=======================================================================
                             EPIC Alert
=======================================================================
Volume 7.02                                            February 3, 2000
-----------------------------------------------------------------------
Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org

=======================================================================
Table of Contents
=======================================================================

[1] EPIC Calls for Withdrawal of FIDNET at Senate Hearing
[2] DoubleClick Faces Lawsuit Over Change in Privacy Practices
[3] Privacy Groups Challenge Proposed FBI Wiretap Standards
[4] New Crypto Export Regulations: Still Not De-Control
[5] Industry Targets DVD Copying in Digital Copyright Suits
[6] Clinton Proposes Privacy Protections in State of Union Address
[7] EPIC Bookstore -- Critical Infrastructure Report
[8] Upcoming Conferences and Events

=======================================================================
[1] EPIC Calls for Withdrawal of FIDNET at Senate Hearing
=======================================================================

This week the Senate Judiciary Committee reviewed the Administration's computer security plan. Civil liberties organizations have criticized the National Plan for Information Systems Protection, saying it would dramatically expand government surveillance of the nation's communications networks. They have singled out the Federal Intrusion Detection Network -- FIDNET -- as raising far-reaching threats to American citizens.
Testifying before the committee, Marc Rotenberg, Executive Director of the Electronic Privacy Information Center (EPIC), called the FIDNET proposal contrary to "the spirit of the federal wiretap statute, the plain language of the federal Privacy Act, and the history of the Fourth Amendment." He said that "the FIDNET proposal, as currently conceived, must simply be withdrawn."

EPIC also released a government memo at the hearing, obtained under the Freedom of Information Act, which indicates that the U.S. Department of Justice is aware that the FIDNET proposal may violate U.S. law. Other records obtained by EPIC show that the government will use credit card records and telephone toll records as part of its intrusion detection system. John Tritak, Director of the Critical Infrastructure Assurance Office, was unable to answer questions put to him by the committee members regarding what type of personal information would be collected by FIDNET.

Rotenberg charged that backers of the security plan were "trying to apply twentieth century notions of national defense to twenty-first century problems of communications security."

Last year, EPIC warned that a similar "critical infrastructure protection" proposal posed risks to the civil liberties of Americans. The revised security plan discusses privacy issues in a number of places, but civil liberties organizations contend that the plan is long on rhetoric and short on safeguards. "The plan lacks the legal protections and independent oversight that would be necessary to prevent abuse," said Rotenberg.

Also testifying at the hearing was Frank Cilluffo, Senior Policy Analyst, Center for Strategic and International Studies. The Senate Subcommittee is chaired by Senator John Kyl (R-AZ). Senator Kyl said that future hearings will be held on the proposal and that government witnesses will be called to answer specific legal and technical questions about the design and operation of FIDNET.
EPIC Testimony on "CyberAttack: The National Protection Plan and its Privacy Implications":

     http://www.epic.org/security/cip/EPIC_testimony_0200.pdf [PDF]

EPIC Critical Infrastructure Protection Resources Page:

     http://www.epic.org/security/cip/

Memo from Ronald D. Lee, Associate Deputy Attorney General, Department of Justice to Jeffrey Hunker, Director, Critical Infrastructure Assurance Office regarding the National Information Systems Protection Plan, March 8, 1999 (obtained by EPIC under the Freedom of Information Act):

     http://www.epic.org/security/cip/lee_memo.html

Memo from Jeffrey Hunker, CIAO to CICG Members regarding "Offsite Materials" (obtained by EPIC under the Freedom of Information Act):

     http://www.epic.org/security/cip/hunker_memo.html

White House "National Plan for Information Systems Protection" (January 7, 2000):

     http://www.ciao.ncr.gov/National_Plan/national%20plan%20final.pdf

Executive Summary of "National Plan for Information Systems Protection" (January 7, 2000):

     http://www.whitehouse.gov/WH/EOP/NSC/html/documents/npisp-execsummary-000105.pdf

=======================================================================
[2] DoubleClick Faces Lawsuit Over Privacy Practices
=======================================================================

DoubleClick, one of the largest advertisers on the World Wide Web, has taken a dramatic new approach in learning about Internet users -- finding out their names and addresses. The move by the company toward personally identifying all the information it collects previously drew fire from privacy advocates and now draws it from private citizens.

The change in DoubleClick's strategy was not unexpected by privacy advocates who have been following the company's recent acquisitions. In late November, DoubleClick completed a merger with market research firm Abacus Direct. From the dramatic increase in information, DoubleClick hopes to find out more about all Internet users in order to provide targeted one-to-one advertising.
Prior to the merger, DoubleClick had been learning about Internet users through the use of cookie technology -- an Internet protocol that allows for unique identification and tracking. While DoubleClick had been collecting personal information before, correlating the information it has already accumulated from Internet users with the data in the Abacus database requires access to personally identifying information such as a name. For that reason, DoubleClick formed the Abacus Alliance -- an unnamed group of Internet websites that will pass on personal information to the advertiser.

On January 28, attorneys in California filed a lawsuit alleging that DoubleClick had unlawfully represented that it was only collecting non-personally identifying information. The attorneys for the plaintiff, Judnick, are asking for an injunction against DoubleClick that would prevent any further collection of personal information without written consent, an easy way for Internet users to destroy any personal information in DoubleClick's possession, and the destruction of all personal information collected without consent in the past.

For more information about DoubleClick and its recent merger with Abacus Direct, see:

     http://www.epic.org/doubletrouble/

=======================================================================
[3] Privacy Groups Challenge Proposed FBI Wiretap Standards
=======================================================================

On January 20, EPIC and other Internet privacy advocacy groups asked a federal appeals court to block new rules that would enable the FBI to dictate the design of the nation's communication infrastructure. The challenged rules would enable the Bureau to track the physical locations of cellular phone users and potentially monitor Internet traffic. In a brief filed with the U.S.
Court of Appeals for the District of Columbia Circuit, EPIC, the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) said that the rules -- contained in a Federal Communications Commission (FCC) decision issued last August -- could result in a significant increase in government interception of digital communications.

The court challenge involves the Communications Assistance for Law Enforcement Act (CALEA), a controversial law enacted by Congress in 1994, which requires the telecommunications industry to design its systems in compliance with FBI technical requirements to facilitate electronic surveillance. In negotiations over the last few years, the FBI and industry representatives were unable to agree upon those standards, resulting in the recent FCC ruling. EPIC, ACLU and EFF participated as parties in the FCC proceeding and argued that the privacy rights of Americans must be protected.

The groups' court filing asserts that the FCC ruling exceeds the requirements of CALEA and frustrates the privacy interests protected by federal statutes and the Fourth Amendment. Among other things, the Commission order would require telecommunications providers to determine the physical locations of cellular phone users and deliver "packet-mode communications" -- such as those that carry Internet traffic -- to law enforcement agencies.

The privacy groups are being represented on a pro bono basis by Kurt Wimmer and Gerard J. Waldron, attorneys at the Washington law firm of Covington & Burling, and Carlos Perez-Albuerne, an attorney at the Boston law firm of Choate, Hall & Stewart. Oral argument in the court challenge to the CALEA standards is scheduled for May 17, 2000.

In a related development, the Internet Engineering Task Force (IETF) has published a draft document explaining its decision not to consider requirements for wiretapping as part of the process for creating and maintaining IETF standards.
Among other things, the draft notes that "[a]dding a requirement for wiretapping will make the designs considerably more complex, thereby jeopardizing the security of communications."

Background materials on CALEA, including the brief filed by EPIC, ACLU and EFF, are available at EPIC's website:

     http://www.epic.org/privacy/wiretap/

The draft IETF document on wiretapping standards is available at:

     http://www.ietf.org/internet-drafts/draft-ietf-iab-raven-00.txt

=======================================================================
[4] New Crypto Export Regulations: Still Not De-Control
=======================================================================

The U.S. Commerce Department released its revised encryption export regulations on January 12. While the new rules will allow for the export of a wide variety of "retail" encryption products, they fall short of the Clinton Administration's promise to deregulate the privacy-enhancing technology.

Following the release of the new regulations, EPIC joined the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) in announcing that the groups will continue to press pending constitutional litigation challenging encryption controls. While recognizing that the Administration has taken a positive and long-overdue step with its latest revisions, the cyber-liberties groups believe that the fundamental constitutional defects of the encryption export regime have not been remedied. Specifically:

- The new regulations, like the old ones, impose special requirements on Internet speech, contrary to the Supreme Court's 1997 ruling in Reno v. ACLU. The regulations require that the government be notified of any electronic "export" of publicly available encryption source code, and prohibit electronic "export" to certain countries. Yet people may freely send the same information anywhere on paper.

- The export regulations are still a completely discretionary licensing scheme.
They continue to require licenses for a large amount of communication protected by the First Amendment, including transmitting source code that is not "publicly available," source code that is "restricted," source code forming an "open cryptographic interface," and various forms of object code.

- While the new regulations appear to permit free posting of encryption source code to Internet discussion lists, such posting may be illegal if the poster has "reason to know" that it will be read by a person in one of the seven regulated countries (such as Cuba).

- The new regulations still ban providing information on how to create or use some encryption technology as prohibited "technical assistance." Software publishers can be fined or imprisoned for helping people to use their code. These same limitations do not apply to non-encryption source code.

In a highly-publicized court case, mathematician Daniel Bernstein has challenged the export control laws on First Amendment grounds. Professor Bernstein claims that his right to publish his own encryption software and share his research results with others over the Internet is being unconstitutionally restricted by the government's controls. Bernstein won his case at the trial level, and last year won an appeal in the Ninth Circuit Court of Appeals. Prior to the release of the new regulations, the court had granted the government's request that the appeal be reconsidered by a larger "en banc" panel of eleven judges, but recently sent the case back to the three-judge panel that originally heard it for further consideration in light of the new regulations.

A similar case challenging the constitutionality of the export rules was brought by the ACLU of Ohio on behalf of Ohio law professor Peter Junger, who wished to publish an electronic version of an encryption program he wrote. The case is pending in the Sixth Circuit Federal Court of Appeals.
EPIC has participated as a "friend-of-the-court" in both the Bernstein and Junger cases.

The text of the revised encryption regulations is available at:

     http://www.epic.org/crypto/export_controls/regs_1_00.html

=======================================================================
[5] Industry Targets DVD Copying in Digital Copyright Suits
=======================================================================

The movie industry has filed lawsuits in California, New York, and Connecticut to prevent Internet sites from distributing information about the DVD Content Scrambling System. A federal judge in a district court in New York granted a preliminary injunction January 20 against three defendants who provided the decoding software on their Web sites. A judge in a California state court granted a preliminary injunction the following day against 21 defendants. The contested program, DeCSS, created by a Norwegian programmer, allows users to decode the encryption used on DVDs.

The California case was filed by the DVD Copy Control Association, an industry trade group, after Christmas against 72 Web sites and individuals who had either published information about DeCSS or provided a link to the information from their sites. The DVD-CCA claims that the defendants are violating its trade secrets by discussing the source code used to bypass the DVD encryption scheme through reverse engineering. The defendants, however, assert that the purpose of DeCSS is not to engage in illegal duplication of DVDs but rather to allow DVDs to play on computers using the Linux operating system.
The Global Internet Liberty Campaign, a coalition of more than 50 civil liberties groups worldwide, issued a statement claiming that the DVD-CCA's assault could have a severe impact on free expression: "We believe that intellectual property owners should not be allowed to expand their property rights at the expense of free speech -- particularly when the speech in question explains how companies have prevented the dissemination of new scientific ideas."

The New York case and a companion case in a Connecticut federal court were filed on Jan. 15 and center upon the Digital Millennium Copyright Act, a 1998 law that prohibits the distribution of products that can circumvent copy protection schemes. The Motion Picture Association of America, as well as six other movie studios, are plaintiffs. Critics assert that the decoding of encryption schemes is crucial to researching, developing, and testing information processing systems. The Electronic Frontier Foundation is providing legal counsel to defendants both in California and New York.

The Global Internet Liberty Campaign statement is available at:

     http://www.gilc.org/speech/DVD-CSS.html

Testimony of EPIC Executive Director Marc Rotenberg on the Digital Millennium Copyright Act (June 5, 1998) is available at:

     http://www.epic.org/privacy/copyright/epic-wipo-testimony-698.html

The Electronic Frontier Foundation maintains an archive of court material relating to the DVD-CCA case at:

     http://www.eff.org/ip/Video/DVDCCA_case/

EFF also maintains an archive of court material relating to the MPAA DVD cases at:

     http://www.eff.org/ip/Video/MPAA_DVD_cases/

=======================================================================
[6] Clinton Proposes Privacy Protections in State of Union Address
=======================================================================

In President Clinton's State of the Union speech on January 27, he brought attention to the growing need to protect personal information in the next century.
After referring to the recent growth of information technology, he reminded his audience that technology has to be carefully directed in order to assure that its reach does not compromise societal values. Additionally, he said, "First and foremost, we have to safeguard our citizens' privacy." Specifically, he mentioned the ongoing rule-making process over medical privacy regulations, the need for stronger protections over financial records, and more work on preventing genetic discrimination by insurers and employers.

The full text of the President's speech is available at:

     http://www.whitehouse.gov/WH/SOTU00/sotu-text.html

=======================================================================
[7] EPIC Bookstore -- Critical Infrastructure Report
=======================================================================

Critical Infrastructure Protection and the Endangerment of Civil Liberties: An Assessment of the President's Commission on Critical Infrastructure Protection (PCCIP) by Wayne Madsen.

     http://www.amazon.com/exec/obidos/ISBN=1893044017/electronicprivacA

Excerpt from the Executive Summary:

On July 15, 1997, President Clinton signed Executive Order 13010, which established the President's Commission on Critical Infrastructure Protection (PCCIP). The Executive Order listed eight sectors that the PCCIP was to examine for security vulnerabilities. They are: telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services, and continuity of government. President Clinton appointed retired Air Force General Robert T. Marsh to chair the PCCIP. Although the commission, its Steering Committee, and its Advisory Committee were composed of members of government and industry, the membership of the three bodies consisted of a majority of military and intelligence representatives.
PCCIP's report, issued in October 1997, contained many recommendations that have the potential to curtail a number of important civil liberties, including freedom of speech and freedom of information. Although the report concluded there was no evidence of an "impending cyber attack which could have a debilitating effect on the nation's critical infrastructure," it did recommend a new bureaucratic security establishment with expansive authority. If not properly monitored and controlled, these new national security structures and intelligence-sharing networks, in addition to those that already exist, may, instead of protecting the national infrastructure, be used by the government and private corporations to further erode the privacy of U.S. and foreign citizens.

----------

Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore:

     http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Privacy, Security & Confidentiality of Medical Records 2000: Complying With New HIPAA Regulations. NonProfit Management. One Day Seminars. Various Locations and Times. For more information: http://www.nonprofitmgt.com/privacy

Federal Trade Commission Advisory Committee on Online Privacy and Security. Series of Meetings. Federal Trade Commission Headquarters. Washington, D.C. For more information: http://www.ftc.gov/acoas/

Cyberspace and Privacy: A New Legal Paradigm? February 7, 2000. Stanford Law School. Stanford, CA. For more information: http://lawreview.stanford.edu or http://stlr.stanford.edu

Santa Clara University Computer and High Technology Journal Symposium on Internet Privacy. February 11-12, 2000. For more information: http://www.scu.edu/techlaw/symposium

Government Technology Conference 2000. February 14-18, 2000.
Austin Convention Center. Austin, TX. For more information: http://www.govtech.net

E-Commerce and Privacy: Implementing the New Law. Riley Information Services. February 21, 2000. Westin Hotel, Ottawa. For more information: http://www.rileyis.com/seminars/

Financial Cryptography '00. International Financial Cryptography Association. February 21-24, 2000. InterIsland Hotel. Anguilla, British West Indies. For more information: http://fc00.ai/

The New Wave of Privacy Protection in Canada. BC Freedom of Information and Privacy Association and Riley Information Services. March 9-10, 2000. Hotel Vancouver. Vancouver, British Columbia. For more information: http://www.rileyis.com

HIPAA Security and Privacy Requirements: A How To Blueprint for Compliance. MIS Training Institute. Two-day Seminars. Various Locations and Times. For more information: http://www.misti.com

Entrust SecureSummit 2000. May 1-4, 2000. Hyatt Regency Dallas at Reunion. Dallas, Texas. For more information: http://www.securesummit.com

Shaping the Network: The Future of the Public Sphere in Cyberspace. Computer Professionals for Social Responsibility (CPSR). Call for Papers -- Abstracts Due February 15. May 20-23, 2000. Seattle, Washington. For more information: http://www.scn.org/cpsr/diac-00

Telecommunications: The Bridge to Globalization in the Information Society. Biennial Conference of the International Telecommunications Society. July 2-5, 2000. For more information: http://www.its2000.org.ar

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".
Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, visit http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 7.02 -----------------------