==============================================================
                          EPIC ALERT
==============================================================
Volume 7.19                                   October 31, 2000
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_7.19.html

=======================================================================
Table of Contents
=======================================================================

[1] Federal Filtering Mandate Moves Toward Enactment
[2] Opposition Grows to "Anti-Leak" Secrecy Legislation
[3] U.S. Copyright Office Announces Exceptions to DMCA
[4] International NGOs Oppose Draft Computer Crime Convention
[5] U.S. Implements Relaxed Encryption Export Controls
[6] IETF Issues New RFCs on Cookies
[7] EPIC Bookstore - Secrets and Lies
[8] Upcoming Conferences and Events

=======================================================================
[1] Federal Filtering Mandate Moves Toward Enactment
=======================================================================

Despite strong opposition from education, library and civil liberties organizations, Congress appears to be on the verge of adopting a mandatory requirement for schools and libraries to install Internet filtering software (see EPIC Alert 7.17). The filtering mandate was attached to the appropriations bill for the Departments of Labor, Health and Human Services, and Education by Sen. John McCain (R-AZ) and Rep. Ernest Istook (R-OK). Although the $350 billion spending bill is currently tied up in partisan wrangling, the White House and Republican leaders appear to have reached an agreement on the filtering provision.

The bill would require schools and libraries to use "technology protection measures" to block access to obscenity and child pornography on all computers, and to material "harmful to minors" on all computers used by minors. It would also require schools and libraries to hold public hearings on creating "Internet safety policies," a component of which would include the mandatory technological solution.

Congress is moving ahead with the filtering mandate despite growing evidence that filtering systems block access to valuable material that is not even arguably "pornographic." A joint report released last week by EPIC and Peacefire.org -- "Mandated Mediocrity: Blocking Software Gets a Failing Grade" -- illustrates the dangers of blocking software in public schools. The report documents how N2H2's popular software package "Bess" blocks access to a large number of educational and political webpages.

If, as now appears likely, the filtering mandate is enacted into law, the issue is likely to reach the courts, where prior legislation on Internet content regulation, such as the Communications Decency Act and Child Online Protection Act, has been ruled unconstitutional. EPIC participated in the challenges to those earlier measures and will likely join other organizations in challenging mandatory filtering requirements.

In a related development, three U.S.-based websites today re-posted a program that reveals a list of Web sites blocked by the Cyber Patrol filtering software package. The site operators had been coerced into removing the program because of Cyber Patrol's claim that doing so would violate its copyright. But a First Circuit Court of Appeals review of a lower court decision last month confirmed the operators' belief that they are not bound by the earlier ruling.

In a further vindication of the operators' position, final copyright law regulations issued last week by the Library of Congress recognize the important free speech rights at stake, and exempt from the new digital copyright law any "reverse engineering" of, or unauthorized access to, filtering software in order to expose lists of blocked sites (see item 3, below).

Additional information on the Cyber Patrol case is available at:

     http://www.epic.org/free_speech/censorware/cyberpatrol/

The EPIC/Peacefire report "Mandated Mediocrity: Blocking Software Gets a Failing Grade" is available at:

     http://www.epic.org/censorware/mandated_mediocrity.html

=======================================================================
[2] Opposition Grows to "Anti-Leak" Secrecy Legislation
=======================================================================

President Clinton is being urged to veto legislation that would greatly increase the secrecy of government information and possibly authorize intrusive investigations. The provision, which Congress passed on a voice vote, is being compared to Britain's infamous "Official Secrets Act."

The legislation, which was enacted without public hearings as part of the Intelligence Authorization Act (H.R. 4392), criminalizes the disclosure by government officials of a broad array of classified or "classifiable" information. "Classifiable" information is any unclassified information which a government official later determines should have been classified but was not. Although the law only applies to disclosures by government employees, investigators could subpoena journalists' notebooks, computer disks, phone records, and other private information in order to pursue government leakers.

The "anti-leak" legislation was requested by the Central Intelligence Agency, which claims its operations have been compromised by newspaper articles based on leaks of classified information.
Although Justice Department officials assert that the provision was narrowly drafted and merely fills gaps in existing disclosure laws, many journalists and free speech advocates oppose the bill. Representing the two ends of the political spectrum, Reps. Bob Barr (R-GA) (a former CIA attorney) and John Conyers (D-MI) have both voiced opposition to the bill. Barr lambasted the bill in the House, stating, "This legislation contains a provision that will create -- make no mistake about it, with not one day of hearings, without one moment of public debate, without one witness -- an official secrets act."

Current law makes it a crime to disclose classified information if the disclosure aids a foreign government, exposes covert intelligence agents or relates to national defense. The breadth of the new legislation is subject to dispute, with critics saying it would cover virtually all classified information, and the Justice Department claiming that it includes only disclosures of information that would harm national security. The legislation's critics believe that this ambiguity would have a chilling effect on public debate.

Although White House officials had initially signed off on the legislation, opinion within the Administration is reportedly changing in response to the strong opposition to the bill. The president has until Nov. 4 to act on the measure. Opponents of the secrecy provision are also seeking the passage of new legislation to delay the effective date of the criminal liability provision of the secrecy bill until 2002.

