===============================================================
                          EPIC ALERT
===============================================================
Volume 5.14                                    October 13, 1998
---------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org

=======================================================================
Table of Contents
=======================================================================

[1] Congress Expands Surveillance Authority
[2] Child Protection Bill Includes Privacy Loophole
[3] Digital Millennium Copyright Act Sent to President
[4] GILC Convenes Policy Conference in Ottawa
[5] NGOs Issue Declaration at OECD Conference
[6] National DNA Database Goes Online
[7] New Bills and Actions in Congress
[8] Upcoming Conferences and Events

=======================================================================
[1] Congress Expands Surveillance Authority
=======================================================================

The House and the Senate last week approved legislation that would expand wiretapping and the collection of personal information by law enforcement and intelligence agencies. The bill, H.R. 3694 -- the Intelligence Authorization Act for Fiscal Year 1999 -- funds the operations of the intelligence agencies, which reportedly received a funding increase to expand signals intelligence and analysis. The total budget figures are classified.

The bill authorizes the expansion of the use of roving wiretaps, which allow law enforcement to wiretap multiple telephones to intercept the communications of a single person who is using different phones.
Under the revisions, law enforcement agencies are no longer required to demonstrate in court that the person is deliberately switching phones to avoid interception, only that there is "probable cause that the person's actions could have the effect of thwarting interception." Under current law, roving taps are uncommon -- there were twelve roving taps authorized in 1997, three in 1996, and four in 1995.

The bill also authorizes the Attorney General to ask the Foreign Intelligence Surveillance Court to issue orders placing pen registers and trap and trace devices on telephones "to gather foreign intelligence or information concerning international terrorism." If Congress declares war on any country, a court order will not be required. The number of orders will not be disclosed, except to the House and Senate Intelligence Committees.

The bill also increases access to records held by businesses in the name of national security. Under the new law, the FBI will be able to obtain information on individuals from travel records, hotel information, and storage facilities with an order from the Foreign Intelligence Surveillance Court.

The bill has been sent to President Clinton for his signature; the President has expressed his intent to sign the bill into law shortly.

=======================================================================
[2] Child Protection Bill Includes Privacy Loophole
=======================================================================

Congress has enacted legislation requiring Internet service providers (ISPs) to report to law enforcement all suspected activities involving child pornography. The "Child Protection and Sexual Predator Punishment Act," which passed the House on October 12 and the Senate on October 9, carves out a new exception to provisions of the Electronic Communications Privacy Act (ECPA) protecting the confidentiality of e-mail.
While ECPA generally requires the government to obtain a search warrant before obtaining the "contents" of a communication, the new legislation appears to waive that requirement where the presence of child pornography is suspected.

Under the "Child Protection Act," whenever an ISP "obtains knowledge of facts or circumstances from which a violation of [child pornography laws] is apparent," it must report such information to a law enforcement agency. The law does not establish any standard of proof that must be met, and creates substantial disincentives for under-reporting; ISPs could be fined up to $50,000 for the first failure to report suspicious activity, and up to $100,000 for each subsequent failure to contact law enforcement authorities.

While not requiring ISPs to turn over detailed information on the activities of subscribers, the legislation clearly permits such disclosures. It provides, for example, that an ISP's report "may include additional information or material developed by [the ISP], except that the Federal Government may not require the production of such information or material." Subscribers will have little recourse if an overzealous ISP improperly discloses confidential information; the bill provides that no ISP "shall be held liable on account of any action taken in good faith to comply" with the reporting requirement.

=======================================================================
[3] Digital Millennium Copyright Act Sent to President
=======================================================================

On October 12, the House of Representatives approved legislation to update copyright law for digital media (H.R. 2281). The bill will now be sent to the White House where President Clinton is expected to sign it into law. The Senate approved the bill last week.
The legislation creates criminal penalties for circumventing copyright protection systems and also forbids the manufacture, import, sale or distribution of devices or services used for circumvention. In response to the concerns of cryptographers and security experts, limited exemptions for circumventing for the purposes of security testing or encryption research were included. However, there still remain concerns that the exemptions are too limited and will prevent the development and use of necessary research and security tools.

