============================================================== @@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @@@@@ @ @@@ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @ ============================================================== Volume 5.20 December 17, 1998 -------------------------------------------------------------- Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. http://www.epic.org ======================================================================= Table of Contents ======================================================================= [1] EPIC Urges FCC to Reject FBI Surveillance Proposal [2] Free Speech Groups Say "No" to Library Filters [3] Appeals Court Upholds Drivers Privacy Protection Act [4] FDIC Proposes New "Spy on Your Customer" Regulations [5] CDC Issues Guidelines on HIV Tracking [6] Australia Announces Privacy Law for Businesses [7] EPIC Bookstore [8] Upcoming Conferences and Events ======================================================================= [1] EPIC Urges FCC to Reject FBI Surveillance Proposal ======================================================================= EPIC, joined by the Electronic Frontier Foundation and the American Civil Liberties Union, filed formal comments with the Federal Communications Commission on December 14 urging the rejection FBI-proposed technical requirements for wiretapping. The FBI proposals would -- among other things -- enable law enforcement to determine the location of individuals using cellular telephones. Also at issue is the surveillance of "packet-mode" communications such as those that form the core of the Internet. The comments were filed as part of the FCC's proceeding on implementation of the controversial Communications Assistance for Law Enforcement Act (CALEA). In a "Further Notice of Proposed Rulemaking" released on November 5, the Commission expressed its initial opinion that an interim FBI/industry technical standard (J-STD-025) on cellular phone "tracking" complies with CALEA. The FCC withheld judgment on the packet-mode issue, but sided with the FBI on the so-called "punchlist" issues of conference call wiretaps, the capture of signaling information and "post-cut-through digits," and other surveillance capabilities. The EPIC/EFF/ACLU comments note that "as advancing technology increases the ability of government agents to intercept private communications, the potential threat to individual liberties grows." The groups also urged the FCC to recognize that advanced telecommunications services dramatically multiply the number of private encounters that take place electronically and thus create the potential for pervasive government surveillance of private activities that were never previously subject to government monitoring. The law firm of Covington & Burling is providing pro bono assistance in this case. Excerpts from the comments: Groups dedicated to the protection of privacy expressed grave reservations in 1994 about the potential for CALEA to be used improperly by law enforcement to expand the scope of electronic surveillance; with the filing of the DoJ/FBI Petition, these concerns were realized. Now, with the release of the Commission's Further Notice of Proposed Rulemaking, the privacy of our Nation's communications is seriously at risk. . . . In explaining its tentative conclusions, the Commission offers virtually no discussion of privacy interests. The Commission fails to explain how its tentative conclusions are consistent with the privacy protections embodied in CALEA, the Fourth Amendment and Title III of the 1968 Wiretap Act. Privacy interests had no voice in drafting or adoption of the interim standard. Having been excluded from these earlier proceedings, it is imperative that privacy interests, as directed by Congress, be given full consideration by the Commission. Accordingly, the Commission must confront the privacy issues raised by the interim standard and the "punchlist" items. . . . [T]he Commission should find that the industry's interim standard and the DoJ/FBI Petition, if granted, would frustrate the privacy interests of federal statutes and of the Fourth Amendment. The DoJ/FBI Petition seeks surveillance capabilities that far exceed the capabilities law enforcement has had in the past and is entitled to under the law. Additional information on CALEA, including the full text of EPIC's comments, is available at: http://www.epic.org/privacy/wiretap/ ======================================================================= [2] Free Speech Groups Say "No" to Library Filters ======================================================================= Members of the Internet Free Expression Alliance (IFEA) submitted a joint statement to the National Commission on Library and Information Science (NCLIS) on December 14, urging the Library Commission to oppose the use of Internet filters in public libraries when it issues its forthcoming report on "Kids and