Volume 3.18 October 23, 1996
NOTE: This issue of the EPIC Alert reviews legislation passed by the 104th Congress in the last few days of the session that may have significant implications for privacy, civil liberties, and free speech.
[1] Budget Bill [2] Digital Telephony [3] Credit Report Bill Revised [4] Immigration Bill Approved [5] Intelligence Bill [6] Computer Crime Bill [7] Computer Pornography [8] FAA Authorization [9] Upcoming Conferences and Events
[1] Budget Bill
On September 30, President Clinton signed the Omnibus Consolidated Appropriations Act (PL 104-208). The Act was a conglomeration of a number of bills including funding bills for most federal agencies for Fiscal Year 1997, an immigration bill, a banking bill and other unrelated pending measures. There were several provisions in the Appropriations Act that concern programs to extend government surveillance. The other bills with civil liberties implications are covered below as separate items. Included in the omnibus appropriations legislation were numerous grants for new technologies for expanding government databases and other monitoring capabilities. Overall, the programs total nearly $300 million. The FBI received a total of $2.735 billion for salaries and expenses for FY 97, an increase of $315 million over the previous year. The White House had requested $2.845 billion. Included in the FBI's funding are numerous surveillance programs, including $30 million over two years to complete the NCIC 2000 project which, according to the legislative report, is already three one half years overdue and $100 million over budget. The Integrated Automated Fingerprint Identification system also received $98 million dollars, even though the Conference Committee report found it to be "$119,500,000 over budget and more than one year behind schedule." More money was also poured into databases, including $9.5 million for grants to the states to create databases that are compatible with the FBI's NCIC, DNA and fingerprint databases; $8.5 million to add two new databases to the NCIC; and $20 million to establish a "National Instant Background Check for handgun purchases." Other agencies also received large amounts of money for surveillance. The DEA received $8.1 million for 50 agents to conduct wiretaps in the Southwest. The INS received $27 million for new equipment including infrared scopes, low light television systems, sensors, and forward looking infrared systems. The Financial Crimes Enforcement Network (FinCEN) received $24 million and an extra $1 million from the Violent Crime Reduction Program for its "Cybercash Initiative." A large portion of federal money was also appropriated to provide local and state police with new surveillance technologies. A total of $50 million was appropriated for upgrading state criminal databases under the Brady bill. Three million dollars is set aside for "DNA Identification State Grants" and $900,000 for developing identification systems for missing Alzheimer Patients. All of the grants are contingent on the state databases being networked with the federal systems. The National Institute of Justice was given $20 million for "assisting units of local governments to identify, select, develop, modernize, and purchase new technologies for use by law enforcement," including $3.5 million for "Facial Recognition Technology." Undefined amounts are also given to the FBI's Center of Advanced Supported for Technology for Law Enforcement for "computerized identification systems and forensic DNA analysis techniques." Another $10 million is appropriated for "counterterrorism technologies" authorized by the counterterrorism bill.
[2] Digital Telephony Funding
The Omnibus Consolidated Appropriations Act also included funding for the Communications Assistance for Law Enforcement Act, popularly known as the FBI's "Digital Telephony" plan. The provision creates a permanent Telecommunications Carrier Compliance Fund within the Department of Justice. Unlike previous plans for the Fund, where the money was to be appropriated each year by Congress or obtained from civil and criminal fines, the provision enacted by Congress allows intelligence agencies such as the CIA and the NSA to finance the program directly -- the Fund can receive money from "any US Government agency with law enforcement or intelligence responsibilities." This funding mechanism could effectively diminish Congress's ability to oversee the program and to identify waste, fraud, or abuse in the implementation of the wiretap plan. In addition to the donations from intelligence agencies, the bill provides for $60 million in direct funding. Another $12 million was reprogrammed from previously unspent funds in the Department of Justice budget. However, Congress must approve the Fund as an "emergency requirement" under the provisions of a 1985 budget bill. The bill also contains a number of minor oversight mechanisms. The FBI is again required to submit an implementation plan and yearly reports to Congress. Similar provisions in the original 1994 law have been largely ignored by the FBI. Congress rejected attempts to incorporate sections from the Counterterrorism bill increasing wiretapping into the budget bill. Those provisions would have increased roving wiretaps and allowed the use of information obtained from unlawful wiretaps in court proceedings. More information on the Digital Telephony bill and other wiretap issues is available from: http://www.epic.org/privacy/wiretap/
[3] Credit Report Bill Revised