The bill also contains an exemption that allows circumvention if "the technological measure, or the work it protects, contains the capability of collecting or disseminating personally identifying information reflecting the online activities" of a user who seeks to gain access to the work protected. The circumvention is only allowed to disable the information collecting program.

This provision was added after EPIC testified about the threats to personal privacy presented by the bill. The EPIC testimony stressed that users needed the ability to remove cookies, or other information collecting technologies, which also may be used as copyright protection measures.

EPIC's testimony can be found at:

     http://epic.org/privacy/copyright/epic-wipo-testimony-698.html

=======================================================================
[4] GILC Convenes Policy Conference in Ottawa
=======================================================================

The Global Internet Liberty Campaign (GILC) sponsored a conference on "The Public Voice in the Development of Internet Policy" in Ottawa, Canada on October 7. More than 140 people from a dozen different countries attended the day-long symposium. The conference occurred just prior to an OECD Ministerial conference on electronic commerce.
John Manley, the Canadian Minister of Industry and chair of the OECD conference on Electronic Commerce, opened the Public Voice conference and thanked GILC for bringing together NGOs. Mr. Manley stated that the GILC conference presented an excellent opportunity to bring diverse public interest groups together in a structured forum to discuss the development of global policy for electronic commerce. According to Mr. Manley, the GILC concerns have been heard by the OECD ministers, there is a link between the two conferences, and the OECD conference should benefit from a diversity of voices regardless of frontiers.

In his conclusion Mr. Manley emphasized the importance of a "global village," and expressed his desire for a "cyber marketplace" that is available to wealthy and poor. "We gather from many countries to develop e-commerce in the global village. Our challenge is much broader today. Access to the Internet should be available to all and at a stage where half of the world population did not make a telephone call, this remains a very important challenge for consumers and suppliers."

Mr. Manley was followed by David Johnston, the former Chair of the Canadian Information Highway Advisory Council and former Provost of McGill University. According to Mr. Johnston, "we need to establish an environment where innovation can thrive, which recognizes that ideas and innovation are keys to wealth creation and institutional adoption, where change is not feared and strangled." Governments are also challenged to adapt to the information age, and a better understanding of the new technologies is needed.

Next was a panel on Consumer Protection, chaired by Karen Coyle of CPSR, that included Benoit De Bayer (Centre de droit de la consommation, Belgium), Phillip McKee (National Consumer's League, USA), Nathalie St.
Pierre (Fédération Nationale des Associations de Consommateurs du Quebec), Louise Sylvan (Vice President of Consumers' International and Chief Executive of the Australian Consumers' Association) and Bjorn Erik Thon (Consumer Council of Norway).

The second panel focused on Free Speech and Access. It was chaired by Barry Steinhardt of the Electronic Frontier Foundation and featured Yaman Akdeniz (Cyber-Rights and Cyber-Liberties UK), Pippa Lawson (Public Interest Advocacy Center), Meryem Marzouki (Imaginons un Reseau Internet Solidaire), Sid Shniad (BC Telecommunications Workers Union), Rigo Wenning (Förderverein Informationstechnik und Gesellschaft), and James Dempsey (Center for Democracy and Technology).

The luncheon speaker was Stephen Lau, the privacy commissioner for Hong Kong. Mr. Lau spoke about the need to protect dignity in the on-line world.

The third panel was chaired by Deborah Hurley, director of the Harvard University Information Infrastructure Project, and looked at issues related to Privacy and Encryption. Speakers on this panel included David Banisar (Electronic Privacy Information Center), Ulf Bruhan (European Commission, DG XV), David Jones (Electronic Frontier Canada and Computer Science Professor, McMaster University), Viktor Mayer-Schonberger (University of Vienna, Austria and Kennedy School of Government, Harvard University), and Jim Savary (York University).

The final panel was on Human Rights in the Twenty-First Century and was chaired by Marc Rotenberg of the Electronic Privacy Information Center. The speakers were Harry Hochheiser (Computer Professionals for Social Responsibility), Jagdish Parikh (Human Rights Watch), Edwin Rekosh (Public Interest Law Initiative in Transitional Societies), Felipe Rodriguez (Electronic Frontiers Australia) and Laurie Wiseberg (Human Rights Internet).