the Internet." EPIC joined with nine other organizations in recommending a "user education" approach to the issue of objectionable online content, rather than relying on clumsy and often ineffective filtering systems. The joint statement cites the recent federal court decision in the Loudoun County case, which found that placing filters on all library computers violated the First Amendment rights of adult patrons (see EPIC Alert 5.18). The judge in that case (a former librarian) held that a government body like a library "cannot avoid its constitutional obligation by contracting out its decisionmaking to a private entity" such as a software vendor." The decision was issued two weeks after NCLIS held a public hearing to discuss the use of Internet filtering systems in libraries. The Library Commission has said the purpose of its November hearing was "to hear firsthand from experts on the problems and complex issues arising from what NCLIS Vice Chair Martha Gould described as the 'dark side of the Internet.'" The NCLIS report on "Kids and the Internet: The Promise and the Perils" is expected to be released as early as the first week of January. The full text of the IFEA members' statement is available at: http://www.ifea.net/joint_nclis_statement.html More information on IFEA is available from: http://www.ifea.net/ ======================================================================= [3] Appeals Court Upholds Drivers Privacy Protection Act ======================================================================= The Tenth Circuit Court of Appeals ruled on December 3 that the Drivers Privacy Protection Act of 1994, a law that requires states to limit the disclosure of motor vehicle records, does not violate the Tenth Amendment. The state of Oklahoma had challenged the DPPA as an unconstitutional infringement on state sovereignty. The state relied on two prior decisions of the Supreme Court that invalidated federal legislation which "commandeers" state legislative and administrative processes. The state also cited a Fourth Circuit decision that held that the DPPA was unconstitutional because it regulated only the activity of the states and was not a law of "general application" that also covered private parties. In an opinion by Judge Bobby R. Baldock, the Tenth Circuit found that, "the arguments against the DPPA are much less compelling than the arguments against the statutes at issue" in the two earlier cases. The court said: [T]he DPPA does not commandeer the state legislative process by requiring states to enact legislation regulating the disclosure of personal information from motor vehicle records. Rather, the DPPA directly regulates the disclosure of such information and preempts contrary state law. If states do not wish to comply with those regulations, they may stop disseminating information in their motor vehicle records to the public. The court further said: In enacting the DPPA, Congress obviously curtailed states' prerogative to make choices respecting the release of motor vehicle information. No one claims that Congress exceeded the scope of its power under the Commerce Clause in so doing. Nor has the Supreme Court ever suggested that Congress impermissibly invades areas reserved to the states under the Tenth Amendment because it exercises its preemptive authority under the Commerce Clause in a manner that displaces state law and policy to some extent. The DPPA simply requires states to make a choice, i.e. stop releasing personal information from state motor vehicle records to the public, or release such information consistent with the dictates of the DPPA. The split between the Tenth Circuit and the Fourth Circuit now raises the prospect that the Supreme Court will be asked to decide the constitutionality of the Drivers Privacy Protection Act. Oklahoma v. United States, No 97-6389 (CA10, Dec. 3, 1998) http://lawlib.wuacc.edu/ca10/cases/1998/12/97-6389.htm Condon v. Reno, 155 F.3d 453 (CA4 1998) http://www.law.emory.edu/4circuit/sept98/972554.p.html ======================================================================= [4] FDIC Proposes New "Spy on Your Customer" Regulations ====================================================================== = The Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board, Office of the Comptroller of the Currency, and Office of Thrift Supervision, issued a proposed rule on December 7 to require banks to expand monitoring of their customers activities and require banks to report "suspicious" activities. The new "Know Your Customer" rules are intended to require banks to verify the identity of their customers, determine the source of their funds, determine "normal and expected transactions," and report suspicious activities. Banks will require identification from prospective customers which will include a document containing a photograph and signature. The new rules have already generated significant protests. Nearly 3,000 comments from individuals opposing the new rules on privacy grounds were submitted after the proposed regulation was published. Many bankers are also concerned with the proposal: "We think the regulation is by its very nature, at odds with attempts to protect customer privacy," said Paul Stock of the North Carolina Bankers Association. The proposal raises numerous issues: lack of accountability, lack of recourse for customers -- no provision for customer review and correction of data; no restrictions on secondary use of the data. Furthermore, the cost of establishing this program and monitoring accounts are also likely to be passed on to the customer in new fees. The FDIC acknowledges that information gathered, if misused, could "result in an invasion of a customer's privacy." While suggesting that the banks should "integrate comprehensive privacy practices" into these programs, they do not set out any privacy procedures or limitations on its use. Comments on the proposed rule are due on March 8, 1998. The FDIC proposal is available at: http://www.fdic.gov/banknews/know.html ======================================================================= [5] CDC Issues Guidelines on HIV Tracking ======================================================================= The Center for Disease Control and Prevention (CDC) issued new guidelines on December 10, 1998 recommending that health-care providers report the names of individuals testing positive for the HIV virus. The proposed rule recommends that all states begin tracking HIV cases and submit that information to the CDC. The proposed rule does not require using the names of individuals with HIV but does strongly recommend their use over a coded-name system. Many AIDS groups who support coded systems believe that the CDC will use the federal grants to encourage name-based systems and that such systems discourage people from getting tested because of fears over discrimination. The proposed federal guidelines would still permit anonymous HIV testing at clinics that do not provide treatment and the CDC "strongly recommends" that states that do not allow anonymous testing change their policies. The CDC is also recommending additional security and confidentiality practices. The CDC requires that information sent to the CDC is encrypted during transfer, kept in physically secure locations, that the information is limited and only used for HIV surveillance, that identifying information is not used for other purposes, that states audit usage and investigate breaches of confidentiality and punish violations. CDC is also working with other groups to develop a model state law on confidentiality. Comments on the proposed guidelines must be submitted by January 11, 1999. Comments can be submitted electronically to hivmail@cdc.gov More information on the guidelines can be found at: http://www.cdc.gov/nchstp/hiv_aids/pubs/rrfrfin.htm ======================================================================= [6] Australia Announces Privacy Law for Businesses ======================================================================= The Australian government announced on December 16 that it is planning to introduce new legislation to protect the privacy of individuals' information held by companies. The Attorney-General, Daryl Williams, and the Minister for Communications, Information Technology and the Arts, Senator Richard Alston, announced that the law will be based on creating enforceable industry codes. The new legislation will be based on eight privacy principles developed by the Privacy Commissioner and roughly modeled after the 1980 OECD Privacy Guidelines. The principles are Collection, Use and Disclosure, Data Quality, Data Security, Openness, Access and Correction, Identifiers, Anonymity, Transborder Data Flows, and Sensitive Information. Industry will then create codes that will be legally enforceable. Exceptions for employee records and journalists will be included. The announcement marks another turnabout for the Australian government on privacy policy. In 1996, following the party's campaign promise, the Attorney General recommended adopting privacy laws for the private sector but was overruled by the Prime Minister after heavy lobbying by the banking industry. Since then, consumer and privacy advocates have been effective in keeping the issue alive and have been successful in advancing state-level laws on privacy. Groups such as the Australian Chamber of Commerce and Industry and the Smart Card Forum expressed support for national legislation because of concerns about the European Union's privacy directive limiting flows of data and the recent announcement by the State of Victoria that if the federal government did not adopt a law covering the private sector, it would enact one itself. Australia joins a growing number of non-EU countries that have moved recently to develop comprehensive privacy legislation. The Privacy Principles are available at: http://www.privacy.gov.au/news/p6_4_1.html More information on Australian privacy is available at: http://www.anu.edu.au/people/Roger.Clarke/DV/OzCurrent.html ======================================================================= [7] EPIC Bookstore ======================================================================= Browse the cyber shelves of good books on privacy, free speech, and civil liberties at the Internet's only bookstore devoted to online freedom. Shipping, discounts, and gift wrapping provided. And there's still time to purchase a gift for that special someone (or yourself!) in time for Christmas. Here are some last minute gift ideas from EPIC: ** Books ** Private Matters: In Defense of the Personal Life by Janna Malamud Smith (Perseus Press, 1997) "... both a personal rumination and a gorgeously written anecdotal cultural history of the emergence and the fragile sanctity of the modern creative self, and of the development of the right to close the door, pull the shade and shut out the gaze of the community." (The New York Times Book Review, Richard A. Shweder) Speech Stories: How Free Can Speech Be? by Randall P. Bezanson (New York University Press, 232 pages 1998) This book brings to life seven of the most significant free speech cases of the past twenty-five years. In each case, the Supreme Court was asked to consider the appropriate scope of the First Amendment. But the story behind the story is the story here. And before the footnotes and headnotes appeared in legal opinions, there were slogans on jackets, flags on fire, and names missing from pamphlets. ** Videos ** Brazil (DVD VHS) A wildly imaginative Orwellian comedy about a future society in which a central bureaucracy regulates everything via endless airducts, tubes and plumbing. A typographical error plunges an average man into a Kafkaesque nightmare of bureaucracy and brainwashing. DeNiro plays a heroic non-union plumber unplugging the stopped-up pipes. Academy Award Nominations: Best (Original) Screenplay, Best Art Direction-Set Decoration. (Amazon review) (United Artists, 1985) R Gattaca (DVD) In the 21st century, genetic engineering makes possible the creation of biologically superior human specimens ("valids"), who then grow to positions of power and prestige. Would-be astronaut Vincent, born the old-fashioned way, can only hope for a janitorial position at the elite Gattaca Corporation--until he buys the blood, urine, and identity of a perfect but paralyzed athlete. But a murder in the company's ranks attracts the attention of a detective who threatens to sniff Vincent out. A slick futuristic thriller. Academy Award Nominations--Best Art Direction. Stars Ethan Hawke, Uma Thurman. (Columbia/Tristar Studios, 1997) PG These and other titles are available for purchase online at the EPIC Bookstore: http://www.epic.org/bookstore/ ======================================================================= [8] Upcoming Conferences and Events ======================================================================= 1999 RSA Data Security Conference. January 18-21, 1999. San Jose, CA. Sponsored by RSA. Contact: http://www.rsa.com/conf99/ FC '99 Third Annual Conference on Financial Cryptography. February 22-25, 1999. Anguilla, B.W.I. Contact: http://fc99.ai/ Electronic Commerce and Privacy Legislation -- Building Trust and Confidence. February 23, 1999. Ottawa, Canada. Sponsored by Riley Information Services. http://www.rileyis.com/seminars/Feb99/ Communitarian Summit. February 27-28, 1999. Arlington, Virginia. Contact: http://www.gwu.edu/~ccps 1999 ASAP Western Regional Training Conference. February 28 - March 3, 1999. Portland, Oregon. Contact: http://www.podi.com/asap/ "CYBERSPACE 1999: Crime, Criminal Justice and the Internet". 29 & 30 March 1999. York, UK. Sponsored by the British and Irish Legal Education Technology Association (BILETA). http://www.bileta.ac.uk/ Computers, Freedom and Privacy (CFP) '99. April 6-8, 1999. Washington, DC. Sponsored by ACM. Call for proposals available. Contact: http://www.cfp99.org/ 1999 EPIC Cryptography and Privacy Conference. June 7, 1999. Washington, DC. Sponsored by EPIC. Contact: info@epic.org Cryptography & International Protection of Human Rights (CIPHR'99). 9-13 August 1999. Lake Balaton, Hungary. Contact: http://www.cryptorights.org/ ======================================================================= Subscription Information ======================================================================= The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe or unsubscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe". A Web-based form is available at: http://www.epic.org/alert/subscribe.html Back issues are available at: http://www.epic.org/alert/ ======================================================================= About EPIC ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ---------------------- END EPIC Alert 5.20 ----------------------- .
Return to: