============================================================== @@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @@@@@ @ @@@ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @ ============================================================== Volume 7.09 May 15, 2000 -------------------------------------------------------------- Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. http://www.epic.org ======================================================================= Table of Contents ======================================================================= [1] FTC Completes Internet Privacy Sweep and Advisory Committee Report [2] Anonymous Message Board Poster Sues Yahoo! for Disclosures [3] Court to Hear Challenge to Proposed FBI Wiretap Standards [4] Privacy Groups Oppose Financial Privacy Delay [5] EPIC Testifies on Use of Social Security Numbers [6] New Survey Details Experiences of Identity Theft Victims [7] Press Freedom Survey Finds Extensive Censorship [8] Upcoming Conferences and Events ======================================================================= [1] FTC Completes Internet Privacy Sweep and Advisory Committee Report ======================================================================= As reported in the Wall Street Journal on May 11, the Federal Trade Commission's sweep of Internet privacy policies found that the overwhelming majority of websites fail to meet standards for privacy protection. According to the coverage, the Federal Trade Commission (FTC) found that while almost 90 percent of websites surveyed had privacy policies, only roughly 20 percent satisfied the FTC's version of Fair Information Practices -- notice, consent, access, and security. The report also includes a staff recommendation that the FTC ask Congress for the authority to issue rules over Internet privacy. The results of the FTC's sweep are not surprising considering other recent surveys. EPIC's last survey conducted in December 1999, "Surfer Beware 3: Privacy Policies Without Privacy Protection," found that none of the top 100 e-commerce sites met the standard set out by a more robust set of Fair Information Practices. An industry-funded survey conducted by Georgetown University in January 1999 found that less than 10 percent of websites visited met the FTC's standards. Tommorrow, the FTC Advisory Committee on Online Access and Security will release its final report. The report brought together representatives from industry, academia and privacy groups to recommend implementation options for access and security. The report discusses access, the ability of the consumer to view and edit their personal information, and security, the prevention of unauthorized access or use of data. The final version of the report contains a consensus recommendation for security and four options for access. EPIC Policy Analyst Andrew Shen was a member of the Advisory Committee. The security recommendation is that Web sites maintain a security program detailing their procedures and should be evaluated on the basis of whether or not it is "appropriate under the circumstances." The access implementation options are "total access" in which a consumer to access all their personal information; "default to consumer access" in which access would be provided in accordance with the "ordinary course of business"; "case-by-case" in which the provision of access is not presumed but depends on the types of information and costs; "access for correction" in which a limited scope of information would be subject to access and available only for minor editing. The final report of the FTC Advisory Committee, transcripts of public meetings, and public comments are available at: http://www.ftc.gov/acoas/ "Surfer Beware 3: Privacy Policies Without Privacy Protection" is available at: http://www.epic.org/reports/surfer-beware3.html ======================================================================= [2] Anonymous Message Board Poster Sues Yahoo! for Disclosures ======================================================================= A federal lawsuit filed in California on May 11 could establish important protections for Internet privacy, anonymity and free expression. The suit, filed against Yahoo! by a user of the service's popular financial message boards, challenges the company's practice of disclosing a user's personal information to third parties without prior notice to the user. It accuses the online portal of violating the "constitutional and contractual rights to privacy" of the user, who lost his job after posting remarks about his employer on a Yahoo! message board. Over the past year, Yahoo! has been inundated with subpoenas issued by companies seeking the identities of individuals anonymously posting information critical of the firms and their executives. Without notifying the targeted users, and without assessing the validity of the legal claims underlying the subpoenas, Yahoo! has systematically disclosed identifying information such as users' names, e-mail addresses and Internet protocol addresses. Yahoo! has been unique among major online companies in its refusal to notify its users of such subpoenas and provide them with an opportunity to challenge the information requests. (Since the filing of the lawsuit, Yahoo! has claimed that it changed its policy in April and does now notify users. However, that change is not yet reflected at the Yahoo! website.) Privacy and free speech advocates, including EPIC, have criticized Yahoo!'s policy on the ground that Internet users have a right to communicate anonymously and usually do so for valid reasons. According to David L. Sobel, EPIC's General Counsel, "online anonymity plays a critical role in fostering free expression on the Internet, and has clearly contributed to the popularity of the medium." He said, "The U.S. Supreme Court has ruled that anonymity is a constitutional right, but the failure to inform users when subpoenas are issued may make that right illusory online." The lawsuit was filed in United States District Court in Los Angeles by "Aquacool_2000," a pseudonymous Yahoo! user whose personal information was disclosed to AnswerThink Consulting Group, Inc., a publicly held company. A copy of the lawsuit (in PDF) is available at: http://www.epic.org/anonymity/aquacool_complaint.pdf ======================================================================= [3] Court