==============================================================
@@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@
@ @ @ @ @ @ @ @ @ @ @ @
@@@@ @@@ @ @ @@@@@ @ @@@ @@@ @
@ @ @ @ @ @ @ @ @ @ @
@@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @
==============================================================
Volume 5.03 March 9, 1998
--------------------------------------------------------------
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/
=======================================================================
Table of Contents
=======================================================================
[1] FBI and Telephone Industry Working Toward Wiretap Agreement
[2] Advocates, Academics, Experts Send Letter on Privacy Conference
[3] New BW/Harris Poll Shows Support for Privacy Legislation
[4] Encryption Debate Resumes -- ACLU/EFF/EPIC Issue Statement
[5] FCC Requires Privacy Protections for Phone Records
[6] Virginia Internet Censorship Law Struck Down
[7] Congressional Actions, New Bills and Upcoming Hearings
[8] Upcoming Conferences and Events
=======================================================================
[1] FBI and Telephone Industry Working Toward Wiretap Agreement
=======================================================================
The telephone industry and the FBI may be on the verge of an agreement
that could jeopardize the privacy of all Americans. Following a meeting
with Attorney General Janet Reno and FBI Director Louis Freeh on March 6,
industry executives agreed to resume negotiations over implementation of
the Communications Assistance to Law Enforcement Act (CALEA), a
controversial 1994 law requiring that digital telephone technology be
designed to facilitate wiretapping. The discussions had broken down after
industry negotiators concluded that the FBI was seeking to significantly
broaden its surveillance powers and require many more technical changes
than CALEA envisions.
The impasse has delayed implementation of CALEA, which requires new
wiretap-friendly technology to be in place by October 28 of this year.
Attorney General Reno recently told Congress that the FBI and Justice
Department "will avail ourselves of all lawful mechanisms available" to
force implementation of CALEA. She has also conceded that the
technological changes sought by the FBI will likely exceed the $500
million Congress authorized the government to pay telecommunications
companies to make the changes needed to let law enforcement conduct
wiretaps on digital lines.
The March 6 DOJ/FBI/industry meeting was closed to the public, a fact that
led EPIC and other groups to send the Attorney General a letter of protest.
The letter noted that, "the effort to agree on a design of the nation's
telephone system without privacy input violates the intent of Congress to
ensure public participation in the process." Recent FBI actions have also
been criticized by Rep. Bob Barr (R-GA), who told the House of
Representatives on March 4,
The FBI . . . has gone far beyond its consultative role in the
implementation of CALEA. The FBI has insisted that the industry's
technical standards include requirements for capabilities that go
beyond the scope or intent of CALEA. The capabilities proposed to
be included by the FBI are costly, technically difficult to deploy
or technically infeasible, and raise significant legal and privacy
concerns.
Barr has introduced legislation that would delay for two years the
deadline for industry compliance with CALEA.
More information on CALEA and wiretapping is available at:
http://www.epic.org/privacy/wiretap/
=======================================================================
[2] Advocates, Academics, Experts Send Letter on Privacy Conference
=======================================================================
A group of more than 70 leading privacy scholars, advocates, and
technical experts have urged the Department of Commerce to ensure
that a proposed White House conference on privacy is not dominated
by special interest groups. The group said that "This conference provides
an important opportunity for listening to the public and developing
policies that respond to public concerns. It is critical to the operation
of democratic government that all interested parties are given an
opportunity to participate in important government proceedings."
The letter was created after the planning for the White House
Sponsored event was handed over to represenatives of the Direct
Marketing Association and online companies that oppose privacy laws.
The group urged certain goals for a White House conference on
privacy. These include:
- Understanding the threats to privacy and the difficulty that
consumers face trying to protect their privacy;
- Evaluating the sufficiency of self-regulation and the adequacy
and effectiveness of current US privacy policies;
- Exploring the use of encryption, anonymity, and other privacy
enhancing techniques to protect online privacy; and
- Recognizing the level of public support for strong privacy
protection.
The letter made four recommendations for the organization of the
conference:
1) The conference should be organized by full-time employees of the
U.S. government and decisions about participation, progam, and
conference activities must be made by the agency responsible for the
event; 2) The organizing of this event should be as open and
inclusive as possible, including use of the Internet to solicit
comments; 3) The evaluation of the adequacy of self-regulation to
protect privacy should be a primary goal of this conference. Many
believe that the policy has not succeeded and that stronger steps,
including legislation, should be considered; 4) Cryptography should
be a central issue at a White House conference on Internet Privacy.
The group said that "a fundamental change in the organization of this
event must be made to address the issues we have outlined."
