Volume 3.02 January 24, 1996
[1] Commerce Department Releases Crypto Report
[2] Court finds Constitutional Right of Privacy in Pharmacy Records
[3] Avrahami Asks Court for Summary Judgment
[4] New Book Examines FBI Surveillance
[5] UK Medical Association Recommends New Security Standards
[6] Upcoming Conferences and Events
[1] Commerce Department Releases Crypto Report
Following a six month delay, the US Department of Commerce released a
report on January 19 on the international market for encryption
software. The report finds that there are foreign products available
which "can have an impact on US competitiveness" and that US export
controls "may have discouraged US software producers from enhancing
the software features of general purpose software to meet the
anticipated growth demand by foreign markets." It anticipates that
there will be steadily increasing demand for crypto to be included in
general use software products.
Commerce Secretary Ron Brown told Blumberg Business News that, "If
your foreign competitors are exporting products with encryption
capability and you are not, that puts you at a tremendous competitive
disadvantage."
The report, which was jointly produced by the Commerce Department's
Bureau of Export Administration and the National Security Agency,
reviews the foreign availability of encryption products and other
nations' import, export and domestic use policies.
Significant portions of the report have been removed at the request of
the NSA. In December 1995, EPIC filed suit under the Freedom of
Information Act to obtain a full copy of the report and will continue
to demand its release in its entirety.
A copy of the Executive Summary and more information on crypto policy
is available at:
http://www.epic.org/crypto/
[2] Court finds Constitutional Right of Privacy in Pharmacy Records
In the past month, two federal courts have ruled on the privacy of an
employee's use of prescription drugs. Using different legal bases, the
court decisions bring a measure of legal protection into an area where
there is no specific federal privacy law.
In one decision filed last week, a federal district court judge in Denver
ruled that a private ski resort violated the Americans With Disability
Act when it required its employees to disclose the prescription drugs
they used. The court found that "a policy that requires employees to
disclose the prescription medication they use would force the employees
to reveal their disabilities to their employer." Employees argued that
requiring disclosure could result in them deferring from taking needed
medication for fear of employer retailiation. According to the Wall
Street Journal, the ski resort will not appeal the decision.
In late December, the Third Circuit Court of Appeals ruled that
individuals have a constitutional right to privacy in prescription
records. The court based its decision on previous holdings of the
Supreme Court that individuals have a right of privacy in their medical
records. In applying the precedent to prescription records, the appeals
court stated:
It is now possible from looking at an individual's
prescription records to determine a person's illnesses,
or even to ascertain such private facts as whether a woman is
attempting to conceive a child though the use of fertility
drugs. This information is precisely the sort to be protected
by penumbras of privacy ... An individual using prescription
drugs has a right to expect that such information will
customarily remain private.
In protecting the information, the court ruled that an intermediate
level of scrutiny should be used in balancing the privacy rights
against an employer's interest in obtaining the information to prevent
abuses of its health program. However, in cases where there is a
severe intrusion, the court suggested that the stronger "compelling
interest analysis" should be used.
The case came about after Rite-Aid pharmacy sent the director of
the South Eastern Pennsylvania Transportation Authority (SEPTA) a list
of SEPTA employees and the prescription drugs they were receiving as
part of a SEPTA-Rite-Aid contract for health services. Included in
that list was the plaintiff, who was taking medication for treatment
of HIV-related illnesses. The plaintiff also sued Rite-Aid for the
disclosure and Rite-Aid settled, agreeing not to provide employees names
in future reports. John Doe v. SEPTA, 3rd Circuit, Case No. 95-1559
(December 28, 1995).
More information on medical privacy is available at:
http://www.epic.org/privacy/medical/
[3] Avrahami Asks Court for Summary Judgment
Ram Avrahami, the Virginia man who brought suit against US News and
World Report for selling his personal data without his permission,
filed a motion with the Virginia court on January 16 for summary
judgment. The motion is an effort to simplify the case, where there is
no dispute over material facts, by asking the judge to rule on the
original motion as a matter of law.
"The law is explicit," said Jonathan C. Dailey, who represents
Avrahami in this case. "Virginia Code 8.01-40 has been interpreted by
the Virginia Supreme Court as creating a property right in a person's
name, a right that is vested in all people, including ordinary
citizens. When USN&WR received a commercial benefit from Mr. Avrahami's
name, as little as it may be, without first obtaining his express
written consent, it violated the law."
