackers.

EPIC's Comments on the Microsoft Passport Consent Order:

     http://www.epic.org/privacy/consumer/microsoft/ordercomments.html

EPIC's "Sign Out of Passport" Page:

     http://www.epic.org/privacy/consumer/microsoft/

FTC Consent Order Page:

     http://www.ftc.gov/opa/2002/08/microsoft.htm

=======================================================================
[6] Groups File Brief Opposing Identification of ISP Subscriber
=======================================================================

EPIC and a coalition of civil liberties groups filed an amicus brief in late August challenging the Recording Industry Association of America (RIAA)'s attempt to identify a Verizon ISP subscriber. The brief argues that a portion of the Digital Millennium Copyright Act (DMCA) unconstitutionally violates individuals' right to anonymous communications.

The case arose after Verizon refused to comply with a subpoena sent by the RIAA in July, compelling the ISP to release the name of a customer accused of illegally trading hundreds of songs. RIAA filed suit seeking to have a court enforce the subpoena and force Verizon to disclose the customer's name.

The RIAA's subpoena was sent pursuant to a provision of the DMCA that permits a copyright owner to send a subpoena (without filing a lawsuit) ordering a "service provider" to turn over information about a subscriber. The amicus brief states that the provision violates the right of Americans to be anonymous online: "Purported copyright owners should not have the right to violate protected, anonymous speech with what amounts to a single snap of the fingers."
The amicus brief (as well as Verizon's brief, which opposes RIAA's motions mostly on procedural grounds) maintains that the RIAA has the right to unmask a true copyright infringer, but argues that common civil procedure rules have always provided sufficient routes for obtaining such information.

If copyright owners were permitted to use the DMCA's subpoena process to assail peer-to-peer pirates, the amicus brief argues, the combined number of notices and subpoenas that Internet providers would have to process could easily reach into the millions annually.

The coalition's Amicus Brief is available at:

     http://www.eff.org/Cases/RIAA_v_Verizon/20020830_eff_amicus.html

Verizon's Brief is available at:

     http://www.politechbot.com/docs/verizon.brief.090302.pdf

=======================================================================
[7] EPIC Bookstore - Litigation Under the Federal Open Government Laws
=======================================================================

JUST PUBLISHED!

Litigation Under the Federal Open Government Laws 2002
570 pages, $40.00
http://www.epic.org/bookstore/foia2002/

"Deserves a place in the library of everyone who is involved in, or thinking about, litigation under the Freedom of Information Act."

     - Steve Aftergood
       Federation of American Scientists

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. EPIC has published the book jointly with Access Reports and the James Madison Project.

This 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. It is edited by Harry Hammitt of Access Reports, David L. Sobel of EPIC, and Mark S. Zaid of the James Madison Project. The book draws upon the expertise of practicing attorneys who are recognized leaders in the field. Appendices include the text of the relevant acts, and sample pleadings for litigators.
"Litigation Under the Federal Open Government Laws 2002" adheres to the same high standards as previous editions and is intended as a guide for FOIA requesters and plaintiff litigators. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

EPIC Publications:

"Privacy & Human Rights 2002: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $25.
http://www.epic.org/bookstore/phr2002/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, video surveillance, location tracking, ID systems and freedom of information laws.

================================

"The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001). Price: $40.
http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore/

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Civil Liberties Under Attack -- One Year Later. National Lawyers Guild; Refuse & Resist. September 7, 2002. Los Angeles, CA. For more information: http://www.refuseandresist.org/new/calendar.php

IT and Law. University of Geneva, University of Bern, Swiss Association of IT and Law. September 9-10, 2002. Geneva, Switzerland. For more information: http://www.informatiquejuridique.ch/

Observing Surveillance. Photo Exhibit. September 12, 2002. Washington, DC. For more information: dcvsp@epic.org

ILPF Conference 2002: Security v. Privacy. Internet Law & Policy Forum. September 17-19, 2002. Seattle, WA.
For more information: http://www.ilpf.org/conference2002/

The Biometric Consortium Conference (BC2002). Biometric Consortium. September 23-25, 2002. Arlington, VA. For more information: http://www.nist.gov/bc2002/

Privacy2002: Information, Security & New Global Realities. Technology Policy Group. September 24-26, 2002. Cleveland, OH. For more information: http://www.privacy2000.org/privacy2002/

Privacy Management Summit. Privastaff. September 25, 2002. San Jose, CA. For more information: http://www.privastaff.com/psevents.html

Commercialization of Human Genomics: Consequences for Science and Humanity. Duke University Center for Genome Ethics, Law, and Policy. September 27-28, 2002. Durham, NC. For more information: http://www.law.duke.edu/conference/gelp/

Privacy in Ubicomp 2002: Workshop on Socially-informed Design of Privacy-enhancing Solutions in Ubiquitous Computing. Held as part of UBICOMP 2002. September 29, 2002. Goeteborg, Sweden. For more information: http://guir.berkeley.edu/privacyworkshop2002/

Shrinking World, Expanding Net. Computer Professionals for Social Responsibility (CPSR). October 5, 2002. Cambridge, MA. For more information: http://www.cpsr.org/conferences/annmtg02/

Bridging the Digital Divide: Challenge and Opportunities. 3rd World Summit on Internet and Multimedia. October 8-11, 2002. Montreux, Switzerland. For more information: http://www.internetworldsummit.org/

2002 WSEAS International Conference on Information Security (ICIS '02). World Scientific and Engineering Academy and Society. October 14-17, 2002. Rio de Janeiro, Brazil. For more information: http://www.wseas.org/conferences/2002/brazil/icis/

IAPO Privacy & Security Conference. International Association of Privacy Officers. October 16-18, 2002. Chicago, IL. For more information: http://www.privacyassociation.org/html/conferences.html

Privacy Trends: Complying With New Demands. Riley Information Services Inc. and the Commonwealth Centre for Electronic Governance. October 22, 2002.
Ottawa, Canada. For more information: http://www.rileyis.com/seminars/

3rd Annual Privacy and Security Workshop: Privacy & Security: Totally Committed. Centre for Applied Cryptographic Research, University of Waterloo and the Information and Privacy Commissioner/Ontario. University of Toronto. November 7-8, 2002. Toronto, Canada. For more information: http://www.epic.org/redirect/cacr.html

First Hawaii Biometrics Conference. Windward Community College, Pacific Center for Advanced Technology Training (PCATT). November 10-13, 2002. Waikiki, HI. For more information: http://biometrics.wcc.hawaii.edu/

Transformations in Politics, Culture and Society. Inter-Disciplinary.Net. December 6-8, 2002. Brussels, Belgium. For more information: http://www.inter-disciplinary.net/tpcs1.htm

18th Annual Computer Security Applications Conference (ACSAC): Practical Solutions to Real Security Problems. Applied Computer Security Associates. December 9-13, 2002. Las Vegas, NV. For more information: http://www.acsac.org/

Third Annual Privacy Summit. International Association of Privacy Officers. February 26-28, 2003. Washington, DC. For more information: http://www.privacyassociation.org/html/conferences.html

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy. Association for Computing Machinery (ACM). April 1-4, 2003. New York, NY.
For more information: http://www.cfp.org/

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via email:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Back issues are available at:

     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription email address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC.
It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

     http://www.epic.org/donate/

=======================================================================

Drink coffee, support civil liberties, get a tax deduction, and learn Latin at the same time! Receive a free epic.org "sed quis custodiet ipsos custodes?" coffee mug with donation of $75 or more.

=======================================================================

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 9.17 -----------------------