==============================================================

                        EPIC ALERT

==============================================================
Volume 7.06                                      April 3, 2000
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org

=======================================================================
Table of Contents
=======================================================================

[1] New EPIC Crypto Report Finds Progress and Potential Threats
[2] Census Questions Create Privacy Furor
[3] Judge Prohibits Distribution of "Censorware" Decoding Program
[4] SEC Proposal Would Search Web and Invade Privacy
[5] No Agreement on Safe Harbor Proposal
[6] European Parliament Supports Echelon Hearing
[7] EPIC Bookstore -- EPIC Publications
[8] Upcoming Conferences and Events

=======================================================================
[1] New EPIC Crypto Report Finds Progress and Potential Threats
=======================================================================

The Electronic Privacy Information Center (EPIC) today released "Cryptography and Liberty 2000: An International Survey of Encryption Policies." This is the third annual survey of encryption policy conducted by EPIC. The report finds that the movement towards the relaxation of regulations of encryption technologies has largely succeeded. In particular, in the vast majority of countries, cryptography may be freely used, manufactured, and sold without restriction.

"Cryptography and Liberty" notes that export controls remain the most powerful obstacle to the development and free flow of encryption products and services.
However, the rise of electronic commerce and the need to protect privacy and increase the security of the Internet have resulted in the development of policies that favor the spread of strong encryption worldwide.

Despite these advances, the battle for secure and private communications is not yet won. EPIC's report finds that some countries are now proposing "lawful access" requirements that would force users to disclose keys or decrypted files to government agencies. Others are considering proposals that give intelligence and law enforcement agencies new powers to conduct surveillance, break into buildings or hack computers to obtain encryption keys and obtain information. Law enforcement and intelligence agencies are also demanding and receiving substantial increases in budgets. These new powers and budgets raise concerns about the expansion of government surveillance and the need for public accountability.

Presenting the findings of the report at a press conference today in Washington, EPIC Senior Fellow Wayne Madsen stressed that "the majority of countries around the world are not interested in controlling encryption; however, a few nations are now proposing surreptitious and covert methods for obtaining private keys and access to encoded communications."

EPIC Executive Director Marc Rotenberg said that the report will contribute significantly to the ongoing discussion about the right to communicate freely and in private in the digital age. "Strong encryption is critical for the development of networks that will safeguard personal communications," he said.

An online version of the report is available at:

     http://www2.epic.org/reports/crypto2000/

The printed, book version of "Cryptography and Liberty 2000: An International Survey of Encryption Policy" (EPIC, 154 pages, softcover, ISBN: 1893044076, $20) is available at:

     http://www.epic.org/crypto&/

=======================================================================
[2] Census Questions Create Privacy Furor
=======================================================================

The U.S. Census Bureau is quickly learning something that many online companies have known for a while: the American public is growing increasingly concerned about privacy. Census 2000, the decennial process of counting the U.S. population, has become mired in a privacy controversy concerning census questions that many citizens find intrusive. The questions -- included on the "long form" that the Census Bureau mailed to one of every six U.S. households -- seek information concerning physical and mental disabilities, employment, income, housing specifications, and other personal details.

In the face of public concern over the questions, several members of Congress have recently suggested that long form recipients should refrain from providing information they consider sensitive. Sen. Chuck Hagel (R-NE) has reportedly prepared legislation that would remove the existing criminal penalties for failing to answer all census questions.

The Census Bureau is defending the long form questionnaire, noting that it does not seek any more information than has been requested in earlier census counts and that, in fact, this year's form is shorter than those issued in previous years. Census officials also maintain that there is a legitimate basis for all of the data being sought. According to Census Director Kenneth Prewitt, the information is critical for implementation of specific legislation and government programs. But he has acknowledged the discomfort the form is causing many recipients.

"Millions of Americans have expressed an unprecedented level of concern for their privacy when asked to complete the long form," Prewitt said. "While it may be the shortest long form in history, it has raised more questions than any of its predecessors."

There are, indeed, early indications that privacy concerns may seriously hamper the census process. Three weeks after census forms were sent out, half of the recipient households have mailed them back. The response rate for the long form is ten percent below the rate for the short form, enough of a variance, according to Prewitt, to "make us somewhat concerned."

Official handling of personal information was also at issue in a controversial judicial decision issued last week. In an opinion that grows out of the FBI "Filegate" litigation, U.S. District Judge Royce C. Lamberth found that the White House and President Clinton committed a "criminal violation of the Privacy Act" when they released personal letters sent to the President by Kathleen Willey. The White House has strongly denied the allegation.

An online version of Judge Lamberth's opinion is available at:

     http://www.epic.org/privacy/litigation/clinton_privacy_act.pdf

=======================================================================
[3] Judge Prohibits Distribution of "Censorware" Decoding Program
=======================================================================

A federal judge in Boston has issued a permanent injunction against distribution of a decoding program that unlocks the list of Web sites blocked by the Cyber Patrol filtering program. In an opinion issued on March 28, U.S. District Judge Edward F. Harrington refused to clarify whether U.S. website operators who posted "mirror" copies of the program are subject to the injunction. He also appeared to suggest that mirror sites could test that question only by risking a contempt charge that could lead to fines and incarceration.

Prior to the ruling, EPIC joined with the American Civil Liberties Union in court papers filed on behalf of three U.S. mirror site operators, arguing that the court lacked jurisdiction over the matter and that the First Amendment precludes the broad prohibition on dissemination sought by toy manufacturer Mattel, which markets Cyber Patrol.

Mattel sought the injunction after the decoding program was posted on sites in Sweden and Canada by the two programmers who wrote the code. The company alleged that the "reverse-engineering" process employed by the authors violated U.S. copyright laws, despite the fact that the activity occurred outside of the United States. At a court hearing on March 27, Mattel disclosed that it had reached a settlement with the Swedish and Canadian programmers and had obtained the rights to the decoding program. As a result, the real impact of the court's injunction falls only on the mirror sites.

Underlying the copyright issues raised in the case is the controversy surrounding "censorware" programs that contain secret lists of blocked sites. Filtering critics have long maintained that users of such products should have a means of reviewing the "block lists" contained in the programs. While the right of parents to use the software was never at issue, Judge Harrington wrote that the case "raises a profound societal issue, namely, who is to control the educational and intellectual nourishment of young children -- the parents or the purveyors of pornography and the merchants of death and violence." But by allowing the owners of Cyber Patrol to control the dissemination of the decoding program, the judge's ruling leaves parents in the dark about the products they are buying to protect their children.

More information on the Cyber Patrol litigation, including links to relevant court filings, is available at:

     http://www.epic.org/free_speech/censorware/cyberpatrol/

More information on the free speech issues surrounding filtering software is available at the Internet Free Expression Alliance website:

     http://www.ifea.net

=======================================================================
[4] SEC Proposal Would Search Web and Invade Privacy
=======================================================================

Controversy has recently arisen around a Securities and Exchange Commission (SEC) plan to use webcrawlers to search the Internet for potential securities fraud. Many have found the plan to be an overreaction that invades privacy and could chill free speech.

The SEC's plan would utilize webcrawlers to browse and record statements made in chat rooms, bulletin boards, and web pages based on undisclosed keywords. In the process of storing publicly posted statements, the webcrawler would also attempt to collect personal information to identify posters who often attempt to maintain their anonymity. While the SEC currently takes these steps manually in attempts to thwart potential securities fraud, the automation of the process would potentially extend the reach of the federal agency into activities that could violate the Privacy Act of 1974.

Many critics have considered the plan a violation of the Privacy Act, which puts limits on the collection and use of personal information by federal agencies. The Act prohibits the collection of personal information without the data subject's consent, allows the data subject to review any information in the possession of government agencies, and forbids the storage of statements that would be protected by the First Amendment.

While the Privacy Act provides exceptions in order to protect the integrity of ongoing criminal investigations, the law restricts what government agencies like the SEC can do in the normal course of their business.

=======================================================================
[5] No Agreement on Safe Harbor Proposal
=======================================================================

The Article 31 Committee, the EU body responsible for the implementation of the EU Data Protection Directive, has failed to accept the most recent draft of the Safe Harbor arrangement released by the U.S. Department of Commerce.

The Article 31 Committee, which comprises representatives from all EU member states, met on March 30-31 to discuss the draft. No formal decision was reached and the Committee is now expected to draft a list of areas which still have to be improved in the U.S. proposal. Prominent among these outstanding issues will be the matter of individual redress for privacy violations.

During its meetings, the Committee referred to comments recently submitted by the Trans Atlantic Consumer Dialogue (TACD), a coalition of over sixty American and European consumer groups that includes EPIC. In its comments, the TACD argued that the latest Safe Harbor proposal would still provide European citizens with less than adequate protection with respect to the processing of their personal data. In particular, the TACD expressed "little confidence" in the effectiveness of a self-regulatory scheme for protecting privacy and called for the establishment of stronger principles with a clear enforcement mechanism.

The next meeting of the Article 31 committee is scheduled for May 30-31.

The TACD's comments are available at:

     http://www.tacd.org/press_releases/state300300.html

The current version of the Safe Harbor Principles and FAQs:

     http://www.ita.doc.gov/td/ecom/menu1.html

Information and news on the EU Data Protection Directive:

     http://europa.eu.int/comm/internal_market/en/media/dataprot/index.htm

=======================================================================
[6] European Parliament Supports Echelon Hearing
=======================================================================

On March 28, the Green Party secured the necessary number of signatures from members of the European Parliament to support the establishment of a formal commission of enquiry into the Echelon surveillance system.

The motion to appoint the commission was put forward by the Green Party in response to a report presented to the European Parliament on February 23 by British journalist Duncan Campbell. The report, "Interception Capabilities 2000," suggested that Echelon forms part of a global surveillance scheme carried out by the U.S., the UK and other countries capable of intercepting all electronic communications.

The Greens have presented the signatures to the President of the European Parliament, Nicole Fontaine. In accordance with the rules of procedure, the Parliament's Conference of Presidents will now decide whether to make a formal recommendation for an Inquiry Committee. The Greens have also asked the European Commission and Council to confirm whether they are doing enough to protect the privacy of European citizens' communications.

Echelon has also provoked public debate in the U.S., with recent allegations that the National Security Agency (NSA) has used its surveillance powers not only for foreign intelligence purposes but also to intercept domestic communications. Campbell is currently working with EPIC to prepare a new report on this issue.
The report, scheduled for publication in early May, will serve as a roadmap for proposed Congressional hearings into NSA activities, expected to be held later this spring.

See the Green Party press release at:

     http://www.europarl.eu.int/greens/press/2000/0328_en.htm

The European Parliament report, "Interception Capabilities 2000" (in PDF format) is available at:

     http://www.europarl.eu.int/dg4/stoa/en/publi/pdf/98-14-01-2en.pdf

=======================================================================
[7] EPIC Bookstore -- EPIC Publications
=======================================================================

EPIC Publications:

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, editors, (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

"The Privacy Law Sourcebook: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.
http://www.epic.org/pls/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom - Free Speech Perspectives on Internet Content Controls," David Sobel, editor (EPIC 1999). Price: $20.
http://www.epic.org/filters&freedom/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"Privacy and Human Rights 1999: An International Survey of Privacy Laws and Developments," David Banisar, Simon Davies, editors, (EPIC 1999). Price: $15.
http://www.epic.org/privacy&humanrights99/

An international survey of the privacy and data protection laws found in 50 countries around the globe. This report outlines the constitutional and legal conditions of privacy protection, and summarizes important issues and events relating to privacy and surveillance.

================================

Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore:

     http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Call for Papers -- Freedom of Expression in the Information Age. Stanford Journal of International Law. Deadline April 15, 2000. For more information: http://www.stanford.edu/group/SJIL/

Regulating the Internet: EU & US Perspectives. April 27-29, 2000. European Union Center, the School of Communications, and the Center for Law, Commerce & Technology at the University of Washington. Seattle, WA. For more information: http://jsis.artsci.washington.edu/programs/europe/euc.html

Access Act Reform: The Destruction of Records and Proposed Access Act Amendments. Riley Information Services. May 1, 2000. Westin Hotel. Ottawa, Canada. For more information: http://www.rileyis.com/seminars/

Entrust SecureSummit 2000. May 1-4, 2000. Hyatt Regency Dallas at Reunion. Dallas, TX. For more information: http://www.securesummit.com

Call for Papers -- 16th Annual Computer Security Applications Conference. Deadline May 12, 2000. Sheraton Hotel. New Orleans, LA. December 11-15, 2000. For more information: http://www.acsac.org/

Electronic Government: New Challenges for Public Administration and Law.
May 18, 2000. Center for Law, Public Administration, and Informatization of Tilburg University, Netherlands. For more information: http://schoordijk.kub.nl/crbi/egov/

Shaping the Network: The Future of the Public Sphere in Cyberspace. Computer Professionals for Social Responsibility (CPSR). May 20-23, 2000. Seattle, WA. For more information: http://www.scn.org/cpsr/diac-00

First Annual Institute on Privacy Law: Strategies for Legal Compliance in a High Tech and Changing Regulatory Environment. Practicing Law Institute. June 22-23, 2000. PLI Conference Center. New York, NY. For more information: http://www.pli.edu

Telecommunications: The Bridge to Globalization in the Information Society. Biennial Conference of the International Telecommunications Society. July 2-5, 2000. For more information: http://www.its2000.org.ar

KnowRight 2000 - InfoEthics Europe. Austrian Computer Society and UNESCO. September 26-29, 2000. Vienna, Austria. For more information: http://www.ocg.at/KR-IE2000.html

Privacy2000: Information and Security in the Digital Age. November 29, 2000. Adam's Mark Hotel. Columbus, Ohio. For more information: http://www.privacy2000.org

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC.
It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 7.06 -----------------------