===============================================================
@@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@
@ @ @ @ @ @ @ @ @ @ @ @
@@@@ @@@ @ @ @@@@@ @ @@@ @@@ @
@ @ @ @ @ @ @ @ @ @ @
@@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @
==============================================================
Volume 5.11 July 29, 1998
--------------------------------------------------------------
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org
=======================================================================
Table of Contents
=======================================================================
[1] Senate Makes Stealth Assault on Internet Free Speech
[2] House Approves "Patients Rights Act," Undermines Privacy
[3] New Report on Congress, Money and Privacy
[4] FTC Proposes Privacy Legislation
[5] Wiretap and Surveillance Update
[6] Encryption Policy Update
[7] New Bills and Action in Congress
[8] Upcoming Conferences and Events
=======================================================================
[1] Senate Makes Stealth Assault on Internet Free Speech
=======================================================================
Without advance notice or public discussion, the U.S. Senate last week
approved three controversial measures that could adversely impact free
expression on the Internet. By offering the provisions on the Senate
floor as amendments to the $33 billion appropriations bill for the
Commerce, State and Justice departments (S. 2260), the sponsors avoided
debate and apparently reneged on an agreement to consider alternative
approaches to the complex issue of children's access to "inappropriate"
material.
The Senate's stealth action involved the following measures:
- The so-called "CDA 2" bill sponsored by Sen. Dan Coats (R-IN). The
bill creates criminal penalties for anyone who "through the World Wide
Web is engaged in the business of the commercial distribution of
material that is harmful to minors" and fails to "restrict access to
such material by persons under 17 years of age." Opponents of the bill
contend that it, like the unconstitutional Communications Decency Act,
would restrict the ability of adults to receive online information
because speakers on the Internet are unable to determine the age of
potential recipients.
- The "Internet School Filtering Act" sponsored by Sen. John McCain
(R-AZ). The bill requires schools and libraries receiving federal
Internet subsidies to install software "to filter or block matter
deemed to be inappropriate for minors." Senate opponents of the
filtering bill, led by Sen. Conrad Burns (R-MT) had been assured that
the Senate would consider an alternative measure requiring schools and
libraries to adopt Internet "acceptable use policies." That agreement
was not honored.
- An amendment offered by Sen. Christopher Dodd (D-CT) requiring
Internet access providers to, "at the time of entering into an
agreement with a customer for the provision of Internet access
services, offer such customer (either for a fee or at no charge)
screening software that is designed to permit the customer to limit
access to material on the Internet that is harmful to minors."
The Internet provisions of the appropriations bill must now be
considered by a House-Senate conference committee that will reconcile
discrepancies between the two chambers' versions of the spending bill.
The Coats and McCain provisions are likely to be challenged in court if
they emerge from the conference committee and are signed into law.
The text of the Internet-related amendments to S. 2260 (including a
prohibition on Internet gambling) are available at:
http://www.epic.org/free_speech/censorship/sen_amend_7_98.html
=======================================================================
[2] House Approves "Patients Rights Act," Undermines Privacy
=======================================================================
The House of Representatives on July 24 approved a far-reaching bill on
health care that seriously undermines the privacy of medical records.
The Patients Rights Act -- the official Republican health care plan --
was approved by a partisan vote of 216-210. President Clinton had
indicated that he would veto the bill.
Among the problems with the bill:
- The act permits very broad use of medical information. Under the
version passed by the House, information can be disclosed or used "for
the purpose of permitting the provider or plan to conduct health care
operations." Health care operations is broadly defined and includes
research, "health promotion," underwriting and auditing.
- The bill preempts states from enacting stronger acts in most areas.
There are currently efforts in 16 states to approve laws on genetic
privacy and several states have approved comprehensive state medical
privacy laws. The weaker federal law would override these efforts.
- The bill is silent on law enforcement access to general medical
records.
- The bill only provides weak penalties for disclosure and misuse.
Fines can be as low as $500 and there are no criminal penalties for
willful abuses. At most, a company that has a pattern of willfully
abusing the privacy of its clients can be fined $100,000. There would
also be no independent oversight body to enforce the act.
- While the bill prohibits the sale or barter of medical records, it
does nothing about the cases where pharmaceutical companies purchase
pharmacies to obtain information about their customers.
One positive aspect is a provision introduced by Rep. Ron Paul (R-TX)
that prohibits promulgation or final adoption of the national patient
health identifier (See EPIC Alert 5.10) without prior Congressional
enactment of legislation specifically approving the standard. Senators
Ashcroft, Leahy and Burns have introduced a bill in the Senate that
would strip those provisions from federal law altogether.
The Senate is planning to vote on its version of the bill, S. 2330 (the
Patients' Bill of Rights Act) as soon as this week. S. 2230 is also
weak on privacy. Observers believe that there may be an attempt to
attach Senator Jeffords' S. 1921 (Health Care PIN Act) to S. 2230.
Medical privacy experts consider that bill to be an assault on medical
privacy.
More information on the Republican health care bills will be available
shortly at a new site on medical privacy set up by the National
Coalition for Patients' Rights at:
http://www.nationalcpr.org
More information on medical privacy is also available from EPIC at:
http://www.epic.org/privacy/medical/
=======================================================================
[3] New Report on Congress, Money and Privacy
=======================================================================
The Center for Public Integrity, a Washington-based public interest
research organization, has released a new report -- "Nothing Sacred:
The Politics of Privacy" -- which shows that Congress has often put
corporate interests ahead of the basic privacy interests of the
American people. The report documents the efforts of various industry
groups to block privacy legislation on Capitol Hill.
Chuck Lewis, the executive director of the Center, described the
results at a press conference held earlier this week at the National
Press Club. According to Lewis, when it comes to privacy "the agenda
in Congress seems to be set mostly by commercial interests." Lewis
emphasized that the Center took no position on particular privacy
legislation, but did say that Congress had an important role to help
preserve, protect and defend what little privacy we have left.
The Center report cites numerous examples where bills were bottled up
and effectively killed in Congressional committees when industry groups
weighed in. According to the Center, in 1991 and 1993 at the behest of
various corporate interests, Congress killed legislation that would
have regulated the clandestine videotaping and wiretapping of workers
on their jobs. In 1996, after lobbying by the direct-marketing
industry, Congress killed a bill that would have restricted companies'
gathering of information about children without their parents' consent.
Many of the most interesting findings in "Nothing Sacred" concern
efforts by the insurance industry and the medical industry to oppose
medical privacy legislation, a topic that is now pending on Capitol
Hill (see above).
"Nothing Sacred: The Politics of Privacy" is available from the Center
for Public Integrity, 1634 I Street, NW, Suite 902, Washington, DC
20006; 202-783-3900 (tel); 202-783-3906 (fax);
contact@publicintegrity.org and on the Internet at:
http://www.publicintegrity.org/nothing_sacred.html
=======================================================================
[4] FTC Proposes Privacy Legislation
=======================================================================
Testifying before a House Commerce Subcommittee on July 21, Federal
Trade Commission Chairman Robert Pitofsky outlined model privacy
legislation for commercial transactions on the Internet. Under the FTC
proposal, all commercial Web sites that collect personal identifying
information from or about consumers online would be required to comply
with four basic information practices: Notice, Choice, Security and
Access. Pitofsky was joined by Commissioners Sheila F. Anthony,
Mozelle W. Thompson, and Orson Swindle.
In June the FTC released a report on Internet privacy, "Privacy Online:
A Report to Congress," modeled after the 1997 EPIC report, "Surfer
Beware: Personal Privacy and the Internet." The FTC report, base on an
analysis of the effectiveness of self-regulation as a means of
protecting consumer privacy, found that industry's efforts to encourage
voluntary adoption of the most basic fair information practices have
fallen short of what is needed to protect consumers. Also in June, the
Commission released legislative recommendations for protecting
children's privacy online.
Pitofsky said the implementation of the proposed practices will vary by
industry and with technological developments. For this reason, the
Commission recommends that any legislation be phrased in general terms
and be technologically neutral.
Pitofsky also said that the FTC wished to create an incentive for
continued participation by industry. The legislative model would
provide a means by which industries could develop their own guidelines
for protecting consumers' privacy, and that those guidelines could
receive governmental approval. Industries also would be required to
ensure that they comply with and enforce their guidelines.
In addition, the proposal calls for the granting of rule-making
authority to the government agency charged with implementing the
statute. Rule-making would allow for the promulgation of specific rules
and procedures for the approval of industry guidelines.
The following materials are available online:
FTC Testimony, "Consumer Privacy on the World Wide Web"
http://www.ftc.gov/os/9807/privac98.htm
FTC Report, "Privacy Online: A Report to Congress"
http://www.ftc.gov/reports/privacy3/index.htm
EPIC Report, "Surfer Beware: Personal Privacy and the Internet"
http://www.epic.org/reports/surfer-beware.html
=======================================================================
[5] Wiretap and Surveillance Update
=======================================================================
Just Kidding ...
The U.S. Department of Justice is now saying that it does not support
the proposed amendments to the Communications Assistance for Law
Enforcement Act (CALEA) that the FBI had provided to Senators a few
weeks ago (See EPIC Alert 5.10). Assistant Attorney General Steven
Colgate characterizes the amendment as a "staff document" and describes
the language on emergency access to cell phone location information
without a warrant as "boneheaded." However, Senate staff reports
receiving calls from a senior FBI lobbyist pushing for the amendment
even after the New York Times reported on the Bureau proposal.
Judge Dismisses Wiretap Suit
A federal judge has dismissed the civil lawsuit by Rep. John A. Boehner
(R-OH) against Rep. Jim McDermott (D-WA) for McDermott's disclosure of
Boehner's cell phone conversations with Speaker Newt Gingrich. The
court ruled that, "Although protection of privacy is certainly a
substantial government interest, it is not clear that it is an interest
'of the highest order,' such that it can trump defendant's First
Amendment rights." The judge was critical of both Congressmen for the
political nature of the case.
Two Party Consent Nearly Adopted by the Senate.
The Senate barely rejected an amendment to S. 2260, the Commerce, State
and Justice Appropriations Bill, by a vote to 50-50 that would have
required both parties to a telephone conversation to consent before
phone calls can be recorded. The amendment was introduced by Senator
Dale Bumpers (D-AR).
UK Taps Up 25 Percent in 1997.
Lord Nolan, the UK Interception of Communications Commissioner,
reported this week that wiretapping in the UK increased 25 percent in
1997 over 1996. A total of 1647 taps were authorized under the
Interception of Communications Act 1985. The report also said that the
phones of several people who were not targets of investigations were
bugged because operators got the wrong numbers. Another tribunal also
criticized Foreign Minister Robin Cook for failing to read a warrant,
leading to an unlawful surveillance operation by the GCHQ spy agency.
Justice, the UK affiliate of the International Committee of Jurists,
released a report on July 28 critical of current UK law and calling for
the improvement of laws governing wiretapping, bugging and video
surveillance. More details are available at:
http://reports.guardian.co.uk/articles/1998/7/28/p-13297.html
Russian Net Surveillance Plan
The UK Guardian Newspaper reports that the Russian Federal Security
Bureau (formerly the KGB) has a plan that would force all providers of
Internet services to install a "black box" snooping device in their
main computers. Internet providers would be obliged to build a
high-speed data link to the security service's Internet control room so
that FSB operators could access a vast amount of information about any
user. Perhaps Cisco will have a market for the "Private Doorbell"
surveillance-friendly encryption system after all.
http://www.fe.msk.ru/libertarium
=======================================================================
[6] Encryption Policy Update
=======================================================================
A digital signature bill introduced by Senator Spencer Abraham (R-MI)
could pass in the Senate within the next week. The Government
Paperwork Elimination Act (S. 2107) would set the stage for a national
certificate authority infrastructure. Privacy advocates fear that a
such a government-sanctioned system could eliminate anonymity by
creating an ID for each user of the Internet.