The text of the letter is available at:
http://www.epic.org/privacy/internet/daley_ltr_2_26_98.html
=======================================================================
[3] New BW/Harris Poll Shows Support for Privacy Legislation
=======================================================================
A new poll conducted by the Lou Harris organization for Businessweek
shows far-reaching public support for privacy legislation. The poll
found that 53% of respondents wanted government to "pass laws now
for how personal information can be collected and used on the
Internet." 23% said that "government should recommend privacy
standards for the Internet but not pass laws at this time." Only
19% said "government should let groups develop voluntary privacy
standards but not take any action now unless real problems arise."
The poll showed little difference in support for Internet
privacy legislation between Internet users and non-users. 50%
of PC users favord privacy legislation for the Internet.
The poll also suggested that privacy policies alone would
do little to address public concerns about privacy. Of those who
might register at a web site, 44% said a policy would make
little difference and 44% said it would make no difference
at all.
The findings of the Harris/Businessweek poll are consistent
with other polls about privacy legislation.
Businessweek/Harris Poll
http://www.businessweek.com/premium/11/b3569104.htm
EPIC Privacy Surveys Archive
http://www.epic.org/privacy/survey/
=======================================================================
[4] Encryption Debate Resumes -- ACLU/EFF/EPIC Issue Statement
=======================================================================
The debate over U.S. encryption policy is likely to heat up with the
creation of a new industry-led coalition and consideration of competing
proposals pending before Congress. On March 4, Americans for Computer
Privacy (ACP) was unveiled at a press conference on Capitol Hill. The
coalition, supported by the high-tech industry and major trade
associations, plans a $10 million media campaign to educate the public on
the threats to privacy posed by the Administration's crypto policy and the
FBI's push for domestic controls on encryption. EPIC, along with the
American Civil Liberties Union and the Electronic Frontier Foundation,
released a statement welcoming the creation of ACP and supporting the
coalition's goal of fostering an informed public debate on encryption
policy (see text of statement below).
While the ACP is supporting the Safety and Freedom Through Encryption
(SAFE) Act sponsored by Rep. Bob Goodlatte (R-VA), Senators John McCain
(R-AZ) and Robert Kerrey (D-NE) are promoting a revised version of their
Secure Public Networks Act. The McCain-Kerrey bill seeks to establish
various incentives for the widespread adoption of key-recovery encryption
techniques that would enable governmental access to encrypted information.
It would also retain existing export controls on encryption. The SAFE
bill, on the other hand, would relax export controls and is generally
viewed as a pro-encryption measure. It does, however, contain a provision
criminalizing the use of encryption in furtherance of a crime. That
provision has been criticized by EPIC and other civil liberties groups.
In the midst of this activity, Vice President Gore on March 4 transmitted a
letter on encryption policy to Senate Minority Leader Tom Daschle (D-SD).
While apparently intended to clarify the Administration's position, the
Gore letter sent mixed signals. The Vice President wrote that, "The
Administration believes the best approach is to pursue a good faith
dialogue over the coming months between industry and law enforcement, which
can produce cooperative solutions, rather than seeking to legislate
domestic controls." But reiterating its support for key-escrow and
key-recovery, he said, "the Administration remains committed to finding
ways to preserve the ability of the Nation's law enforcement community to
access, under strictly defined legal procedures, the plain text of
criminally related communications and stored information."
The ACLU, EFF and EPIC issued a statement on the formation of the
Americans for Computer Privacy. The groups said that they welcome
the formation of the ACP. They said that there are two principal
goals that "must be incorporated into our national encryption policy"
- Repeal of existing U.S. controls on the export of encryption
products and technology for everyone, not simply mass-market
producers of encryption software; and
- Preserving the right of all Americans to use any encryption
product or technique they wish, both domestically and abroad.
The groups further said that they oppose:
- Any government attempts to regulate the domestic use of
encryption;
- Legal provisions that would criminalize the use of encryption,
such as those in all of the pending legislative proposals;
- Requirements for "key-escrow" or "key-recovery" techniques that
would enable government access to private communications or
data; and
- Linkages between the issuance of a digital signature or other
electronic authentication certificate and the escrowing or
registration of an encryption key.
Americans for Computer Privacy's website is at:
http://www.computerprivacy.org
The text of the Gore-Daschle letter is available at:
http://www.epic.org/crypto/legislation/gore_ltr_3_98.html
The text of the joint ACLU/EFF/EPIC statement:
http://www.epic.org/crypto/legislation/joint_statement_3_98.html
=======================================================================
[5] FCC Rules on Telephone Record Privacy
=======================================================================
The Federal Communications Commission ruled on February 19 that
telephone companies must obtain prior permission from their customers
before they can use or disclose personal information collected as a
result of providing services. This was a rebuke of companies,
such as AT&T, which had argued for the automatic release of the
information without permission, even though the law requires prior
consent.
