==============================================================

                          EPIC ALERT

==============================================================
Volume 5.03                                      March 9, 1998
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/

=======================================================================
Table of Contents
=======================================================================

[1] FBI and Telephone Industry Working Toward Wiretap Agreement
[2] Advocates, Academics, Experts Send Letter on Privacy Conference
[3] New BW/Harris Poll Shows Support for Privacy Legislation
[4] Encryption Debate Resumes -- ACLU/EFF/EPIC Issue Statement
[5] FCC Requires Privacy Protections for Phone Records
[6] Virginia Internet Censorship Law Struck Down
[7] Congressional Actions, New Bills and Upcoming Hearings
[8] Upcoming Conferences and Events

=======================================================================
[1] FBI and Telephone Industry Working Toward Wiretap Agreement
=======================================================================

The telephone industry and the FBI may be on the verge of an agreement that could jeopardize the privacy of all Americans. Following a meeting with Attorney General Janet Reno and FBI Director Louis Freeh on March 6, industry executives agreed to resume negotiations over implementation of the Communications Assistance to Law Enforcement Act (CALEA), a controversial 1994 law requiring that digital telephone technology be designed to facilitate wiretapping. The discussions had broken down after industry negotiators concluded that the FBI was seeking to significantly broaden its surveillance powers and require many more technical changes than CALEA envisions.
The impasse has delayed implementation of CALEA, which requires new wiretap-friendly technology to be in place by October 28 of this year. Attorney General Reno recently told Congress that the FBI and Justice Department "will avail ourselves of all lawful mechanisms available" to force implementation of CALEA. She has also conceded that the technological changes sought by the FBI will likely exceed the $500 million Congress authorized the government to pay telecommunications companies to make the changes needed to let law enforcement conduct wiretaps on digital lines.

The March 6 DOJ/FBI/industry meeting was closed to the public, a fact that led EPIC and other groups to send the Attorney General a letter of protest. The letter noted that, "the effort to agree on a design of the nation's telephone system without privacy input violates the intent of Congress to ensure public participation in the process."

Recent FBI actions have also been criticized by Rep. Bob Barr (R-GA), who told the House of Representatives on March 4,

    The FBI . . . has gone far beyond its consultative role in the implementation of CALEA. The FBI has insisted that the industry's technical standards include requirements for capabilities that go beyond the scope or intent of CALEA. The capabilities proposed to be included by the FBI are costly, technically difficult to deploy or technically infeasible, and raise significant legal and privacy concerns.

Barr has introduced legislation that would delay for two years the deadline for industry compliance with CALEA.
More information on CALEA and wiretapping is available at:

    http://www.epic.org/privacy/wiretap/

=======================================================================
[2] Advocates, Academics, Experts Send Letter on Privacy Conference
=======================================================================

A group of more than 70 leading privacy scholars, advocates, and technical experts has urged the Department of Commerce to ensure that a proposed White House conference on privacy is not dominated by special interest groups.

The group said that "This conference provides an important opportunity for listening to the public and developing policies that respond to public concerns. It is critical to the operation of democratic government that all interested parties are given an opportunity to participate in important government proceedings."

The letter was created after the planning for the White House-sponsored event was handed over to representatives of the Direct Marketing Association and online companies that oppose privacy laws.

The group urged certain goals for a White House conference on privacy. These include:

- Understanding the threats to privacy and the difficulty that consumers face trying to protect their privacy;

- Evaluating the sufficiency of self-regulation and the adequacy and effectiveness of current US privacy policies;

- Exploring the use of encryption, anonymity, and other privacy enhancing techniques to protect online privacy; and

- Recognizing the level of public support for strong privacy protection.

The letter made four recommendations for the organization of the conference:

1) The conference should be organized by full-time employees of the U.S.
government and decisions about participation, program, and conference activities must be made by the agency responsible for the event;

2) The organizing of this event should be as open and inclusive as possible, including use of the Internet to solicit comments;

3) The evaluation of the adequacy of self-regulation to protect privacy should be a primary goal of this conference. Many believe that the policy has not succeeded and that stronger steps, including legislation, should be considered;

4) Cryptography should be a central issue at a White House conference on Internet Privacy.

The group said that "a fundamental change in the organization of this event must be made to address the issues we have outlined."