In an announcement of one of Europe's most liberal encryption policies,
Ireland announced on July 1 that it would not restrict the use or
import of cryptographic tools or technology, and would regulate
cryptographic exports only out of compliance with the Wassenaar
agreement. Law enforcement needs would be accommodated by enacting
legislation that would "oblige users of encryption products to release,
in response to lawful authorization, either plaintext which verifiably
relates to the encrypted data in question or the keys ... necessary to
retrieve the plaintext." http://www.irlgov.ie:80/tec/html/signat.htm
The Department of Commerce Technical Advisory Committee on key escrow
that folded last month has been resurrected by the Department in order
to develop a standard for escrow to be used by federal computers and
foisted upon the public. The Committee plans to meeting in San
Francisco and Orlando in September and October to attempt to come up
with a final standard by the end of the year.
Americans for Computer Privacy, an industry trade group organized to
relax export controls on encryption, launched a multimedia advertising
campaign including TV and print ads on export controls. The effort
includes an ad based on the infamous "Harry and Louise" campaign
against the 1994 Health Care bill, in this case a "middle American"
couple sit around talking about crypto policy. See
http://www.computerprivacy.com for additional information.
More information on encryption policy is available at:
http://www.crypto.org/
=======================================================================
[7] New Congressional Bills and Upcoming Hearings
=======================================================================
H.R. 4243. Government Waste, Fraud, and Error Reduction Act of 1998.
Increases data sharing among federal agencies, proposes using NIST
crypto standards (aka key escrow) for systems, recommends using credit
reports, National New Hires Data Bases for checking. Introduced by Horn
(R-CA) on July 16. Referred to the Committee on Government Reform and
Oversight, and in addition to the Committees on the Judiciary, and Ways
and Means.
H.R. 4250. Patient Protection Act of 1998. Republican Health Care bill.
Sets weak standards for privacy, prohibits states from passing stronger
protections. Approved by the House 216-210 on July 24.
H.R. 4276. Departments of Commerce, Justice, and State, and Judiciary,
and Related Agencies Appropriations Act, 1999. $2,965,971,000 for the
Federal Bureau of Investigation, $35,929,000 above the appropriation
for the current year and $52,353,000 below the request. $6,120,000 and
31 positions to establish three new Computer Investigative and
Infrastructure Threat Assessment (CITAC) Teams. No funding for CALEA.
Approved by the House Committee on Appropriations, July 20. (H. Rept.
105-636).
S. 2260. Departments of Commerce, Justice, and State, the Judiciary,
and Related Agencies Appropriations Act, 1999 (see Article 1 above).
S. 2294. National Criminal History Access and Child Protection Act. To
facilitate the exchange of criminal history records for non criminal
justice purposes, to provide for the decentralized storage of criminal
history records, to amend the National Child Protection Act of 1993 to
facilitate the fingerprint checks authorized by that Act, and for other
purposes. Introduced by Hatch (R-UT) on July 13. Approved by Senate on
July 13.
S. 2330. Patients' Bill of Rights Act. Republican Health Care Bill.
Scheduled for vote this week (see Article 2 above).
S. 2352. The Patient Privacy Rights Act. Repeals the "unique medical
identifiers" requirement of the Health Insurance Portability Law of
1996 (HIPAA). Introduced by Leahy (D-VT) on June 24. Referred to the
Committee on Finance.
* Hearings Scheduled *
July 29. House Committee hearing on Electronic Commerce: The Global
Electronic Marketplace. 10:30 a.m. in 2123 Rayburn House Office
Building.
July 30. House Committee, Subcommittee on Telecommunications, Trade,
and Consumer Protection markup of H.R. 3888, the Anti-slamming
Amendments Act. 2:00 p.m. in 2123 Rayburn House Office Building. Bill
also relates to Spam.
=======================================================================
[8] Upcoming Conferences and Events
=======================================================================
"Law Enforcement and the March of Technology: The Erosion of Privacy in
the Information Age," American Bar Association Annual Meeting. Sunday
August 2, 1998, from 2:00 pm to 3:15 pm, Toronto, Canada. Sponsored by
the ABA. Contact: Andrew Grosso
Advances in Social Informatics and Information Systems, Baltimore, MD,
Aug. 14-16, 1998. Sponsored by the Association for Information Systems
Contact: http://info.cwru.edu/rlamb/ais98cfp.htm
Fifth Annual Privacy Issues Forum. 2 - 3 September 1998, Wellington,
New Zealand. Sponsored by the NZ Privacy Commissioner. Contact:
privacy@iprolink.co.nz
The Outlook for Freedom, Privacy and Civil Society on the Internet in
Central and Eastern Europe. Budapest, Hungary. 4-6 September 1998.
Sponsored by Global Internet Liberty Campaign. Contact:
http://www.gilc.org/events/budapest/
Telecommunications Policy Research Conference. October 3-5, 1998
Alexandria, Virginia. Contact: http://www.si.umich.edu/~prie/tprc/
The Public Voice in the Development of Internet Policy. Ottawa, Canada.
October 7, 1998. Sponsored by GILC and Privacy International. Contact:
info@gilc.org
One Planet, One Net: Governing the Internet Symposium. Boston, Mass,
Oct. 10-11. Sponsored by CPSR. Contact:
http://www.cpsr.org/conferences/annmtg98/
PDC 98 - the Participatory Design Conference, "Broadening
Participation" November 12-14, 1998. Seattle, Washington. Sponsored by
Computer Professionals for Social Responsibility in cooperation with
ACM and CSCW 98. Contact: http://www.cpsr.org/conferences/pdc98
Computer Ethics. Philosophical Enquiry 98 (CEPE'98). 14-15 December
1998 London, UK. Sponsored by ACMSIGCAS and London School of Economics.
http://is.lse.ac.uk/lucas/cepe98.htm
1999 RSA Data Security Conference. January 18-21, 1999. San Jose,
California. Sponsored by RSA. Contact: http://www.rsa.com/conf99/
FC '99 Third Annual Conference on Financial Cryptography. February
22-25 1999 Anguilla, B.W.I., (submissions due: September 25, 1998).
Computers, Freedom and Privacy (CFP) '99. April 6-8. Washington, DC.
Sponsored by ACM. Contact: info@cfp99.org.
(Send calendar submissions to alert@epic.org)
=======================================================================
Subscription Information
=======================================================================
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. To subscribe or unsubscribe, send email
to epic-news@epic.org with the subject: "subscribe" (no quotes) or
"unsubscribe". A Web-based form is available at:
http://www.epic.org/alert/subscribe.html
Back issues are available at:
http://www.epic.org/alert/
=======================================================================
About EPIC
=======================================================================
The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC is sponsored by the Fund for Constitutional Government, a
non-profit organization established in 1974 to protect civil liberties
and constitutional rights. EPIC publishes the EPIC Alert, pursues
Freedom of Information Act litigation, and conducts policy research.
For more information, e-mail info@epic.org, http://www.epic.org or
write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC
20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully tax-
deductible. Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington DC 20003. Individuals with First Virtual
accounts can donate at http://www.epic.org/epic/support.html
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and funding of the digital wiretap law.
Thank you for your support.
---------------------- END EPIC Alert 5.11 -----------------------
.