The 104th Congress also amended the Fair Credit Reporting Act (FCRA). The new amendments mark the first changes to the law since its enactment 25 years ago. Overall, the changes are mixed, with some modest improvements to the law, but also some anti-consumer provisions allowing for greater sharing of information. The bill makes dozens of substantive changes to the existing law. The revised law imposes a duty on banks and department stores that provide information to credit bureaus to avoid making errors and to assist in correcting errors. Only government agencies are empowered to enforce this requirement -- the consumer cannot sue to enforce it. Banks can allow subsidiaries to use credit reports for insurance, credit and employment purposes. Consumer groups are concerned that this could be used to create "mini credit bureaus" within banks that would be exempt from the privacy provisions of the FCRA. States are preempted for eight years from passing stronger new laws in several areas including affiliate sharing, pre-screening and compliance. States can still pass new laws governing costs of reports for consumers. Provisions allowing for free credit reports were defeated. Consumers can now obtain a free credit report for a period of 60 days after a use of a credit report results in an adverse decision against them. Indigent persons, victims of identify theft and unemployed people can obtain free reports. Other consumers can get reports for $8.00 each. A controversial amendment that would have allowed the use of credit reports for target marketing was scrapped after opposition by the Federal Trade Commission and public interest groups (a lawsuit by the FTC against TransUnion is currently pending). Individuals active in the fight say that the controversy over the Lexis-Nexis P-TRAK service prevented a more business-oriented version of the bill from being enacted. Finally, the Federal Reserve Board, the FTC and other agencies are required to conduct a study within six months on whether organizations not subject to the FCRA are "engaged in the business of making information, including social security numbers, mothers maiden names, prior addresses, and the dates of birth, available to the general public." The report is intended to examine whether this information is being used for fraudulent purposes and to suggest changes in federal laws to Congress. More information on credit reports, including a copy of the revisions to the FCRA is available at: http://www.epic.org/privacy/credit/
[4] Immigration Bill Approved
Also included in the final budget agreement was the Illegal Immigration Reform and Responsibility Act of 1996. The bill had been hotly debated throughout the year and was included in the final budget bill at the last moment. The bill requires the creation of three pilot programs to be operated by the Attorney General. The pilot programs will experiment with various identity verification schemes including a database of information from the Social Security Administration and the Immigration and Naturalization Service that can be queried via an 800 number. The bill also prohibits federal agencies from accepting state drivers licenses that are not designed to federal standards. A person's Social Security Number must be on the license in a form "that can be read visually or by electronic means" unless the state agency collects the SSN and provides it to the Social Security Administration for validation. States must initiate this practice by October 1, 2000. The Commissioner of Social Security is also ordered to develop "a prototype of a counterfeit social security card" and submit cost studies on implementing such a card within three, five, and ten years. More information on the immigration bill and other efforts to create national ID cards is available at: http://www.epic.org/privacy/id_cards/
[5] Child Pornography Prevention Act of 1996 Approved
Another controversial law incorporated in the omnibus budget bill was S. 1237, the "Child Pornography Prevention Act of 1996." The bill, introduced by Sen. Orin Hatch (R-UT), expands the definition of child pornography to include the creation of images in which adults appear to be minors or the morphing or creation of pictures to make it appear that a minor was used. It also amends the Privacy Protection Act of 1980 to allow for searches of publishers if child pornography is involved. An affirmative defense is included for producers who can prove that adults were used in creating images and that the material was not promoted as involving children. The ACLU is considering a court challenge. Under a 1982 Supreme Court decision, child pornography must involve an actual child. A copy of the bill and other information on Internet censorship is available at: http://www.epic.org/free_speech/
[6] Intelligence Bill
In a separate action, President Clinton signed H.R.3259, the Intelligence Authorization Act for Fiscal Year 1997, funding the intelligence agencies for the next year. The total amount of the funding and the amount that each agency receives is classified, but news accounts indicate that the total is around $30 billion, a four percent increase over last year's budget of $28 billion. The bill also includes two substantive provisions that extend government surveillance capabilities. One modifies the wiretap law to include local phone records in the "transactional information" that can be obtained by the FBI and other government agencies using only a subpoena. Penalties are increased for any person who abuses this provision. Another provision allows intelligence agencies to obtain information on foreign individuals outside the United States specifically for law enforcement purposes. This has proven controversial within the government because of the fear that intelligence sources could be revealed if a prosecution was brought based on information that would have to be revealed to the defense. More information on counterterrorism proposals is available at: http://www.epic.org/privacy/terrorism/
[7] Computer Crime Bill and Cryptography
Also passing in the final days of the session was HR 3723, the National Information Infrastructure Protection Act of 1996. The bill, introduced by Senator Patrick Leahy (D-VT), makes numerous substantive changes to the Computer Fraud and Abuse Act. It is included in a larger act that criminalizes economic espionage. The bill expands the reach of the computer crime laws; it now covers any illegal access, not just ones that affect interstate commerce or federal computer systems. After the 1994 revisions, it was widely believed that an illegal entry perpetrated entirely within one state was not covered. It also criminalizes the receipt of any information from an unlawful access from a computer "engaged in interstate or foreign communication." Previously, this section only covered credit reporting agencies' computers. Since every entry into a system obtains some information, it could criminalize every access no matter how trivial and without regard to whether there was any damage. A separate section buried deep in the larger bill entitled "Use of Certain Technology to Facilitate Criminal Conduct" requires the Administrative Office of the US Courts to include in presentencing reports a statement of whether the defendant used encryption. Such use could result in an "obstruction of justice" increase in jail time under the Federal Sentencing Guidelines. The Sentencing Commission would also produce an annual report on the use of encryption to facilitate or conceal criminal conduct. [In a related matter, the General Accounting Office released a report on September 24 criticizing US government efforts on computer security on government computer systems. The GAO report "Information Security: Opportunities for Improved OMB Oversight of Agency Practices" (GAO/AIMD-96-110) found that weak security is a "widespread problem" because "agencies have not implemented information security programs that establish appropriate policies and controls and routinely monitor their effectiveness." The GAO looked at 15 of the largest federal agencies and found that ten had "serious information security weaknesses, some of which have existed for years."] The FBI also received $5 million for a Computer Investigations Threat Assessment Center (CITAC) as part of the omnibus funding bill. More information on computer security issues is available at: http://www.epic.org/security/
[8] FAA Authorization
H.R.3539, Federal Aviation Reauthorization Act of 1996, included provisions authorizing passenger profiling: SEC. 307. PASSENGER PROFILING. The Administrator of the Federal Aviation Administration, the Secretary of Transportation, the intelligence community, and the law enforcement community should continue to assist air carriers in developing computer-assisted passenger profiling programs and other appropriate passenger profiling programs which should be used in conjunction with other security measures and technologies. In addition, $10 million was budgeted to implement the passenger profiling initiative. All of this was done even in the face of increasing evidence that mechanical failures likely caused the crash of TWA Flight 800. More information on passenger profiling is available at: http://www.epic.org/privacy/airline/
[9] Upcoming Conferences and Events
19th National Information Systems Security Conference. October 22-25, 1996. Baltimore, MD. Sponsored by NSA & NIST. Contact: Tammy Grice (301) 948-2067. National Consumer Rights Litigation Conference: Defending Consumer Access to Justice. October 26-28. Washington, DC. Sponsored by the National Consumer Law Center. Contact: NCSL: (617) 523-7398 (fax). ETHICOMP96: The Third International Conference on Ethical Issues of Information Technology, November 6-8, 1996. Madrid, Spain. Contact: pbarroso@capilla.cph.es. 1997 RSA Data Security Conference. January 28-31, 1997. San Francisco, CA. Contact: http://www.rsa.com. "CFP97: Commerce & Community." March 11-14, 1997. Burlingame, California. Sponsored by the Association for Computing Machinery. Contact: cfp97@cfp.org or http://www.cfp.org/. "Eurosec'97, the Seventh Annual Forum on Information Systems Quality and Security." March 17-19. 1997. Paris, France. Sponsored by XP Conseil. Contact: http://ourworld.compuserve.com/homepages/eurosec/ "INET 97 -- The Internet: The Global Frontiers." June 24-27, 1997. Kuala Lumpur, Malaysia. Sponsored by the Internet Society. Contact: inet97@isoc.org or http://www.isoc.org/inet97. "International Conference on Privacy." September 23-26, 1997. Montreal, Canada. Sponsored by the Commission d'Acces a l'information du Quebec. (Send calendar submissions to Alert@epic.org)
The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or use the subscription form at: http://www.epic.org/alert/subscribe.html Back issues are available via http://www.epic.org/alert/
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, email info@epic.org, HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Individuals with First Virtual accounts can donate at http://www.epic.org/epic/support.html Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan. Thank you for your support.