The GILC participants and other NGO representatives produced a statement that was later forwarded to the OECD Ministers (see below).
Complete conference reports are available at the conference report page:

     http://www.gilc.org/events/ottawa98/agenda.html

=======================================================================
[5] NGOs Issue Declaration at OECD Conference
=======================================================================

Consumer, labor, civil liberties, and research organizations joined together last week in support of a letter addressed to Organization for Economic Co-operation and Development (OECD) Ministers on the future of Internet policy. Representatives of more than twenty non-governmental organizations (NGOs) from eight countries signed the statement.

The NGOs urged the establishment of a permanent Public Interest Advisory Committee (PIAC), similar in type and function to business and labor groups that currently advise the OECD. The group said that the Committee should include representatives of public interest groups in the fields of human rights and democracy, privacy and data protection, consumer protection, and access.

The group said that the promotion of electronic commerce "must be considered within the broader framework of protection of human rights, the promotion and strengthening of democratic institutions, and the provision of affordable access to advanced communication services."

The group made the following recommendations to the OECD:

- Authentication and certification: All OECD member countries should implement and enforce the 1992 OECD Guidelines for the Security of Information Systems, particularly the Principles on Democracy, Ethics, and Proportionality. The OECD should also consider issues of authentication and certification within the context of consumer protection and privacy protection. Policies and practices that disregard consumer and privacy concerns will ultimately undermine public trust.
- Cryptography: The OECD should promote implementation of the Cryptography Guidelines of 1997 and urge the removal of all controls on the use and export of encryption and other privacy enhancing techniques. Trust requires the widespread availability of the strongest means to protect privacy and security.

- Protection of privacy: The OECD should urge member states to implement fully and develop means to enforce the Privacy Guidelines of 1980. The OECD Guidelines provide an essential framework to establish consumer trust in online transactions. Self-regulation has failed to provide adequate assurance. The group further recommended efforts to promote anonymity and minimize the collection of personal information so as to promote consumer confidence.

- Consumer protection: The OECD should support the establishment of minimum standards for consumer protection, including the simplification of contracts, means for cancellation, effective complaint mechanisms, limits on consumer liability, non-enforceability of unreasonable contract provisions, recourse at least to the laws and courts of their home country, and cooperation among governments in support of legal redress. Such minimal standards should provide a functional equivalence to current safeguards, offering at least the same levels of protection that would be afforded in the off-line world.

- Intellectual property: The framework for intellectual property protection should be based upon mechanisms that are least intrusive to personal privacy, and least restrictive for the development of new technologies.

- Internet governance: Governments should foster Internet governance structures that reflect democratic values and are transparent and publicly accountable to users. Standards processes should be open and should foster competition.
- Taxation: At the Ottawa ministerial Conference, Charles Rossotti, Commissioner of the United States Internal Revenue Service, spoke of the creation of a Tax Advisory Group, in which government and businesses will participate. Similarly, the public interest groups should be invited to participate in this advisory group.

- Employment: Impacts on employment must be evaluated and taken fully into account in all discussions and negotiations.

Finally, the group recommended continued support for the OECD Committee for Consumer Policy.

The following versions of the NGO letter are available:

     http://www.gilc.org/speech/oecd/ngo-oecd-letter-1098.html (English)

     http://www.gilc.org/speech/oecd/ong-lettre-ocde-1098.html (French)

     http://www.ottawaoecdconference.com/english/announcements/e_tuac.pdf (PDF)

=======================================================================
[6] National DNA Database Goes Online
=======================================================================

An FBI database of the DNA of up to a million convicted criminals from all fifty states will be activated on October 13, according to published reports. States will provide data to the National DNA Identification System and share the DNA information. Investigators will be able to upload DNA crime scene samples to the nationwide system and locate matches.

The federal DNA Identification Act of 1994 limits the database to DNA from convicted criminals. Access will be restricted to law enforcement agencies and court orders will be required to use the information in judicial proceedings. For security reasons, the physical location of the database will not be disclosed.