In the 1996 Telecommunications Act, Congress included a provision
governing telecommunications carriers' use and disclosure of customer
proprietary network information (CPNI) and other customer information
obtained by carriers in their provision of telecommunications
services. The law created three categories of customer information
to which different privacy protections and carrier obligations apply
-- individually identifiable CPNI; aggregate customer information; and
subscriber list information.
Carriers are permitted to use CPNI without customer approval to
market offerings related to the customer's existing service
relationship with the carrier. Where information is not sensitive, or
where the customer so directs, the statute permits the free flow or
dissemination of information beyond the existing customer-carrier
relationship.
The FCC ruled that:
(a) Carriers can use CPNI, without customer approval, to market
offerings that are related to, but limited by, the customer's
existing service relationship with their carrier; and
(b) Before carriers may use CPNI to market services outside the
customer's existing service relationship, carriers must obtain
express customer approval. Such express approval may be written,
oral, or electronic. In order to ensure that customers are informed
of their statutory rights before granting approval, carriers must
provide a one-time notification of customers' CPNI rights prior to
any solicitation for approval.
The FCC also asked for further comment on several issues: the
customer's right to restrict carrier use of CPNI for all marketing
purposes; the appropriate protections for carrier information and
additional enforcement mechanisms the agency may apply; and the foreign
storage of, and access to, domestic CPNI.
The text of the new rules is available at:
http://www.fcc.gov/Bureaus/Common_Carrier/Orders/1998/fcc98027.txt
=======================================================================
[6] Virginia Internet Censorship Law Struck Down
=======================================================================
In the latest judicial rejection of Internet censorship laws, a federal
judge has struck down a Virginia statute that sought to bar state employees
from viewing "sexually explicit" communications online. In a 30-page
decision issued on February 26, U.S. District Judge Leonie M. Brinkema
granted summary judgment to the plaintiffs and held that Virginia's
"Restrictions on State Employee Access to Information Infrastructure"
unconstitutionally curbed the free speech rights of state university
professors and others.
"Most troubling of all," Judge Brinkema wrote, was that the law seemed
"intended to discourage discourse on sexual topics" simply because the
state objects to such speech. "The Supreme Court has made it clear that
the government may not use its authority over public employees for such a
purpose." The judge agreed with free speech advocates who argue that no
new content regulation is needed for the Internet. She noted existing
obscenity laws and said, "it is clear that the Act presents no improvement
over existing federal law and state laws and policies concerning computer
use and the Internet."
The case, Urofsky v. Allen, was litigated by the ACLU on behalf of six
professors from Virginia colleges and universities. The decision was the
most recent success in a series of ACLU cases challenging legal
restrictions on online speech. Previous court rulings struck down the
federal Communications Decency Act and Internet restrictions enacted in New
York and Georgia. Currently, at least 25 states have passed or are
considering Internet censorship laws. Since the beginning of this year,
five state legislatures have introduced restrictive Internet laws.
The text of the decision in Urofsky v. Allen is available at:
http://www.epic.org/free_speech/censorship/urofsky_v_allen.html
=======================================================================
[7] New Congressional Bills and Upcoming Hearings
=======================================================================
--- ACTIONS ---
H.R. 1428 -- Voter Eligibility Verification Act. Establishes a system
through which the Commissioner of Social Security and the Attorney
General respond to inquiries made by election officials concerning
the citizenship of voting registration applicants and to amend the
Social Security Act to permit States to require individuals
registering to vote in elections to provide the individual's Social
Security number. Rejected by 210-200 vote on suspension calendar vote
on February 12, 1998.
H.R. 2369 -- The Wireless Privacy Enhancement Act. Increases penalties
for intereception and disclosore of cell phone calls. Penalizes
possession of modified scanner equipment. Approved by House
414-1 on March 5, 1998.
--- UPCOMING HEARINGS ---
* Senate *
March 10, 1998. Appropriations, Commerce, Justice, State, and the
Judiciary Subcommittee. To hold hearings to examine proposals to
prevent child exploitation on the Internet. SD-192. 10:00 am.
March 17, 1998. Judiciary, Administrative Oversight and the Courts
Subcommittee. To hold hearings to examine privacy issues in the
digital age, focusing on encryption and mandatory access. SD-226.
10:00 am.
March 17, 1998. Judiciary, Technology, Terrorism, and Government
Information Subcommittee. To hold hearings to review policy
directives for protecting America's critical infrastructures.
SD-226. 2:30 pm.
March 31, 1998. Appropriations, Commerce, Justice, State, and the
Judiciary Subcommittee. To hold hearings on proposed budget estimates
for fiscal year 1999 for the Department of Justice's
counterterrorism programs. SD-192. 10:00 am.
