==============================================================

EPIC Alert

==============================================================
Volume 7.01                                   January 12, 2000
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org

=======================================================================
Table of Contents
=======================================================================

[1] Supreme Court Upholds Drivers' Privacy Law
[2] White House Releases "Cyber-Terrorism" Plan
[3] EPIC Comments on Use of the Internet for Campaign Activity
[4] EPIC Releases Survey of Online Privacy Policies
[5] Update on Safe Harbor Negotiations
[6] EPIC Job Announcements
[7] EPIC Bookstore -- Database Nation
[8] Upcoming Conferences and Events

***********************************************************************

THIS JUST IN: As the Alert "goes to press," the U.S. Commerce Department has released the final revision of its encryption export control regulations. The new rules maintain a complex and burdensome licensing scheme and retain substantial restrictions on the ability to exchange information concerning encryption. The next issue of the Alert will contain additional information on the export control revisions.

***********************************************************************

=======================================================================
[1] Supreme Court Upholds Drivers' Privacy Law
=======================================================================

In an opinion released today, the Supreme Court has unanimously held that Congress did not exceed its constitutional authority when it enacted legislation establishing privacy safeguards for motor vehicle records held by state agencies.
Several states challenged the Drivers Privacy Protection Act, arguing that Congress had violated the Tenth Amendment. Central to the Court's decision in Condon v. Reno was the fact that information obtained by state motor vehicle agencies is now routinely sold in interstate commerce. The Court, in an opinion by Chief Justice Rehnquist, said that "the motor vehicle information which the States have historically sold is used by insurers, manufacturers, direct marketers, and others engaged in interstate commerce to contact drivers with customized solicitations. The information is also used in the stream of interstate commerce by various public and private entities for matters related to interstate motoring. Because drivers' information is, in this context, an article of commerce, its sale or release into the interstate stream of business is sufficient to support congressional regulation."

The Supreme Court rejected the argument made by South Carolina that the Drivers Privacy Protection Act violated the Tenth Amendment, holding that "the DPPA does not require the States in their sovereign capacity to regulate their own citizens. The DPPA regulates the States as the owners of databases."

EPIC filed an amicus brief in the case arguing in support of the Drivers Privacy Protection Act. EPIC said in its brief:

     The Drivers Privacy Protection Act safeguards the personal information of licensed drivers from improper use or disclosure. It is a valid exercise of federal authority in that it seeks to protect a fundamental privacy interest. It restricts the activities of states only to the extent that it concerns the subsequent use or disclosure of the information in a manner unrelated to the original purpose for which the personal information was collected. The states should not impermissibly burden the right to travel by first compelling the collection of sensitive personal information and then subsequently disclosing the same information for unrelated purposes.

The decision is remarkable, particularly in light of recent cases where the Supreme Court has typically deferred to state Tenth Amendment claims and struck down federal statutes or claims brought in federal court.

The decision in Condon v. Reno (US 2000) is available at:

     http://supct.law.cornell.edu/supct/html/98-1464.ZO.html

EPIC's Amicus Brief in Condon v. Reno is available at:

     http://www.epic.org/privacy/drivers/epic_dppa_brief.pdf

=======================================================================
[2] White House Releases "Cyber-Terrorism" Plan
=======================================================================

The White House on January 7 released a national plan to protect America's computer systems from unauthorized intrusions. Included in the proposal is the establishment of the controversial Federal Intrusion Detection Network (FIDNET) which would monitor activity on government computer systems. The plan also calls for the establishment of an "Institute for Information Infrastructure Protection" and a new program that will offer college scholarships to students in the field of computer security in exchange for public service commitments.

The initiative is an outgrowth of recommendations made in the October 1997 report of the President's Commission on Critical Infrastructure Protection (PCCIP) and in Presidential Decision Directive 63 (PDD 63) on Critical Infrastructure Protection issued in May 1998.

In its report "Critical Infrastructure Protection and the Endangerment of Civil Liberties," released in October 1998, EPIC noted that the PCCIP had proposed the development of a large-scale monitoring strategy for communications networks. Borrowing techniques that have been applied to hostile governments and foreign agents, the PCCIP brings the Cold War home with an open-ended proposal to conduct ongoing surveillance on the communications of American citizens.
EPIC noted in its report that "these proposals are more of a threat to our system of ordered liberty than any single attack on our infrastructure could ever be." Last year, EPIC filed a series of Freedom of Information Act requests seeking the details of these initiatives.

President Clinton acknowledged the privacy concerns when he announced the new initiative. "It is essential that we do not undermine liberty in the name of liberty. I will continue to work equally hard to uphold the privacy rights of the American people as well as the proprietary rights of American businesses," he said.

The text of the "National Plan for Information Systems Protection" and other relevant material -- including EPIC's report "Critical Infrastructure Protection and the Endangerment of Civil Liberties" -- is available at:

     http://www.epic.org/security/CIP/

=======================================================================
[3] EPIC Comments on Use of the Internet for Campaign Activity
=======================================================================

EPIC submitted comments to the Federal Election Commission on January 4 in response to the FEC's Notice of Inquiry about the use of the Internet for campaign activity. The FEC is conducting a review to determine whether to amend the Federal Election Campaign Act to regulate the creation of Web pages supporting particular candidates. The Commission seeks to evaluate whether websites created by individuals constitute contributions or expenditures and whether hyperlinks to candidate websites should be regarded as in-kind contributions.

EPIC urged the Commission to refrain from regulating political speech online and to sustain the Internet's capacity as a vehicle for democracy and debate. The paper noted that -- unlike print, radio, and television -- the Internet is a unique medium of communication with a capacity to transfer messages to vast audiences at little or no cost.
Moreover, determining the costs associated with the utility or maintenance of web sites is difficult, if not impossible, particularly when individuals use their computers to post information about diverse topics.

EPIC also warned the Commission that requiring individuals who create Web sites that strongly advocate the election or defeat of a candidate to identify themselves in disclaimer statements would impede speech and violate the constitutional protection of anonymity. The paper asserted that the Commission should welcome political speech on the Web and recognize the Internet's potential to expand democratic debate and deliberation.

EPIC explained: "Regulating speech on the Internet could deter the individual and grassroots efforts that would possibly gain visibility only on the Web. Just as individuals can hang banners on their front yards or post bumper stickers on their car, they should be able to express their viewpoints on the Web free of reporting obligations or abstract cost assessments."

The comments EPIC submitted to the FEC are available at:

     http://www.epic.org/free_speech/FEC_submission_1_4_2000.html

=======================================================================
[4] EPIC Releases Survey of Online Privacy Policies
=======================================================================

In an effort to educate the online shopper during the past holiday season, EPIC released its survey of the privacy policies of the top 100 e-commerce sites -- "Surfer Beware III: Privacy Policies Without Privacy Protection" -- on December 17.

"Surfer Beware III" found that few of the high-traffic websites offered adequate privacy protection. In fact, not a single one of them fulfilled important elements of Fair Information Practices investigated in the survey. Fair Information Practices serve as basic guidelines for safeguarding personal information.
Also alarming was the significant proportion (35 out of 100) of shopping sites that allowed profile-based advertising networks to operate. These advertising networks are a stealthy and invasive means by which third parties -- companies that display banner advertisements -- track online behavior without the knowledge of the Internet user.

EPIC Executive Director Marc Rotenberg concluded that, "On balance, we think that consumers are more at risk today than they were in 1997, when we first examined privacy practices on the web. The profiling is more extensive and the marketing techniques are more intrusive. Anonymity, which remains crucial to privacy on the Internet, is being squeezed out by the rise of electronic commerce." To improve privacy protection on the web, Rotenberg added that legally enforceable standards of protection and more techniques enabling anonymity are necessary.

"Surfer Beware III: Privacy Policies without Privacy Protection" is available at:

     http://www.epic.org/reports/surfer-beware3.html

=======================================================================
[5] Update on Safe Harbor Negotiations
=======================================================================

Safe Harbor negotiations between the U.S. Department of Commerce and the European Union continue although both sides remain outwardly optimistic about a long-awaited agreement. The latest in a long line of estimated deadlines is this upcoming March.

The Safe Harbor proposal, a U.S.-sponsored set of principles that U.S. companies would abide by to protect personal data of EU citizens, has been the subject of debate for almost two years. As EU citizens have strong legal protections over their personal information via the 1995 EU Data Protection Directive, European authorities are attempting to seek guarantees that those protections will continue when the data is in the hands of U.S. companies.
As the United States has no comprehensive laws protecting personal information in the hands of the private sector, much of the debate has centered on how the Safe Harbor Principles would be enforced.

The lack of enforcement and the overall weakness of the last draft of the Safe Harbor Principles released on November 15 have been pointed out in comments submitted by the TransAtlantic Consumer Dialogue (TACD) -- a coalition of EU and US consumer groups -- and by the Article 29 Working Group -- an expert panel of Privacy Commissioners established to oversee the implementation of the EU Data Protection Directive.

Despite opposition from the aforementioned groups and others, on December 13, the semi-annual EU-US summit was expected to unveil an agreement between the negotiating parties. Shortly before the summit, it was announced that no such agreement had yet been reached.

Related to the ongoing debates, on January 11, the European Commission announced that it would take France, Luxembourg, the Netherlands, Germany, and Ireland to court for failing to implement the EU Data Protection Directive in national law. The EU Data Protection Directive has come under fire for failing to gain statutory support in some of its member countries. However, this recent action demonstrates that European authorities continue to take implementation of the Directive seriously.

TACD Comments on the Latest Draft of the Safe Harbor Principles (see also EPIC Alert 6.20):

     http://www.epic.org/privacy/intl/tacd_sh_1299.html

Article 29 Working Group Opinion on the Safe Harbor Principles:

     http://www.epic.org/privacy/intl/art29wp_report_1299.pdf

=======================================================================
[6] EPIC Job Announcements
=======================================================================

EPIC will be filling two new job openings in the upcoming months.
The Internet Activist position requires someone with an interest in civil liberties issues and a strong technical background to maintain internal equipment and work on web projects. The Policy Analyst opening seeks a person with the same civil liberties focus who would work on research and writing projects and monitor legislation.

Applications are due on March 1, 2000. Please send resumes and cover letters to jobs@epic.org.

The complete job announcements can be found at:

     http://www.epic.org/epic/jobs_1_00.html

=======================================================================
[7] EPIC Bookstore -- Database Nation
=======================================================================

EPIC is pleased to announce the publication of "Database Nation: The Death of Privacy in the 21st Century" by noted author Simson Garfinkel.

Fifty years ago George Orwell imagined a future in which privacy was vanquished by a totalitarian state that used spies and video surveillance to maintain control. In 2000 we find that the threats to our privacy are not coming from a monolithic "Big Brother", but -- even harder to grapple with -- hundreds of sources, not seeking to control us, merely to market to us, track us, count us, or streamline paperwork. The result, though, is still as chilling as "1984".

"Database Nation" explores the many threats to privacy in the Twenty First century and warns its readers, as Orwell's 1984 did before, that the cost of inaction will be the loss of freedom. It has already received widespread critical acclaim:

"This is a chilling compendium of the myriad methods government and industry have devised to catalog and profile the preferences of American citizens. It is an essential handbook in the fight against the insidious erosion of a right so dear that freedom itself depends on it."

     The Hon. Edward J. Markey
     U.S. House of Representatives

"Database Nation by Simson Garfinkel is a graphic and blistering indictment of the burgeoning technologies used by business, government, and others to invade the self - yourselves - and restrict both your freedom to participate in power and your freedom from abuses of power. The right of privacy is a constitutionally protected right, and its erosion or destruction undermines democratic society as it generates, in one circumstance after another, a new kind of serfdom. This book is one that you're entitled to take very personally."

     Ralph Nader, Consumer Advocate

"Simson has captured the depth and breadth of our ever-increasing privacy problems, demonstrating their insidious nature and the extreme difficulties that they present for all of us. This book is hugely important. It should be read by everyone. Wonderfully readable. Five stars."

     Peter G. Neumann
     Principal Scientist, SRI-CRL
     Author, Inside Risks

Database Nation is now available for sale at the EPIC Bookstore.

Garfinkel, "Database Nation: The Death of Privacy in the 21st Century":

     http://www.amazon.com/exec/obidos/ISBN=1565926536/electronicprivacA

Database Nation website:

     http://www.databasenation.com

EPIC Bookstore:

     http://www.epic.org/bookstore

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

RSA 2000. The ninth annual RSA Data Security Conference and Expo. January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA. For more information: http://www.rsa.com/rsa2000/

Privacy, Security & Confidentiality of Medical Records 2000: Complying With New HIPAA Regulations. NonProfit Management. One Day Seminars. Various Locations and Times. For more information: http://www.nonprofitmgt.com/privacy

Cyberspace and Privacy: A New Legal Paradigm? February 7, 2000. Stanford Law School. Stanford, CA.
For more information: http://lawreview.stanford.edu or http://stlr.stanford.edu

Santa Clara University Computer and High Technology Journal Symposium on Internet Privacy. February 11-12, 2000. For more information: http://www.scu.edu/techlaw/symposium

E-Commerce and Privacy: Implementing the New Law. Riley Information Services. February 21, 2000. Westin Hotel, Ottawa. For more information: http://www.rileyis.com/seminars/

Financial Cryptography '00. International Financial Cryptography Association. February 21-24, 2000. InterIsland Hotel. Anguilla, British West Indies. For more information: http://fc00.ai/

The New Wave of Privacy Protection in Canada. BC Freedom of Information and Privacy Association and Riley Information Services. March 9-10, 2000. Hotel Vancouver. Vancouver, British Columbia. For more information: http://www.rileyis.com

Entrust SecureSummit 2000. May 1-4, 2000. Hyatt Regency Dallas at Reunion. Dallas, Texas. For more information: http://www.securesummit.com

Shaping the Network: The Future of the Public Sphere in Cyberspace. Computer Professionals for Social Responsibility (CPSR). Call for Papers -- Abstracts Due February 15. May 20-23, 2000. Seattle, Washington. For more information: http://www.scn.org/cpsr/diac-00

Telecommunications: The Bridge to Globalization in the Information Society. Biennial Conference of the International Telecommunications Society. July 2-5, 2000. For more information: http://www.its2000.org.ar

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 7.01 -----------------------