The text of the letter is available at:

    http://www.epic.org/privacy/internet/daley_ltr_2_26_98.html

=======================================================================
[3] New BW/Harris Poll Shows Support for Privacy Legislation
=======================================================================

A new poll conducted by the Lou Harris organization for Businessweek shows far-reaching public support for privacy legislation.

The poll found that 53% of respondents wanted government to "pass laws now for how personal information can be collected and used on the Internet." 23% said that "government should recommend privacy standards for the Internet but not pass laws at this time." Only 19% said "government should let groups develop voluntary privacy standards but not take any action now unless real problems arise."

The poll showed little difference in support for Internet privacy legislation between Internet users and non-users. 50% of PC users favored privacy legislation for the Internet.

The poll also suggested that privacy policies alone would do little to address public concerns about privacy. Of those who might register at a web site, 44% said a policy would make little difference and 44% said it would make no difference at all.
The findings of the Harris/Businessweek poll are consistent with other polls about privacy legislation.

Businessweek/Harris Poll

    http://www.businessweek.com/premium/11/b3569104.htm

EPIC Privacy Surveys Archive

    http://www.epic.org/privacy/survey/

=======================================================================
[4] Encryption Debate Resumes -- ACLU/EFF/EPIC Issue Statement
=======================================================================

The debate over U.S. encryption policy is likely to heat up with the creation of a new industry-led coalition and consideration of competing proposals pending before Congress.

On March 4, Americans for Computer Privacy (ACP) was unveiled at a press conference on Capitol Hill. The coalition, supported by the high-tech industry and major trade associations, plans a $10 million media campaign to educate the public on the threats to privacy posed by the Administration's crypto policy and the FBI's push for domestic controls on encryption. EPIC, along with the American Civil Liberties Union and the Electronic Frontier Foundation, released a statement welcoming the creation of ACP and supporting the coalition's goal of fostering an informed public debate on encryption policy (see text of statement below).

While the ACP is supporting the Safety and Freedom Through Encryption (SAFE) Act sponsored by Rep. Bob Goodlatte (R-VA), Senators John McCain (R-AZ) and Robert Kerrey (D-NE) are promoting a revised version of their Secure Public Networks Act. The McCain-Kerrey bill seeks to establish various incentives for the widespread adoption of key-recovery encryption techniques that would enable governmental access to encrypted information. It would also retain existing export controls on encryption. The SAFE bill, on the other hand, would relax export controls and is generally viewed as a pro-encryption measure. It does, however, contain a provision criminalizing the use of encryption in furtherance of a crime.
That provision has been criticized by EPIC and other civil liberties groups.

In the midst of this activity, Vice President Gore on March 4 transmitted a letter on encryption policy to Senate Minority Leader Tom Daschle (D-SD). While apparently intended to clarify the Administration's position, the Gore letter sent mixed signals. The Vice President wrote that, "The Administration believes the best approach is to pursue a good faith dialogue over the coming months between industry and law enforcement, which can produce cooperative solutions, rather than seeking to legislate domestic controls." But reiterating its support for key-escrow and key-recovery, he said, "the Administration remains committed to finding ways to preserve the ability of the Nation's law enforcement community to access, under strictly defined legal procedures, the plain text of criminally related communications and stored information."

The ACLU, EFF and EPIC issued a statement on the formation of the Americans for Computer Privacy. The groups said that they welcome the formation of the ACP. They said that there are two principal goals that "must be incorporated into our national encryption policy":

- Repeal of existing U.S. controls on the export of encryption products and technology for everyone, not simply mass-market producers of encryption software; and

- Preserving the right of all Americans to use any encryption product or technique they wish, both domestically and abroad.
The groups further said that they oppose:

- Any government attempts to regulate the domestic use of encryption;

- Legal provisions that would criminalize the use of encryption, such as those in all of the pending legislative proposals;

- Requirements for "key-escrow" or "key-recovery" techniques that would enable government access to private communications or data; and

- Linkages between the issuance of a digital signature or other electronic authentication certificate and the escrowing or registration of an encryption key.

Americans for Computer Privacy's website is at:

    http://www.computerprivacy.org

The text of the Gore-Daschle letter is available at:

    http://www.epic.org/crypto/legislation/gore_ltr_3_98.html

The text of the joint ACLU/EFF/EPIC statement:

    http://www.epic.org/crypto/legislation/joint_statement_3_98.html

=======================================================================
[5] FCC Rules on Telephone Record Privacy
=======================================================================

The Federal Communications Commission ruled on February 19 that telephone companies must obtain prior permission from their customers before they can use or disclose personal information collected as a result of providing services. This was a rebuke of companies, such as AT&T, which had argued for the automatic release of the information without permission, even though the law requires prior consent.

In the 1996 Telecommunications Act, Congress included a provision governing telecommunications carriers' use and disclosure of customer proprietary network information (CPNI) and other customer information obtained by carriers in their provision of telecommunications services. The law created three categories of customer information to which different privacy protections and carrier obligations apply -- individually identifiable CPNI; aggregate customer information; and subscriber list information.
Carriers are permitted to use CPNI without customer approval to market offerings related to the customer's existing service relationship with the carrier. Where information is not sensitive, or where the customer so directs, the statute permits the free flow or dissemination of information beyond the existing customer-carrier relationship.

The FCC ruled that:

(a) Carriers can use CPNI, without customer approval, to market offerings that are related to, but limited by, the customer's existing service relationship with their carrier; and

(b) Before carriers may use CPNI to market services outside the customer's existing service relationship, carriers must obtain express customer approval. Such express approval may be written, oral, or electronic. In order to ensure that customers are informed of their statutory rights before granting approval, carriers must provide a one-time notification of customers' CPNI rights prior to any solicitation for approval.

The FCC also asked for further comment on several issues: the customer's right to restrict carrier use of CPNI for all marketing purposes; the appropriate protections for carrier information and additional enforcement mechanisms the agency may apply; and the foreign storage of, and access to, domestic CPNI.

The text of the new rules is available at:

    http://www.fcc.gov/Bureaus/Common_Carrier/Orders/1998/fcc98027.txt

=======================================================================
[6] Virginia Internet Censorship Law Struck Down
=======================================================================

In the latest judicial rejection of Internet censorship laws, a federal judge has struck down a Virginia statute that sought to bar state employees from viewing "sexually explicit" communications online. In a 30-page decision issued on February 26, U.S. District Judge Leonie M.
Brinkema granted summary judgment to the plaintiffs and held that Virginia's "Restrictions on State Employee Access to Information Infrastructure" unconstitutionally curbed the free speech rights of state university professors and others.

"Most troubling of all," Judge Brinkema wrote, was that the law seemed "intended to discourage discourse on sexual topics" simply because the state objects to such speech. "The Supreme Court has made it clear that the government may not use its authority over public employees for such a purpose."

The judge agreed with free speech advocates who argue that no new content regulation is needed for the Internet. She noted existing obscenity laws and said, "it is clear that the Act presents no improvement over existing federal law and state laws and policies concerning computer use and the Internet."

The case, Urofsky v. Allen, was litigated by the ACLU on behalf of six professors from Virginia colleges and universities. The decision was the most recent success in a series of ACLU cases challenging legal restrictions on online speech. Previous court rulings struck down the federal Communications Decency Act and Internet restrictions enacted in New York and Georgia.

Currently, at least 25 states have passed or are considering Internet censorship laws. Since the beginning of this year, five state legislatures have introduced restrictive Internet laws.

The text of the decision in Urofsky v. Allen is available at:

    http://www.epic.org/free_speech/censorship/urofsky_v_allen.html

=======================================================================
[7] New Congressional Bills and Upcoming Hearings
=======================================================================

--- ACTIONS ---

H.R. 1428 -- Voter Eligibility Verification Act.
Establishes a system through which the Commissioner of Social Security and the Attorney General respond to inquiries made by election officials concerning the citizenship of voting registration applicants and to amend the Social Security Act to permit States to require individuals registering to vote in elections to provide the individual's Social Security number. Rejected by 210-200 vote on suspension calendar vote on February 12, 1998.

H.R. 2369 -- The Wireless Privacy Enhancement Act. Increases penalties for interception and disclosure of cell phone calls. Penalizes possession of modified scanner equipment. Approved by House 414-1 on March 5, 1998.

--- UPCOMING HEARINGS ---

* Senate *

March 10, 1998. Appropriations, Commerce, Justice, State, and the Judiciary Subcommittee. To hold hearings to examine proposals to prevent child exploitation on the Internet. SD-192. 10:00 am.

March 17, 1998. Judiciary, Administrative Oversight and the Courts Subcommittee. To hold hearings to examine privacy issues in the digital age, focusing on encryption and mandatory access. SD-226. 10:00 am.

March 17, 1998. Judiciary, Technology, Terrorism, and Government Information Subcommittee. To hold hearings to review policy directives for protecting America's critical infrastructures. SD-226. 2:30 pm.

March 31, 1998. Appropriations, Commerce, Justice, State, and the Judiciary Subcommittee. To hold hearings on proposed budget estimates for fiscal year 1999 for the Department of Justice's counterterrorism programs. SD-192. 10:00 am.

--- NEW BILLS ---

H.R. 3174. Requires electronic preservation and filing of reports filed with the Federal Election Commission by certain persons; to require such reports to be made available through the Internet; and for other purposes. Introduced by Rep. White (R-WA) on February 5, 1998. Referred to the Committee on House Oversight.

H.R. 3189. Parental Freedom of Information Act.
Prohibits schools from giving students medical, psychological, or psychiatric examination, testing, treatment, or immunization (except in the case of a medical emergency); or to reveal any information about the student's personal or family life. Introduced by Rep. Tiahrt (R-KS).

H.R. 3209. On-Line Copyright Infringement Liability Limitation Act. Limits liability of ISPs for copyright infringement for on-line material. Introduced by Rep. Coble on February 12, 1998. Referred to the Committee on the Judiciary.

H.R. 3261. Privacy Protection Act of 1997. Introduced by Rep. Paul (R-TX). Limits use of SSN as identifier by government agencies. Referred to the Committee on Ways and Means, and in addition to the Committee on Government Reform and Oversight.

H.R. 3299. Family Genetic Privacy and Protection Act. Sets limits on disclosure and use of genetic information in connection with group health plans and health insurance coverage, prohibits employment discrimination on the basis of genetic information and genetic testing. Introduced by Rep. Smith (R-WA). Referred to the Committee on Commerce, and in addition to the Committees on Education and the Workforce, and Veterans' Affairs.

H.R. 3303. Department of Justice Appropriation Authorization Act, Fiscal Years 1999, 2000, and 2001. Expands years of eligible funding for CALEA to 2000 from 1998. Funds for the Federal Bureau of Investigation: $3,014,654,000 for fiscal year 1999; $3,164,679,000 for fiscal year 2000; and $3,322,913,000 for fiscal year 2001.

S. 1631. Parental Freedom of Information Act. Prohibits schools from giving students medical, psychological, or psychiatric examination, testing, treatment, or immunization (except in the case of a medical emergency); or to reveal any information about the student's personal or family life. Introduced by Senator Hutchinson (R-TX) on February 11, 1998. Referred to the Committee on Labor and Human Resources.
=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

ETHICOMP98. March 25-27, 1998. Erasmus University, The Netherlands. Sponsored by the Centre for Computing and Social Responsibility. Contact: http://www.ccsr.cms.dmu.ac.uk/conf/ccsrorgconf.html

Medical Privacy in the Information Age: Access, Ethics and Accountability. Friday, March 27, 1998. Baltimore, MD. Sponsored by The Women's Law Center of Maryland. Contact: conf98@wlcmd.org

1998 IEEE Symposium on IEEE Computer Society, Oakland, CA, May 3-6. Sponsored by IEEE and IACR. Contact: http://www.research.att.com/~reiter/oakland98.html

ACM Policy98. May 10-12, 1998. Washington, DC. Sponsored by ACM and USACM. http://www.acm.org/usacm/events/policy98/

1998 EPIC Cryptography and Privacy Conference. June 8, 1998. Washington, DC. Sponsored by EPIC, Harvard University and London School of Economics. Contact: info@epic.org

INET'98, July 21-24, 1998, Geneva, Switzerland. Sponsored by Internet Society. http://www.isoc.org/inet98/

Advances in Social Informatics and Information Systems, Baltimore, MD, Aug. 14-16, 1998. Sponsored by the Association for Information Systems. Contact: http://info.cwru.edu/rlamb/ais98cfp.htm

CPSR Annual Conference - Internet Governance. Boston, Mass, Oct. 10-11. Sponsored by CPSR. Contact: cpsr@cpsr.org

(Send calendar submissions to alert@epic.org)

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe or unsubscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".
A Web-based form is available at:

    http://www.epic.org/alert/subscribe.html

Back issues are available at:

    http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Individuals with First Virtual accounts can donate at http://www.epic.org/epic/support.html

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan.

Thank you for your support.

---------------------- END EPIC Alert 5.03 -----------------------