--- NEW BILLS ---
H.R. 3174. Requires electronic preservation and filing of reports
filed with the Federal Election Commission by certain persons; to
require such reports to be made available through the Internet; and
for other purposes. Introduced by Rep. White (R-WA) on February 5,
1998. Referred to the Committee on House Oversight.
H.R. 3189. Parental Freedom of Information Act. Prohibits schools
from giving students medical, psychological, or psychiatric
examination, testing, treatment, or immunization (except in the case
of a medical emergency); or to reveal any information about the
student's personal or family life. Introduced by Rep. Thiart (R-KS).
H.R. 3209. On-Line Copyright Infringement Liability Limitation Act.
Limits liability of ISPs for copyright infringement for on-line
material. Introduced by Rep. Coble on February 12, 1998.
Referred to the Committee on the Judiciary.
H.R. 3261. Privacy Protection Act of 1997. Introduced by Rep. Paul
(R-TX). Limits use of SSN as identifier by government agencies.
Referred to the Committee on Ways and Means, and in addition to the
Committee on Government Reform and Oversight.
H.R. 3299. Family Genetic Privacy and Protection Act. Sets limits on
disclosure and use of genetic information in connection with group
health plans and health insurance coverage, prohibits employment
discrimination on the basis of genetic information and genetic
testing. Introduced by Rep. Smith (R-WA). Referred to the Committee on
Commerce, and in addition to the Committees on Education and the
Workforce, and Veterans' Affairs.
H.R. 3303. Department of Justice Appropriation Authorization Act,
Fiscal Years 1999, 2000, and 2001. Expands years of eligable funding
for CALEA to 2000 from 1998. Funds For the Federal Bureau of
Investigation: $3,014,654,000 for fiscal year 1999; $3,164,679,000
for fiscal year 2000; and $3,322,913,000 for fiscal year 2001.
S. 1631. Parental Freedom of Information Act. Prohibits schools from
giving students medical, psychological, or psychiatric examination,
testing, treatment, or immunization (except in the case of a medical
emergency); or to reveal any information about the student's personal
or family life. Introduced by Senator Hutchinson (R-TX) on February
11, 1998. Referred to the Committee on Labor and Human Resources.
=======================================================================
[8] Upcoming Conferences and Events
=======================================================================
ETHICOMP98. March 25-27,1998. Erasmus University, The Netherlands.
Sponsored by the Centre for Computing and Social Reponsibility
Contact: http://www.ccsr.cms.dmu.ac.uk/conf/ccsrorgconf.html
Medical Privacy in the Information Age: Access, Ethics and
Accountability Friday, March 27, 1998. Baltimore, MD. Sponsored by
The Women's Law Center of Maryland. Contact: conf98@wlcmd.org
1998 IEEE Symposium on IEEE Computer Society, Oakland, CA, May 3-6.
Sponsored by IEEE and IACR. Contact:
http://www.research.att.com/~reiter/oakland98.html
ACM Policy98. May 10-12, 1998. Washington, DC. Sponsored by ACM and
USACM. http://www.acm.org/usacm/events/policy98/
1998 EPIC Cryptography and Privacy Conference. June 8, 1998.
Washington, DC. Sponsored by EPIC, Harvard University and London
School of Economics. Contact: info@epic.org
INET'98, July 21-24, 1998, Geneva, Switzerland. Sponsored by Internet
Society. http://www.isoc.org/inet98/
Advances in Social Informatics and Information Systems, Baltimore,
MD, Aug. 14-16, 1998. Sponsored by the Association for Information
Systems Contact: http://info.cwru.edu/rlamb/ais98cfp.htm
CPSR Annual Conference - Internet Governance. Boston, Mass, Oct.
10-11. Sponsored by CPSR. contact: cpsr@cpsr.org
(Send calendar submissions to alert@epic.org)
=======================================================================
Subscription Information
=======================================================================
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. To subscribe or unsubscribe, send email
to epic-news@epic.org with the subject: "subscribe" (no quotes) or
"unsubscribe". A Web-based form is available at:
http://www.epic.org/alert/subscribe.html
Back issues are available at:
http://www.epic.org/alert/
=======================================================================
About EPIC
=======================================================================
The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC is sponsored by the Fund for Constitutional Government, a
non-profit organization established in 1974 to protect civil liberties
and constitutional rights. EPIC publishes the EPIC Alert, pursues
Freedom of Information Act litigation, and conducts policy research.
For more information, e-mail info@epic.org, http://www.epic.org or
write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC
20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington DC 20003. Individuals with First Virtual
accounts can donate at http://www.epic.org/epic/support.html
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and funding of the National Wiretap Plan.
Thank you for your support.
---------------------- END EPIC Alert 5.03 -----------------------
Return to: