==============================================================

                          EPIC ALERT

==============================================================
Volume 7.05                                     March 22, 2000
--------------------------------------------------------------

                       Published by the
         Electronic Privacy Information Center (EPIC)
                       Washington, D.C.

                     http://www.epic.org

=======================================================================
Table of Contents
=======================================================================

[1] Revised Safe Harbor Proposal Released
[2] New Survey Shows Strong Support for Privacy Laws
[3] Echelon Surveillance Controversy Heats Up in Europe
[4] Cyber Patrol Hackers Face Legal Proceedings
[5] Problems with Online Advertising Persist
[6] EPIC Submits Comments on Legal Barriers to E-Commerce
[7] EPIC Bookstore -- EPIC Publications
[8] Upcoming Conferences and Events

=======================================================================
[1] Revised Safe Harbor Proposal Released
=======================================================================

On March 17, the International Trade Administration of the U.S.
Department of Commerce publicly released the current version of the
Safe Harbor proposal. The Safe Harbor negotiations between American
and European authorities have dragged on for more than two years, and
this most recent version of the principles represents some progress.
EU citizens are currently legally protected by the EU Data Protection
Directive which prevents information from being sent to jurisdictions
that do not offer similarly adequate protections. Safe Harbor is a
voluntary arrangement coordinated by the Dept. of Commerce for the
purpose of satisfying the adequacy requirement of the EU Directive.

The new proposal sets out obligations that American companies would
have to provide to European data subjects including: notice, choice
(opt-in for sensitive information, opt-out otherwise), onward
transfer, security, data integrity, access and enforcement. Companies
choosing to join Safe Harbor can do so in several ways including
joining self-regulatory programs that adhere to these guidelines. In
all the various options, the Federal Trade Commission (FTC) would have
ultimate enforcement authority over any company's compliance with the
principles.

While U.S. negotiators prematurely announced that an agreement had
been reached, significant issues still remain. Enforcement remains a
key issue in the arrangement. Both self-regulatory programs and the
FTC do not have a good record in following up on privacy complaints in
their jurisdictions. Further, many of the provisions in the Safe
Harbor proposal, such as the access provision, provide fewer rights to
European citizens than would otherwise be available under the Data
Directive. In addition, the Safe Harbor principles would offer little
direct support for greater privacy protections for U.S. consumers
despite growing public support (see item [2]).

At the end of this month, the Article 31 Committee, charged with
overseeing the implementation of the EU Directive, will meet and vote
on whether or not to accept the proposal. After the expected approval,
the EU Commission could review the arrangement as early as this May.

On the U.S. side, the proposal is subject to public comment until
March 28, 2000. The Commerce Department requests that all comments be
submitted electronically in an HTML format to the following email
address: Ecommerce@ita.doc.gov. If your organization does not have the
technical ability to provide comments in an HTML format, please
forward them in the body of the email, or in a Word or WordPerfect
format. If necessary, hard copies of comments can be mailed to the
Electronic Commerce Task Force, U.S.
Department of Commerce, Room 2009, 14th and Constitution Ave., NW,
Washington DC 20230, or faxed to 202-501-2548. Please direct any
questions to Becky Richards at Rebecca_Richards@ita.doc.gov or
202-482-5227.

EPIC recommends that commentators consider whether the current
self-regulatory approach provides an adequate level of privacy
protection.

The current set of Safe Harbor Principles is available at:

     http://www.ita.doc.gov/td/ecom/menu1.html

Information and news on the EU Data Protection Directive:

     http://europa.eu.int/comm/internal_market/en/media/dataprot/index.htm

=======================================================================
[2] New Survey Shows Strong Support for Privacy Laws
=======================================================================

A survey conducted by Harris Interactive demonstrates strong public
support for legal protections over personal information. Fifty-seven
percent of respondents said "the government should pass laws now for
how personal information can be collected and used on the Internet".
In comparison, only 15 percent expressed support for allowing industry
groups to develop voluntary privacy standards.

Other statistics produced by the survey shed light on growing concerns
about privacy. Forty-one percent of online consumers were very
concerned over the use of personal information by Internet companies.
The last time the same question was asked in 1998, only 31 percent of
respondents were similarly concerned.

The survey also addressed the recent online profiling business models.
When asked about whether they were comfortable with websites merging
browsing habits with real-life identities, fully 68 percent were "not
at all comfortable" and an additional 21 percent were "not very
comfortable."

The poll appeared in the March 20 issue of Business Week and is
available online at:

     http://www.businessweek.com/2000/00_12/b3673010.htm

=======================================================================
[3] Echelon Surveillance Controversy Heats Up in Europe
=======================================================================

Public concern over the Echelon surveillance system is growing in
Europe. Next week in Strasbourg, France, the European Commission
intends to issue a statement about Echelon, communications
surveillance, and allegations of U.S. industrial espionage, according
to Graham Watson, chairman of the European Parliament's Citizens'
Rights Committee. The Commission -- the official government body of
the European Union -- has previously denied knowledge of documents or
factual information concerning these issues.

During the same plenary session, the European Parliament will be asked
to establish a formal commission of inquiry into communications
surveillance. The motion to appoint a commission has been proposed by
the Parliament's Green grouping. Early this week, the group was
reporting that 130 of the required 160 signatures had already been
obtained in support of their proposal.

The Commission statement scheduled for next week will respond
specifically to the "Interception Capabilities 2000" report, which was
presented to the Citizens' Rights Committee on February 23 by British
journalist Duncan Campbell. Since then, the controversy has been
significantly enlarged by a series of publications and briefings from
James Woolsey, who served as Director of the Central Intelligence
Agency from 1993 to 1995.

In his most recent statement, an op-ed in the Wall Street Journal
published on March 17, Woolsey told Europeans to "get real" about U.S.
spying. Woolsey referred to examples cited by Campbell where
surveillance had taken place against two French companies and stated,
"That's right, my continental friends, we have spied on you because
you bribe".
Both companies involved, Thomson-CSF and Airbus Industrie, quickly
issued statements denying Woolsey's charges.

This spring, Campbell is working with EPIC in Washington, DC as Senior
Research Fellow and is currently preparing a new report on
communications surveillance issues. The new report, scheduled for
publication in early May, will focus on the activities of the National
Security Agency and the resulting civil liberties issues. The report
will provide a suggested roadmap for proposed Congressional hearings
into NSA activities.

The European Parliament report, "Interception Capabilities 2000" (in
PDF format) is available at:

     http://www.europarl.eu.int/dg4/stoa/en/publi/pdf/98-14-01-2en.pdf

Four other reports in the same series on the "Development of
surveillance technology and risk of abuse of economic information" are
available at:

     http://www.europarl.eu.int/dg4/stoa/en/publi/default.htm#up

=======================================================================
[4] Cyber Patrol Hackers Face Legal Proceedings
=======================================================================

A federal judge in Boston issued a temporary restraining order on
March 17, prohibiting further distribution on the Internet of a
program that discloses a list of the sites that the filtering program
Cyber Patrol blocks and reveals the password that parents use to
enable the filtering software.

U.S. District Judge Edward F. Harrington ordered the removal of the
"cphack" program, created by Matthew Skala of Canada and Eddy L. O.
Jansson of Sweden, and banned its use by anyone working with the two
cryptography experts. The ruling also bans further publication of the
bypass codes and binaries by any other sites that may have obtained
access to the information.

Mattel and a subsidiary, Microsystems Software Inc., which sells Cyber
Patrol, filed suit against Skala and Jansson on March 15. Microsystems
claims that the pair violated U.S.
copyright laws by reverse-engineering Cyber Patrol, which is
prohibited in its licensing agreements, and then distributing the
source code and binaries that enable users to bypass the software's
encryption scheme. Skala and Jansson published the "cphack" program
March 11 and provided a detailed description of their
reverse-engineering methodology.

The "cphack" program reveals a list of more than 100,000 sites that
Cyber Patrol deems unsuitable for children. Among the blocked sites
are all of the student organizations at Carnegie Mellon University and
all journalism-related Usenet groups, as well as information about
feminism, chess and food. Cyber Patrol claims to protect children from
sites containing violence, hate or pornography.

Another court hearing has been scheduled for March 27. No defense
lawyers were present at the March 17 hearing.

For more information about filtering software and its free speech
implications, visit the homepage of the Internet Free Expression
Alliance:

     http://www.ifea.net

=======================================================================
[5] Problems with Online Advertising Persist
=======================================================================

Online profiling has not gone away. While DoubleClick released a
statement on March 2 vowing not to join online profiles to real-life
identities, concerns about the company's tracking of Internet users
have not ended.

DoubleClick continues to use invisible images embedded in web pages,
also referred to as "web bugs," to track users. The advertising
company also continues to maintain two separate websites -- the
Internet Address Finder (www.iaf.net) and the Get Away From It All
Sweepstakes site (www.netdeals.com) -- both of which collect personal
information. In addition, South Carolina Attorney General Charles
Condon has joined attorneys general from both Michigan and New York
State in investigating DoubleClick's information collection and use
practices.

Other online advertising companies have had to scale back their plans
to personally identify online profiles as well. Online advertiser 24/7
has voluntarily refused to capitalize on its capability to join
personal information to online profiles.

As reported in the Wall Street Journal on March 20, several companies
with online operations have started to restrict information available
to their advertisers. Procter & Gamble, General Motors, and the Ford
Motor Company have all started to limit the information transmitted to
online advertisers DoubleClick, Real Media, and MatchLogic.

For more information about "web bugs" and online profiling, visit
Richard Smith's page on Internet Privacy:

     http://www.tiac.net/users/smiths/privacy/

For archived news reports and an analysis of the DoubleClick
controversy:

     http://www.epic.org/doubletrouble/

=======================================================================
[6] EPIC Submits Comments on Legal Barriers to E-Commerce
=======================================================================

On March 17, EPIC responded to the Department of Commerce's Request
for Public Comment on Legal Barriers to Electronic Commerce. In its
submission, EPIC said that legally enforceable privacy protections,
the free use and availability of cryptography and the formation of
international consumer protection standards would greatly promote
trust and confidence in electronic commerce and remove barriers to its
full development.

In its submission, EPIC argues that in developing national policies in
each of these three key areas, the U.S. Government should co-operate
with its international partners and be influenced by the sound
principles set out in the related Organization for Economic
Co-Operation and Development (OECD) Guidelines.

The text of EPIC's response to the Department of Commerce is available
online at:

     http://www.epic.org/privacy/internet/Barriers_to_E-commerce.html

The Request for Public Comment and submitted comments are available
at:

     http://osecnt13.osec.doc.gov/ecommerce/barriers.nsf

Copies of the OECD guidelines on privacy, cryptography, and consumer
protection in electronic commerce can be found at:

     http://www.oecd.org/dsti/sti/

=======================================================================
[7] EPIC Bookstore -- EPIC Publications
=======================================================================

EPIC Publications:

"The Privacy Law Sourcebook: United States Law, International Law, and
Recent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.

     http://www.epic.org/pls/

The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.

     ================================

"Filters and Freedom - Free Speech Perspectives on Internet Content
Controls," David Sobel, editor (EPIC 1999). Price: $20.

     http://www.epic.org/filters&freedom/

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.

     ================================

"Cryptography and Liberty: An International Survey of Cryptography
Policy," Wayne Madsen and David Banisar, editors, (EPIC 1999).
Price: $15.

     http://www.epic.org/cryptobook99/

An international survey of encryption policies around the world.
Survey results show that in the vast majority of countries,
cryptography may be freely used, manufactured, and sold without
restriction, with the U.S. being a notable exception.

     ================================

"Privacy and Human Rights 1999: An International Survey of Privacy
Laws and Developments," David Banisar, Simon Davies, editors,
(EPIC 1999). Price: $15.

     http://www.epic.org/privacy&humanrights99/

An international survey of the privacy and data protection laws found
in 50 countries around the globe. This report outlines the
constitutional and legal conditions of privacy protection, and
summarizes important issues and events relating to privacy and
surveillance.

     ================================

Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore:

     http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

***** Big Brother Awards Nominations *****
Awards to be presented at the Computers, Freedom, and Privacy 2000
Conference in Toronto, Canada. For more information and submission of
nominees: http://www.privacyinternational.org/bigbrother/

Is It Any of Your Business? Consumer Information, Privacy, and the
Financial Services Industry. Federal Deposit Insurance Corporation.
March 23, 2000. Seidman Center Auditorium. Arlington, VA. For more
information: http://www.fdic.gov/news/news/press/2000/pr0014.html

Privacy, Security & Confidentiality of Medical Records 2000: Complying
With New HIPAA Regulations. NonProfit Management. One Day Seminars.
Various Locations and Times. For more information:
http://www.nonprofitmgt.com/privacy

Chief Privacy Officer (CPO) Program 2000. Privacy & American Business.
For more information: http://www.pandab.org/

Federal Trade Commission Advisory Committee on Online Privacy and
Security. Series of Meetings. Federal Trade Commission Headquarters.
Washington, DC.
For more information: http://www.ftc.gov/acoas/

HIPAA Security and Privacy Requirements: A How To Blueprint for
Compliance. MIS Training Institute. Two-day Seminars. Various
Locations and Times. For more information: http://www.misti.com

Call for Papers -- Freedom of Expression in the Information Age.
Stanford Journal of International Law. Deadline April 15, 2000. For
more information: http://www.stanford.edu/group/SJIL/

Access Act Reform: The Destruction of Records and Proposed Access Act
Amendments. Riley Information Services. May 1, 2000. Westin Hotel.
Ottawa, Canada. For more information:
http://www.rileyis.com/seminars/

Entrust SecureSummit 2000. May 1-4, 2000. Hyatt Regency Dallas at
Reunion. Dallas, TX. For more information:
http://www.securesummit.com

Call for Papers -- 16th Annual Computer Security Applications
Conference. Deadline May 12, 2000. Sheraton Hotel. New Orleans, LA.
December 11-15, 2000. For more information: http://www.acsac.org/

Electronic Government: New Challenges for Public Administration and
Law. May 18, 2000. Center for Law, Public Administration, and
Informatization of Tilburg University, Netherlands. For more
information: http://schoordijk.kub.nl/crbi/egov/

Shaping the Network: The Future of the Public Sphere in Cyberspace.
Computer Professionals for Social Responsibility (CPSR). May 20-23,
2000. Seattle, WA. For more information:
http://www.scn.org/cpsr/diac-00

Telecommunications: The Bridge to Globalization in the Information
Society. Biennial Conference of the International Telecommunications
Society. July 2-5, 2000. For more information:
http://www.its2000.org.ar

KnowRight 2000 - InfoEthics Europe. Austrian Computer Society and
UNESCO. September 26-29, 2000. Vienna, Austria. For more information:
http://www.ocg.at/KR-IE2000.html

Privacy2000: Information and Security in the Digital Age. November 29,
2000. Adam's Mark Hotel. Columbus, Ohio.
For more information: http://www.privacy2000.org

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. A Web-based form is available for
subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
"unsubscribe".

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to focus
public attention on emerging privacy issues such as the Clipper Chip,
the Digital Telephony proposal, national ID cards, medical record
privacy, and the collection and sale of personal information. EPIC is
sponsored by the Fund for Constitutional Government, a non-profit
organization established in 1974 to protect civil liberties and
constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom
of Information Act litigation, and conducts policy research. For more
information, e-mail info@epic.org, http://www.epic.org or write EPIC,
666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
+1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington, DC 20003.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 7.05 -----------------------