to Hear Challenge to Proposed FBI Wiretap Standards ======================================================================= This week, EPIC and other Internet privacy advocacy groups will ask a federal appeals court to block new rules that would enable the FBI to dictate the design of the nation's communication infrastructure. The challenged rules would, among other capabilities, enable the Bureau to track the physical locations of cellular phone users and potentially monitor Internet traffic. In an oral argument to be heard by the U.S. Court of Appeals for the District of Columbia Circuit on May 17, EPIC, the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) will argue that the rules -- contained in a Federal Communications Commission (FCC) decision issued last August -- could result in a significant increase in government interception of digital communications. Also arguing against the proposed technical standards will be another group of challengers, comprised of telecommunications industry trade associations and the Center for Democracy and Technology. The court challenge involves the Communications Assistance for Law Enforcement Act (CALEA), a controversial law enacted by Congress in 1994, which requires the telecommunications industry to design its systems in compliance with FBI technical requirements to facilitate electronic surveillance. In negotiations over the last few years, the FBI and industry representatives were unable to agree upon those standards, resulting in last year's FCC ruling. EPIC, ACLU and EFF participated as parties in the FCC proceeding and argued that the privacy rights of Americans must be protected. The groups' court briefs asserted that the FCC ruling exceeds the requirements of CALEA and frustrates the privacy interests protected by federal statutes and the Fourth Amendment. Among other things, the Commission order would require telecommunications providers to determine the physical locations of cellular phone users and deliver "packet-mode communications" -- such as those that carry Internet traffic -- to law enforcement agencies. Proposed architectural changes to communications networks are also being considered this week in Paris, where a Group of Eight (G-8) conference is considering "cybercrime" issues. The process, which began several years ago at the behest of the United States, may be moving toward concrete proposals that could impact online anonymity. During the G-8 ministerial conference in Moscow last October, the countries committed their experts to organize a dialogue between industry and governments about "identifying and locating cybercriminals." During the scheduled Okinawa summit in July, the results of the discussion will be considered by the Heads of State of the G-8. Background materials on CALEA, including the briefs filed by EPIC, ACLU and EFF, are available at EPIC's website: http://www.epic.org/privacy/wiretap/ Information on the G-8 conference is available at: http://www.g8parishightech.org/en_txt/index.htm ======================================================================= [4] Privacy Groups Oppose Financial Privacy Delay ======================================================================= Despite widespread public support for the protection of personal financial information, government agencies have decided to delay the effective date of financial privacy protections until July 2001. Upon rumors that the agencies in charge of issuing rules protecting financial privacy were planning to delay their effective date, a coalition of privacy groups issued a joint letter on May 9 insisting that the rules goes into effect as planned. The open letter to the agencies stated that while the privacy guidelines provided by the Gramm-Leach-Bliley Act were inadequate, they still offered more than the current lack of protections. Despite these concerns, on May 11, the Federal Reserve, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision issued their final financial privacy rules but delayed the effective date until July 1 of next year. In a separate announcement released today, the Federal Trade Commission also issued its final rules with the same delayed effective date. Public support for financial privacy continues to grow despite the slow response from the federal government. A recent poll published by the National Journal found that 14 percent of registered voters cited the protection of financial records as their top priority for Congress this year. In comparison, 16 percent of those polled picked tougher gun restrictions and seven percent selected the passage of a patients' bill of rights as high priority issues. The letter opposing the delay of financial privacy protections: http://www.pirg.org/consumer/glbdelay.htm Press release announcing the delay of the effective date for financial privacy rules: http://www.bog.frb.fed.us/boarddocs/press/BoardActs/2000/ 20000510/default.htm Separate press release from the Federal Trade Commission also delaying the implementation of financial privacy protections: http://www.ftc.gov/opa/2000/05/glbpress1.htm ======================================================================= [5] EPIC Testifies on Use of Social Security Numbers ======================================================================= On May 11, EPIC Executive Director Marc Rotenberg testified before the House Subcommittee on Social Security on the "Use and Misuse of Social Security Numbers." The subcommittee convened the hearing to examine the need for legislation to curb the growing misuse of Social Security Numbers (SSNs) such as in cases of identity theft. EPIC's testimony argues that legislation to limit the collection and use of the SSN is appropriate, necessary and fully consistent with U.S. law. The history of the SSN demonstrates that it was never intended to be used widely as a unique identifier and that there is clear judicial and legislative support for further legal restrictions on its use. The testimony concluded that strong privacy laws and other safeguards are necessary to ensure that the problems associated with misuse of the SSN, such as profiling and identity theft, do not increase in the future. Also testifying on the panel were several members of Congress proposing legislation to curb the use of SSNs, the Consumer Program Director of U.S. PIRG, and representatives of industries and government agencies that regularly use Social Security Numbers in the course of their work. EPIC's testimony is available at: http://www.epic.org/privacy/ssn/testimony_0500.html The testimony of other panel members is also online at: http://www.house.gov/ways_means/socsec/106cong/ss-17awi.htm ======================================================================= [6] New Survey Details Experiences of Identity Theft Victims ======================================================================= On May 1, the California Public Interest Research Group (CALPIRG) and the Privacy Rights Clearinghouse (PRC), released a new report highlighting the difficulties that victims of identity theft face in clearing their names. The report, entitled "Nowhere to Turn: Victims Speak out on Identity Theft", surveys the experiences of identity theft victims. The survey found that the victims had spent between two and four years removing an average of $18,000 in fraudulent charges. The report argues that law enforcement, government and credit industry procedures fail to address the growing problem of identity theft and make it difficult for victims to resolve their cases. The report acknowledges that the 1998 law passed by Congress to criminalize identity theft is an important "first step" in combating identity theft but argues that much more needs to be done. It recommends the introduction of state and federal laws to protect consumers and forcing bodies such as banks, department stores and credit bureaus to take a more responsible approach to the growing problem of identity theft. "Nowhere to Turn: Victims Speak out on Identity Theft" is at: http://www.pirg.org/calpirg/consumer/privacy/idtheft2000/ ======================================================================= [7] Press Freedom Survey Finds Extensive Censorship ======================================================================= In its 22nd annual survey of international press freedom, Freedom House recently found that nearly two-thirds of the 186 countries reviewed restrict the content of print and electronic news media. According to the report, sixty-nine countries (37 percent) have a free press, while 51 have a partly free news media and 66 do not provide press freedom. Those governments that restrict press freedom often claim to do so in the interest of preserving public morality and protecting national security. Governments employ various tactics to limit Internet access, such as mandating special licensing and regulation of Internet use, channeling traffic through filtered government servers, and banning access to particular Web pages. For example, the official Internet Service Provider (ISP) in China restricts access to particular news reports generated abroad. The Chinese government also monitors Web sites to ensure that no sensitive government information is disclosed and has imprisoned dissidents who have posted such material. In Russia, one of the successors to the KGB has required ISPs to install surveillance devices that allow direct monitoring of Internet activity. The Freedom House survey is available at: http://www.freedomhouse.org/pfs2000/ ======================================================================= [8] Upcoming Conferences and Events ======================================================================= Electronic Government: New Challenges for Public Administration and Law. May 18, 2000. Center for Law, Public Administration, and Informatization of Tilburg University, Netherlands. For more information: http://schoordijk.kub.nl/crbi/egov/ Securing Linux or BSD Novice Users' Personal Computers. GNU/Linux Beginners SIG. May 19, 2000. New School Computer Instruction Center. New York, NY. For more information: drs@cloud9.net Shaping the Network: The Future of the Public Sphere in Cyberspace. Computer Professionals for Social Responsibility (CPSR). May 20-23, 2000. Seattle, WA. For more information: http://www.scn.org/cpsr/diac-00 New Millennium, New Horizons: Marketing and Public Policy Conference 2000. American Marketing Association. June 1-3, 2000. Marriott Metro Center. Washington, DC. For more information: http://www.ama.org/events/ Data Sharing: Initiatives and Challenges Among Benefit and Loan Programs. United States General Accounting Office. June 7-8, 2000. Library of Congress, Jefferson Building. Washington, DC. For more information: morehousec.hehs@gao.gov First Annual Institute on Privacy Law: Strategies for Legal Compliance in a High Tech and Changing Regulatory Environment. Practicing Law Institute. June 22-23, 2000. PLI Conference Center. New York, NY. For more information: http://www.pli.edu Telecommunications: The Bridge to Globalization in the Information Society. Biennial Conference of the International Telecommunications Society. July 2-5, 2000. For more information: http://www.its2000.org.ar INET 2000: Internet Global Summit. Internet Society. July 18-20, 2000. Yokohama, Japan. For more information: http://www.isoc.org/inet2000 First International Hackers Forum. The Green Planet. August 18-20, 2000. Zaporozhye, Ukraine. For more information: http://www.geocities.com/hack_forum Surveillance Expo 2000. August 28-30, 2000. Arlington, VA. For more information: http://www.surveillance-expo.com KnowRight 2000 - InfoEthics Europe. Austrian Computer Society and UNESCO. September 26-29, 2000. Vienna, Austria. For more information: http://www.ocg.at/KR-IE2000.html Privacy: A Social Research Conference. New School University. October 5-7, 2000. New York, NY. For more information: http://www.newschool.edu/centers/socres/privacy/ Privacy2000: Information and Security in the Digital Age. October 31- November 1, 2000. Adam's Mark Hotel. Columbus, Ohio. For more information: http://www.privacy2000.org ======================================================================= Subscription Information ======================================================================= The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at: http://www.epic.org/alert/subscribe.html To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe". Back issues are available at: http://www.epic.org/alert/ ======================================================================= About EPIC ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ---------------------- END EPIC Alert 7.09 ----------------------- .