DNA collection has been controversial, as it singles out individuals based upon past criminal activity. The practice varies from state to state; every state collects DNA of sex offenders, while they differ on whether they collect the DNA of other criminals, including murderers, robbers and those who commit crimes against children.
White-collar criminals are universally excluded from collection.

In recent years, millions of dollars have been set aside in the federal budget for "DNA Identification State Grants." The grants were made contingent on the state databases being networked with federal computer systems.

In an August ruling that invalidated the Massachusetts "DNA Seizure and Dissemination Act," the State Superior Court held that the involuntary seizure of DNA samples from prisoners, parolees, and probationers without probable cause violates both the Fourth Amendment of the U.S. Constitution and Article 14 of the Massachusetts Constitution.

=======================================================================
[7] New Bills and Actions in Congress
=======================================================================

* NOTE: Several important measures, including the "CDA II" Internet censorship legislation, remain pending in Congress. Final Congressional action will be reported in the next issue of the Alert.

H.R. 4651. Federal Criminal Law Improvements Act of 1998. Allows wiretapping for money laundering offenses, disclosure of illegally obtained wiretap information. Introduced by McCollum (R-FL) on September 28. Referred to the Committee on the Judiciary.

H.R. 4667. Electronic Privacy Bill of Rights Act of 1998. Limits collection of personal information of children under 13. Gives FTC enforcement power. Orders FTC and FCC to hold proceedings on electronic privacy. Introduced by Markey (D-MA) on October 1. Referred to the Committee on Commerce. Text included in H.R. 3783 and approved by the House.

S.2529. The Patients' Bill of Rights Act of 1998. Sets limited rules on patient records privacy. Introduced by Daschle (D-SD) on September 29. Placed on Senate Calendar October 2.

S.2536. International Crime and Anti-Terrorism Amendments of 1998. Allows for wiretaps in computer crime cases. Introduced by Hatch (R-UT). Placed on the Calendar on October 1.
=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Privacy Pandemonium: What the EU's Privacy Directive Means for the United States. October 16. Washington, DC. Sponsored by the Cato Institute. Contact: jenyep@cato.org.

1998 UK Big Brother Awards. October 26. London School of Economics, London, UK. Sponsored by Privacy International. Contact: http://www.privacy.org/pi/bigbrother/

Symposium on Infowar and Civil Liberties. October 26. National Press Club, Washington, D.C. Sponsored by EPIC and FCG. Contact: info@epic.org.

Encryption Controls Workshop. Bedford, MA, October 29. Sponsored by U.S. Department of Commerce. Contact: (202) 482-6031.

PDC 98 - the Participatory Design Conference, "Broadening Participation". November 12-14. Seattle, WA. Sponsored by Computer Professionals for Social Responsibility in cooperation with ACM and CSCW 98. Contact: http://www.cpsr.org/conferences/pdc98

Data Privacy in the Global Age. November 13. Milwaukee, WI. Sponsored by ACLU of Wisconsin Data Privacy Project. Contact: Carole Doeppers <acluwicmd@aol.com>.

Computer Ethics. Philosophical Enquiry 98 (CEPE'98). December 14-15. London, UK. Sponsored by ACM SIGCAS and London School of Economics. http://is.lse.ac.uk/lucas/cepe98.htm

1999 RSA Data Security Conference. January 18-21, 1999. San Jose, CA. Sponsored by RSA. Contact: http://www.rsa.com/conf99/

FC '99 Third Annual Conference on Financial Cryptography. February 22-25, 1999. Anguilla, B.W.I. Contact: http://fc99.ai.

Computers, Freedom and Privacy (CFP) '99. April 6-8, 1999. Washington, DC. Sponsored by ACM. Contact: info@cfp99.org.

1999 EPIC Cryptography and Privacy Conference. June 7, 1999. Washington, DC. Sponsored by EPIC. Contact: info@epic.org.
=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe or unsubscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe". A Web-based form is available at:

     http://www.epic.org/alert/subscribe.html

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.
Individuals with First Virtual accounts can donate at http://www.epic.org/epic/support.html

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the digital wiretap law.

Thank you for your support.

---------------------- END EPIC Alert 5.14 -----------------------