==============================================================
                        E P I C   A L E R T
==============================================================
Volume 7.14                                        July 27, 2000
--------------------------------------------------------------
                        Published by the
          Electronic Privacy Information Center (EPIC)
                        Washington, D.C.
          http://www.epic.org/alert/EPIC_Alert_7.14.html

=======================================================================
Table of Contents
=======================================================================
[1] Congress Examines FBI Carnivore Surveillance System
[2] New Bill Would Require Notice of Workplace Monitoring
[3] European Commission Adopts Safe Harbor Data Principles
[4] Microsoft Offers Security Patch for Third-Party Cookies
[5] EPIC Bill-Track: New Bills in Congress
[6] Resources Available for National High School Debate Topic
[7] EPIC Bookstore - The Electronic Privacy Papers
[8] Upcoming Conferences and Events

=======================================================================
[1] Congress Examines FBI Carnivore Surveillance System
=======================================================================

On July 24, the House Judiciary Committee convened a hearing on the
Federal Bureau of Investigation's controversial Internet surveillance
program, Carnivore. The Committee hoped to shed light on the largely
unknown capabilities of the program, as well as to solicit feedback
from Carnivore's critics.

Carnivore is an advanced packet sniffer which the FBI installs on an
Internet Service Provider's (ISP) backbone to scan and record selected
communications. Carnivore scans all of an ISP's Internet traffic,
looking for and recording relevant messages. It is Carnivore's ability
to monitor large amounts of communications, as well as its still
unknown configuration potential, that has raised concerns among
members of Congress and privacy and civil liberties advocates.

The FBI faced stiff bi-partisan questioning over Carnivore, led by
Reps. Jerrold Nadler (D-NY) and Bob Barr (R-GA). Both representatives
expressed skepticism about the FBI's assurances that Carnivore was a
"surgical" instrument that is actually less intrusive than a standard
wiretap, and both were curious as to why the FBI had not informed
Congress about Carnivore earlier.

Witnesses on a second panel were also highly critical of the Bureau.
Barry Steinhardt of the ACLU said the use of Carnivore is like "a
wiretap capable of accessing the contents of all of the phone
company's customers." This, he stated, was a direct violation of the
Fourth Amendment's requirement of narrow and targeted searches,
designed to protect both the privacy of individuals and the ability of
the government to conduct searches. Like many members of the
Committee, Steinhardt was skeptical of the FBI's "trust us" approach.

One of the consistent criticisms of the Carnivore program is that very
little information on its use and capabilities has been made public.
In the interest of the fullest possible public disclosure, EPIC
submitted a Freedom of Information Act request to the FBI on July 12
seeking the disclosure of all information relating to Carnivore.
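The architecture the section describes, a tap that must parse every packet on the ISP's link in order to select the few it records, is easy to see in code. The following is an added illustration written for this page, not the FBI's software and not based on any published Carnivore detail: the packets, addresses and the target mailbox "suspect@example.net" are constructed here, the selector keys on the SMTP envelope only, and checksums and link-layer headers are omitted.

```python
"""Selective packet capture of the kind described above: every packet on the
tap is parsed, but only traffic matching a configured selector is written to
the record.  Added illustration, not the FBI's code; all packets below are
constructed and the target mailbox is hypothetical."""
import struct
from typing import Dict, List, Tuple

SMTP_PORT = 25


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a bare IPv4+TCP packet (no link-layer header, checksums left zero)."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
        bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw: bytes) -> Dict:
    """Decode the IPv4 and TCP headers; non-TCP packets carry no port fields."""
    ihl = (raw[0] & 0x0F) * 4
    pkt = {"src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
           "proto": raw[9], "payload": b""}
    if pkt["proto"] == 6:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
        data_off = (raw[ihl + 12] >> 4) * 4
        pkt["payload"] = raw[ihl + data_off:]
    return pkt


class Selector:
    """Keeps SMTP flows whose envelope names the target mailbox; drops the rest."""

    def __init__(self, target_mailbox: str):
        self.target = target_mailbox.lower().encode()
        self.inspected = 0                 # packets the tap had to read
        self.recorded: List[Dict] = []     # packets actually written to the record
        self.flows = set()                 # flows already matched by their envelope

    @staticmethod
    def _flow_key(pkt: Dict) -> Tuple:
        ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        return tuple(ends)

    def feed(self, raw: bytes) -> bool:
        """Inspect one packet from the wire; return True if it was recorded."""
        self.inspected += 1                # every packet is parsed, selected or not
        pkt = parse_packet(raw)
        if pkt["proto"] != 6 or SMTP_PORT not in (pkt["sport"], pkt["dport"]):
            return False
        key = self._flow_key(pkt)
        envelope = pkt["payload"].lower()
        names_target = (envelope.startswith((b"mail from:", b"rcpt to:"))
                        and self.target in envelope)
        if names_target:
            self.flows.add(key)
        if key in self.flows:              # once the envelope matches, keep the session
            self.recorded.append(pkt)
            return True
        return False


def run_demo() -> Tuple[int, int]:
    """Feed constructed traffic through the selector; returns (inspected, recorded)."""
    sel = Selector("suspect@example.net")
    client, mx, web = "10.0.0.5", "192.0.2.25", "192.0.2.80"   # constructed hosts
    wire = [
        build_packet(client, mx, 40001, SMTP_PORT, b"MAIL FROM:<suspect@example.net>\r\n"),
        build_packet(client, mx, 40001, SMTP_PORT, b"RCPT TO:<bob@example.org>\r\n"),
        build_packet(client, mx, 40001, SMTP_PORT, b"DATA\r\nSubject: hi\r\n\r\nsee you at 9\r\n.\r\n"),
        build_packet(client, mx, 40002, SMTP_PORT, b"MAIL FROM:<alice@example.org>\r\n"),
        build_packet(client, mx, 40002, SMTP_PORT, b"RCPT TO:<carol@example.com>\r\n"),
        build_packet(client, web, 40003, 80, b"GET / HTTP/1.0\r\n\r\n"),
    ]
    for raw in wire:
        sel.feed(raw)
    return sel.inspected, len(sel.recorded)


if __name__ == "__main__":
    seen, kept = run_demo()
    print(f"inspected {seen} packets, recorded {kept}")
```

The point the example makes is the one Steinhardt raised: the record holds only the three packets of the matching session, but `inspected` counts all six, including a second person's mail and an unrelated web request, because the selector cannot know which packets to keep without reading every one. Whether such a device is "surgical" therefore depends entirely on its filter configuration, which is exactly the part of Carnivore the hearing could not examine.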
Testimony presented at the House Judiciary Committee hearing:

     http://www.house.gov/judiciary/2.htm

The hearing can be viewed in its entirety over the web at:

     http://www.cspan.org/technology_science/

More on the history of FBI monitoring of Internet communications and
the "digital telephony" law (or CALEA) is available at the EPIC
Wiretap Page:

     http://www.epic.org/privacy/wiretap/

=======================================================================
[2] New Bill Would Require Notice of Workplace Monitoring
=======================================================================

Bi-partisan legislation introduced in both houses of Congress would
prevent employers from secretly monitoring the communications and
computer use of their employees. The "Notice of Electronic Monitoring
Act" (S.2898 and H.R.4908) would require employers to give "clear and
conspicuous notice" to their employees if they intend to read e-mail,
monitor keystrokes or Web activity, or listen to telephone
conversations. The bill was introduced on July 20 by Sen. Charles
Schumer (D-NY) and Reps. Charles Canady (R-FL) and Bob Barr (R-GA).

The proposed legislation would not prohibit electronic monitoring, nor
would it require employers to give notice each time they monitor an
employee's activity. Instead, employers would be required to provide
workers with initial notices when they are hired, and then annually
and whenever there are changes to the company's monitoring policy.
Monitoring could be conducted without notice if there is reason to
believe the employee is engaging in conduct harmful to the employer or
another employee.

The required notification would have to specify the type of computer
use that would be monitored, how the monitoring would be accomplished,
the frequency of the monitoring, the kinds of information that would
be obtained, and how the information would be stored, used or
disclosed.
Employees would be able to sue employers for civil damages if
electronic monitoring is conducted without the required notice.

Workplace monitoring has become increasingly common in recent years --
an American Management Association report found that forty-five
percent of major U.S. firms record and review employee communications
and activities on the job -- but the courts have generally provided
employees with little recourse. Privacy advocates have long maintained
that providing notice of a monitoring policy should, as a bare
minimum, be required before employers can engage in such invasive
activities.

Another privacy-related bill was introduced on July 26 by Sens. John
McCain (R-AZ), John Kerry (D-MA), and Spencer Abraham (R-MI). The
bi-partisan Internet privacy legislation would require all commercial
websites to make clear disclosures about their information collection
practices. The mandatory disclosures would be enforced by the Federal
Trade Commission. The Senate Commerce Committee plans to hold hearings
on the proposal in September.

The American Management Association's 1999 survey, "Workplace
Monitoring and Surveillance," is available at:

     http://www.amanet.org/research/monit/index.htm

=======================================================================
[3] European Commission Adopts Safe Harbor Data Principles
=======================================================================

On July 26, the European Commission finalized its decision to approve
the latest U.S. Safe Harbor proposal, thereby ending two years of
negotiations between the U.S. Department of Commerce and the European
Union on the transborder flows of European citizens' personal data.
The agreement allows companies to voluntarily abide by a set of
principles protecting data belonging to EU citizens. However, the
arrangement will not offer any increase in protections for U.S.
citizens.

The Commission decided to approve this agreement in spite of a
forceful resolution by the European Parliament adopted on July 5 that
the agreement needed to be re-negotiated in order to provide adequate
protection (see EPIC Alert 7.13). Acknowledging the Parliament's
criticisms, the Commission went ahead with the adoption of Safe Harbor
and promised to re-open negotiations on the arrangement if the
remedies available to European citizens prove inadequate. EU member
states will have 90 days to put the Commission's decision into effect
and companies may join Safe Harbor starting in November.

In other international news, the Group of Eight (G8) has issued a
charter on the "Global Information Society." The group, which
comprises the top eight industrial countries in the world, met last
week in Okinawa for its annual summit. The charter recognizes the need
to promote consumer trust and confidence in the electronic marketplace
(in particular by providing reliable means of settling cross-border
disputes), developing "effective and meaningful" privacy protections,
and ensuring the security of stored data.

Addressing the issue of cyber-crime, the Group stated that it will
continue to promote dialogue and co-operation between governments and
industry. Building on its earlier meeting in May of this year with
industry groups, the Group re-affirmed the need to tackle urgent
security issues such as hacking, viruses, and the protection of
critical infrastructure.
Information regarding the European Commission's adoption of Safe
Harbor:

     http://europa.eu.int/rapid/start/cgi/guesten.ksh?p_action.gettxt=gt&doc=IP/00/865|0|RAPID&lg=EN

The European Parliament resolution is available at:

     http://www.epic.org/privacy/intl/EP_SH_resolution_0700.html

The G8 Communique from the Okinawa meeting is available at:

     http://www.g8kyushu-okinawa.go.jp/e/documents/commu.html

=======================================================================
[4] Microsoft Offers Security Patch for Third-Party Cookies
=======================================================================

On July 20, Microsoft announced that it was introducing a beta
security patch for the next version of Internet Explorer that would
allow for better management of web cookies. The test version of the
patch should be available to the public by the end of August.

According to preliminary descriptions, the patch will offer several
features that will allow users to control cookies more effectively.
The browser will be able to differentiate between first-party and
third-party cookies and the default setting will warn the user when a
persistent third-party cookie is being served. Persistent third-party
cookies are used heavily by Internet advertisers, such as DoubleClick,
to track computer users' activities. In addition, the new
functionality will allow Internet users to delete all cookies with a
single click and will make information about security and privacy
more easily accessible. The security patch does not, however, increase
consumer control over the use of first-party cookies prevalent on
commercial websites.

The cookie management features follow on the heels of other recent
security patches issued by Microsoft correcting data leak issues. In
May, the company released a patch for the popular Outlook program that
would turn off cookies in email messages.
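The two distinctions the patch is described as drawing, first-party versus third-party and session versus persistent, are what decide whether a user is warned. The following is an added illustration written for this page, not Microsoft's implementation: it compares the site of the page in the address bar with the site that sent the Set-Cookie header, reads Expires/Max-Age to decide persistence, and applies the stated default of prompting only on persistent third-party cookies. The public-suffix table, page URL, ad host and headers are all constructed or assumed, and the cookie Domain attribute is deliberately ignored.

```python
"""Cookie classification of the kind the text describes: is a Set-Cookie header
first- or third-party relative to the page being viewed, is it persistent, and
what does a 'prompt only on persistent third-party cookies' default do with it.
Added illustration, not Microsoft's code; the suffix list, URLs and headers are
constructed/assumed."""
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Assumption: a toy stand-in for the public-suffix list a real browser would use.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the public suffix plus one label, e.g.
    'ad.tracker-example.net' -> 'tracker-example.net'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


@dataclass
class Cookie:
    name: str
    value: str
    persistent: bool    # survives the browser session (Expires or Max-Age set)
    third_party: bool   # set by a site other than the one in the address bar


def parse_set_cookie(header: str) -> Tuple[str, str, bool]:
    """Split 'name=value; attr; attr=val' and report whether it is persistent.
    Max-Age takes precedence over Expires; a non-positive Max-Age deletes the
    cookie, so it is not persistent.  Assumption: Expires dates are not parsed."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    persistent, has_max_age = False, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            has_max_age = True
            persistent = val.strip().lstrip("-").isdigit() and int(val) > 0
        elif key == "expires" and not has_max_age:
            persistent = True
    return name.strip(), value.strip(), persistent


def classify(page_url: str, resource_url: str, header: str) -> Cookie:
    """Compare the site of the top-level page with the site setting the cookie."""
    page_site = registrable_domain(urlsplit(page_url).hostname or "")
    setter_site = registrable_domain(urlsplit(resource_url).hostname or "")
    name, value, persistent = parse_set_cookie(header)
    return Cookie(name, value, persistent, third_party=page_site != setter_site)


def default_policy(cookie: Cookie) -> str:
    """The default the text describes: warn only on persistent third-party
    cookies; first-party cookies, persistent or not, are not restricted."""
    if cookie.third_party and cookie.persistent:
        return "prompt"
    return "accept"


def run_demo() -> Dict[str, Tuple[bool, bool, str]]:
    """Constructed page load: two first-party responses and two from an ad host."""
    page = "http://www.example-news.com/story.html"
    responses = [
        ("http://www.example-news.com/story.html", "session=abc123; Path=/"),
        ("http://www.example-news.com/story.html",
         "prefs=dark; Expires=Fri, 27 Jul 2001 00:00:00 GMT; Path=/"),
        ("http://ad.tracker-example.net/pixel.gif",
         "id=XYZ789; Expires=Fri, 27 Jul 2001 00:00:00 GMT; Domain=.tracker-example.net"),
        ("http://ad.tracker-example.net/pixel.gif", "tmp=1; Path=/"),
    ]
    decisions = {}
    for url, header in responses:
        c = classify(page, url, header)
        decisions[c.name] = (c.third_party, c.persistent, default_policy(c))
    return decisions


if __name__ == "__main__":
    for name, (third, persist, verdict) in run_demo().items():
        print(f"{name:8} third_party={third!s:5} persistent={persist!s:5} -> {verdict}")
```

Only the ad host's persistent "id" cookie triggers a prompt. The same host's session cookie is accepted, and so is the news site's own persistent "prefs" cookie, which is the gap the section notes: the default gives the user no additional control over first-party cookies, and a tracker that can get its identifier set from the first-party domain is not covered by the prompt at all.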
In related news, the newly created non-profit Privacy Foundation has
announced its first initiative, the creation of a Privacy Center at
the University of Denver. The Privacy Center will be a research and
education organization that seeks to investigate new technology and
inform the public on how to protect themselves from privacy invasions.
Richard Smith, noted Internet privacy expert, is the Chief Technology
Officer for the organization.

Information about the security patch is available at:

     http://www.microsoft.com/windows/ie/default.htm

For cookie management software and other privacy enhancing
technologies, visit the EPIC Online Guide to Practical Privacy Tools:

     http://www.epic.org/privacy/tools.html

For more information about the Privacy Foundation's new research
center:

     http://www.privacyfoundation.org/

=======================================================================
[5] EPIC Bill-Track: New Bills in Congress
=======================================================================

*House*

H.R.4311. Identity Theft Protection Act of 2000. Institutes
confirmations of changes of address, annually distributed free credit
reports, and access to information held by individual reference
services providers (see also S.2328). Sponsor: Rep. Hooley, Darlene
(D-OR). Referred to the Subcommittee on Financial Institutions and
Consumer Credit.

H.R.4857. Privacy and Identity Protection Act of 2000. Far-reaching
law that would restrict government uses of the social security number
and create regulations over the sale and purchase of social security
numbers by the private sector (see also S.2876). Sponsor: Rep. Shaw,
E. Clay, Jr. (R-FL). Forwarded by Subcommittee to Full House Ways and
Means Committee (Amended) by Voice Vote.

H.R.4908. Notice of Electronic Monitoring Act. Amends the Electronic
Communications Privacy Act to require employers to provide notice to
employees of electronic monitoring unless the employer believes the
employee is engaged in harmful activity (see also S.2898). Sponsor:
Rep. Canady, Charles T. (R-FL). Referred to the House Committee on the
Judiciary.

*Senate*

S.2328. Identity Theft Prevention Act of 2000. Institutes
confirmations of changes of address, annually distributed free credit
reports, and access to information held by individual reference
services providers (see also H.R.4311). Sponsor: Sen. Feinstein,
Dianne (D-CA). Read twice and referred to the Committee on Banking,
Housing, and Urban Affairs.

S.2554. Amy Boyer's Law. Would limit display of social security
numbers. Sponsor: Sen. Gregg, Judd (R-NH). Read twice and referred to
the Committee on Finance.

S.2871. Social Security Number Privacy Act of 1999. Amends the
Gramm-Leach-Bliley Act (see S.900) to prohibit financial institutions
from selling social security numbers. Sponsor: Sen. Shelby, Richard C.
(R-AL). Read twice and referred to the Committee on Banking, Housing,
and Urban Affairs.

S.2876. Privacy and Identity Protection Act of 2000. Far-reaching law
that would restrict government uses of the social security number and
create regulations over the sale and purchase of social security
numbers by the private sector (see also H.R.4857). Sponsor: Sen.
Bunning, Jim (R-KY). Read twice and referred to the Committee on
Finance.

S.2898. Notice of Electronic Monitoring Act. Amends the Electronic
Communications Privacy Act to require employers to provide notice to
employees of electronic monitoring unless the employer believes the
employee is engaged in harmful activity (see also H.R.4908). Sponsor:
Sen. Schumer, Charles E. (D-NY). Read twice and referred to the
Committee on the Judiciary.
EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills
in the 106th Congress, is available at:

     http://www.epic.org/privacy/bill_track.html

=======================================================================
[6] Resources Available for National High School Debate Topic
=======================================================================

In response to requests for information regarding the 2000-2001
National High School Debate Topic, "Resolved: that the United States
federal government should significantly increase protection of privacy
in one or more of the following areas: employment, medical records,
consumer information, search and seizure," EPIC has produced a webpage
containing links to relevant websites, litigation, court cases, and
surveys. A brief essay on the subject is also included.

We at EPIC are encouraged that the national debate topic relates to
privacy issues, and hope that the ideas and discussions produced will
become part of the larger debate on privacy.

The National High School Debate Topic Resources page is at:

     http://www.epic.org/privacy/debate_resources.html

=======================================================================
[7] EPIC Bookstore - The Electronic Privacy Papers
=======================================================================

The Electronic Privacy Papers: Documents on the Battle for Privacy in
the Age of Surveillance
by Bruce Schneier, David Banisar

     http://www.amazon.com/exec/obidos/ISBN=0471122971/electronicprivacA

While most books on privacy and security issues in cyberspace simply
give accounts of debates on the issues, The Electronic Privacy Papers
documents the war--practically salvo by salvo. Authors Schneier and
Banisar present the actual government and industry documents, which
cover both legal and technical matters. The information includes
research reports on the value of wiretaps, influential speeches and
articles, and actual legislation that has gone before Congress.

Many of the government documents, although legally available to the
public through the Freedom of Information Act, were improperly kept
secret until several lawsuits eventually forced their release. These
"hidden" papers exhibit the FBI's push for government access to all
electronic communications, report on how increased government access
could also increase the opportunities for computer crime, and record
the conflict between those who favor private encryption technology and
those who'd make illegal encryption systems that don't allow
government agencies access to decryption keys. Legislation and Supreme
Court decisions on these disputes are also presented. This book will
give you a clear understanding of both sides of the debate and will
provide insight into the strategies that both government and privacy
advocates use in an attempt to achieve their desired result.

================================

EPIC Publications:

"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, editors, (EPIC 2000).
Price: $20.

     http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

================================

"The Privacy Law Sourcebook: United States Law, International Law, and
Recent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.

     http://www.epic.org/pls/

The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom - Free Speech Perspectives on Internet Content
Controls," David Sobel, editor (EPIC 1999). Price: $20.

     http://www.epic.org/filters&freedom/

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.

================================

"Privacy and Human Rights 1999: An International Survey of Privacy
Laws and Developments," David Banisar, Simon Davies, editors, (EPIC
1999). Price: $15.

     http://www.epic.org/privacy&humanrights99/

An international survey of the privacy and data protection laws found
in 50 countries around the globe. This report outlines the
constitutional and legal conditions of privacy protection, and
summarizes important issues and events relating to privacy and
surveillance.

================================

Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore:

     http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

CPSR Meeting on Privacy & Security. August 15, 2000. Toronto
Cypherpunks/Webgrrls. Toronto, Canada. For more information:
http://toronto.cypherpunks.ca/

First International Hackers Forum. The Green Planet. August 18-20,
2000. Zaporozhye, Ukraine. For more information:
http://www.geocities.com/hack_forum

Surveillance Expo 2000. August 28-30, 2000. Arlington, VA. For more
information: http://www.surveillance-expo.com

Health Information Privacy: A Dialogue with the Stakeholders.
September 21, 2000. Westin Hotel. Ottawa, Canada. For more
information: http://www.rileyis.com/seminars

KnowRight 2000 - InfoEthics Europe. Austrian Computer Society and
UNESCO. September 26-29, 2000. Vienna, Austria.
For more information: http://www.ocg.at/KR-IE2000.html

One World, One Privacy: 22nd Annual International Conference on
Privacy and Personal Data Protection. September 28-30, 2000. Venice,
Italy. For more information: http://www.dataprotection.org/

Privacy: A Social Research Conference. New School University. October
5-7, 2000. New York, NY. For more information:
http://www.newschool.edu/centers/socres/privacy/

Privacy2000: Information and Security in the Digital Age. October 31 -
November 1, 2000. Columbus, Ohio. Adam's Mark Hotel. For more
information: http://www.privacy2000.org

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. A Web-based form is available for
subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
"unsubscribe".

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to focus
public attention on emerging privacy issues such as the Clipper Chip,
the Digital Telephony proposal, national ID cards, medical record
privacy, and the collection and sale of personal information. EPIC is
sponsored by the Fund for Constitutional Government, a non-profit
organization established in 1974 to protect civil liberties and
constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom
of Information Act litigation, and conducts policy research. For more
information, e-mail info@epic.org, http://www.epic.org or write EPIC,
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 1718 Connecticut Ave.,
NW, Suite 200, Washington, DC 20009.

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information". Please contact info@epic.org if you have
any other questions.

---------------------- END EPIC Alert 7.14 -----------------------