USN&WR had already admitted in a previous court filing that it had
traded Avrahami's name under a "list exchange agreement" with the
Smithsonian. According to the motion, a Spring 1995 edition of the
Direct Marketing List Source, a list industry catalog, both USN&WR and
the Smithsonian Magazine were sell subscribers' names (2.2 million of
USN&WR, 1.9 million of the Smithsonian) for $80-85 per thousand. Mr.
Avrahami said that this demonstrates that the exchange of lists is a
clear commercial transaction.
"USN&WR has systematically used my name for a commercial benefit,
either for receipt of money or as a way to get reciprocal names of
similar value so as to increase its own circulation. The law
proscribes such practices and the magazine should stop exchanging names
without the express written consent of its subscribers."
The court is expected to rule on the motion on the scheduled day of
the trial, Feb. 6. If the court rules in Avrahami's favor, the court
will then consider the issue of damages.
More information on the case is available at:
http://www.epic.org/privacy/junk_mail/
In another case challenging junk mail, a small claims court in California
ruled in favor of a man who sued Computer City for sending him unsolicited
mail. In April, Bob Beken purchased merchandise from the store and
indicated on the back of a check that the store could not sell his name or
send him mail and that if it did, he could recover $1,000.
The statement said:
Computer City agrees NOT to place Robert Beken on any mailing
list or send him any advertisements or mailings. Computer
City agrees that a breach of this agreement by Computer City
will damage Robert Beken and that these damages may be
pursued in court. Further, that the damages for the first
breach are $1,000. The deposit of this check is agreement
with these terms and conditions.
The court upheld the contract and awarded Beken $1,021 in damages and
fees.
[4] New Book Examines FBI Surveillance
A new book on the Justice Department by former New York Times reporter
David Burnham reviews federal surveillance activities and current
controversies involving the nation's chief law enforcement agency.
The book, "Above the Law: Secret Deals, Political Fixes, and Other
Misadventures of the U.S. Department of Justice" (Scribner 1996), is
an extensive survey of the history of the Justice Department and the
political machinations of the agency.
In a chapter entitled "Keeping Track of the American People: The
Unblinking Eye and Giant Ear," Burnham examines new technologies of
surveillance used by law enforcement agencies. Using both public and
classified documents, he describes the activities of the FBI's Rapid
Prototyping Facility in Quantico, Virginia, which develops miniature
"microphones on a chip," the growing use of transactional records
including direct marketing files and telephone toll records by the
FBI and the DEA, and the FBI's new artificial intelligence-enhanced
investigative systems. He also reviews current controversies such
as the Clipper Chip and the Digital Telephony law and the relationship
between the FBI and the National Security Agency.
The book also looks at the Department's enforcement efforts in civil
rights cases, national security, and the drug war. Burnham makes extensive
use of statistics to evaluate the agency's performance and finds that in
most areas, the agency is ill-managed and lacking public accountability.
Burnham has published two previous books, "The Rise of the Computer State"
(Random House 1983), one of the first books that looked at the
threats to privacy in the computer age, and "A Law Unto Itself" (Random
House 1989), an expose of the Internal Revenue Service. He is
co-director of the Transactional Records Access Clearinghouse and a
member of the EPIC Advisory Board.
More information about "Above the Law," including exerpts from the
chapters on surveillance, the drug war and civil rights enforcement,
is available at:
http://www.epic.org/epic/board/burnham/book.html
[5] UK Medical Association Recommends New Security Standards
A new report prepared for the British Medical Association recommends
the adoption of strong security and privacy standards to protect the
confidentiality of medical information. The author of the report,
"Security in Clinical Information Systems," is Dr. Ross J. Anderson
of the Computer Laboratory, University of Cambridge.
Last year the British Medical Association recommended that doctors
boycott the National Health Services data network. The BMA said that
"use of the data network violates a doctor's duty of care to patient
confidentiality and could subject doctors professional sanctions."
(See "British Doctors Boycott Medical Network," EPIC Alert 2.13,
October 30, 1995)
In the new report, Dr. Anderson writes, "The proposed introduction of
a nationwide NHS network has led to concern about security. Doctors and
other clinical professionals are worried that making personal health
information more widely available may endanger patient confidentiality.
The problem is not limited to the NHS; it also concerns clinicians in
prisons, immigration services, forensic laboratories and private
healthcare. However the NHS network has forced the issues to the fore.
"It has been generally agreed that the security of electronic patient
records must meet or exceed the standard that should be applied to paper
records, yet the absence of clarity on the proper goals of protection
has led to confusion. The British Medical Association therefore asked
the author to consider the risks, and to prepare a security policy for
clinical information systems."
The report concludes, "the advice of the British Medical Association
to its members is that exposing unprotected patient identifiable
clinical information to the NHS-wide network (or indeed to any other
insecure network), or even sending it in encrypted form to an
untrustworthy system, is imprudent to the point of being unethical."
The BMA report is available at:
http://www.cl.cam.ac.uk/users/rja14/policy11/policy11.html
[6] Upcoming Conferences and Events
Security, Privacy and Intellectual Property Protection in the Global
Information Infrastructure, Canberra, Australia. February 7-8, 1996.
Sponsored by the Australian Government, Attorney-General's Department
and the Organization for Economic Cooperation and Development.
http://www.nla.gov.au/gii/oecdconf.html
Technologies of Freedom: Blueprints for Action, Feb. 29-March 2.
Washington, DC. Sponsored by the Alliance for Public Technology.
Contact: Ruth Holder holder@apt.org or http://apt.org/apt/
Computers Freedom and Privacy '96. March 27-30, 1996. Cambridge, Mass.
Sponsored by MIT, ACM and WWW Consortium. Contact cfp96@mit.edu or
http://web.mit.edu/cfp96/
Conference on Technological Assaults on Privacy, April 18-20, 1996.
Rochester Institute of Technology, Rochester, New York. Papers should
be submitted by February 1, 1996. Contact Wade Robison
privacy@rit.edu, by FAX at (716) 475-7120, or by phone at (716)
475-6643.
IEEE Symposium on Security and Privacy, May 6-8, 1996. Oakland, CA.
Sponsored by IEEE. Contact: sp96@cs.pdx.edu or
http://www.cs.pdx.edu/SP96.
Visions of Privacy for the 21st Century: A Search for Solutions. May
9-11, 1996. Victoria, British Columbia. Sponsored by The Office of
Information and Privacy Commissioner for the Province of British
Columbia and the University of Victoria. Program at
http://www.cafe.net/gvc/foi
Australasian Conference on Information Security and Privacy June
24-26, 1996. New South Wales, Australia. Sponsored by Australasian
Society for Electronic Security and University of Wollongong. Contact:
Jennifer Seberry (jennie@cs.uow.edu.au).
Privacy Laws & Business 9th Annual Conference. July 1-3, 1996. St.
John's College, Cambridge, England. Contact: Ms. Gill Ehrlich +44 181
423 1300 (tel), +44 181 423 4536 (fax).
Advanced Surveillance Technologies II. Sponsored by EPIC and Privacy
International. September 16, 1996. Ottawa, Canada. Contact
pi@privacy.org or http://www.privacy.org/pi/conference/
18th International Conference of Data Protection and Privacy
Commissioners. September 18-20, 1996. Ottawa, Canada. Sponsored by the
Privacy Commissioner of Canada.
(Send calendar submissions to Alert@epic.org)
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. To subscribe, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes).
Back issues are available via http://www.epic.org/alert/
The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to focus
public attention on emerging privacy issues relating to the National
Information Infrastructure, such as the Clipper Chip, the Digital
Telephony proposal, medical record privacy, and the sale of consumer
data. EPIC is sponsored by the Fund for Constitutional Government, a
non-profit organization established in 1974 to protect civil liberties
and constitutional rights. EPIC publishes the EPIC Alert, pursues
Freedom of Information Act litigation, and conducts policy research.
For more information, email info@epic.org, HTTP://www.epic.org or
write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC
20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks should
be made out to "The Fund for Constitutional Government" and sent to EPIC,
666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.
Your contributions will help support Freedom of Information Act and First
Amendment litigation, strong and effective advocacy for the right of
privacy and efforts to oppose government regulation of encryption and
funding of the National Wiretap Plan.
Thank you for your support.