Additional details, including contact information for key members of Congress, are available at the website of the Government Accountability Project:

     http://www.whistleblower.org/www/specialaction.htm

=======================================================================
[3] U.S. Copyright Office Announces Exceptions to DMCA
=======================================================================

On October 27, the U.S.
Copyright Office issued its final rule implementing the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA). The statutory provisions prohibit the circumvention of technical measures that prevent the unauthorized copying, transmission or access of copyrighted works, subject to this rulemaking of the Copyright Office.

The final rule establishes two exceptions to the anti-circumvention provisions. The first exception will allow users of Internet content filtering programs to view lists of websites blocked by such software. The Copyright Office recognized a First Amendment interest in access to this information and stated the need for circumvention in this instance "since persons who wish to criticize and comment on them cannot ascertain which sites are contained in the lists unless they circumvent." This exception to the DMCA rule will likely impact the ongoing public debate about filters. In March, two programmers who revealed the list of thousands of websites blocked by the Internet filtering program Cyber Patrol faced charges of copyright violation (see EPIC Alert 7.05).

The second exception is for software programs that malfunction or are damaged and fail to permit lawful use. The exceptions went into effect on October 28 and will be re-evaluated in 2003.

The American Library Association (ALA), in conjunction with the American Association of Law Libraries, the Medical Library Association and the Special Libraries Association, has argued for broader exceptions. The library groups, as well as educational associations and technical experts, believe that restrictive anti-circumvention provisions could restrict public access to copyrighted works, especially if digital publishers move towards a pay-per-use model. In a public statement, the ALA stated that "users of digital information will have fewer rights and opportunities than users of print information."

In 1998, EPIC Executive Director Marc Rotenberg testified in opposition to the DMCA, stating that the bill would diminish online privacy and warning that "the anti-circumvention language in section 1201 is extraordinarily broad and will have all sorts of unintended consequences." EPIC said that the "crime of circumvention should be specifically linked to the actual infringing act and not simply the use of a particular technique that may or may not be harmful." EPIC also recommended the development of techniques to protect copyrighted works that did not track the activities of Internet users. Some of these concerns were addressed in the final version of the DMCA but others were not.

American Library Association (ALA) Office for Information Technology Policy's Anti-Circumvention Page:

     http://www.ala.org/oitp/copyr/anticir.html

U.S. Copyright Office, Rulemaking on Exemptions from Prohibition on Circumvention:

     http://www.loc.gov/copyright/1201/anticirc.html

EPIC Testimony before the House Committee on International Relations on Copyright and Privacy:

     http://www.epic.org/privacy/copyright/epic-wipo-testimony-698.html

=======================================================================
[4] International NGOs Oppose Draft Computer Crime Convention
=======================================================================

On October 18, members of the Global Internet Liberty Campaign (GILC), an international coalition of civil liberties and human rights groups, voiced their opposition to the Council of Europe's Convention on Cyber-Crime. The Cyber-Crime Convention first appeared in April and was recently discussed at an October 24 meeting of the Group of Eight (G-8) in Berlin.

In a letter addressed to the Council of Europe (COE) Secretary General and Committee of Cyber-Crime experts, the groups stated that the draft treaty runs "contrary to well established norms for the protection of the individual, that it improperly extends the police authority of national governments, that it will undermine the development of network security techniques, and that it will reduce government accountability in future law enforcement conduct."

The organizations went on to say that the Convention would require Internet companies to retain records of customer activity and monitor personal communications. The draft Convention would also criminalize copyright violations and discourage the development of network security tools. Other sections of the international agreement would encourage law enforcement access to stored records and encryption keys without sufficient legal safeguards and expand surveillance powers.

The Council of Europe plans to finalize its Convention on Cyber-Crime in December. The GILC member letter is still open for signatures from Internet users' organizations. If you are a member of an organization that opposes the Cyber-Crime treaty and seeks to protect the rights of all Internet users, send an email to gilc@gilc.org.

Global Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime:

     http://www.gilc.org/privacy/coe-letter-1000.html

=======================================================================
[5] U.S. Implements Relaxed Encryption Export Controls
=======================================================================

On October 19, the U.S. Department of Commerce's Bureau of Export Administration (BXA) published an amendment to its export regulations on encryption products.
The new rule amends the Export Administration Requirements (EAR) and liberalizes exports and re-exports of encryption products to the fifteen European Union member states plus Australia, the Czech Republic, Hungary, Japan, New Zealand, Norway, Poland and Switzerland.

Encryption products may now be exported to these countries and to the offices of firms, organizations and governments headquartered there, under license exemption. Exporters may ship these products immediately upon filing a commodity classification with the Bureau of Export Administration without waiting for a full review and classification. Technical reviews and post-reporting requirements are removed for consumer products preloaded with encryption software and short range wireless technologies. Reporting requirements are also reduced for foreign-based U.S. distributors including subsidiaries of U.S. companies. Finally, encryption source code may now be exported to non-government end users once a classification request is filed.

The Administration announced its intention to update its encryption policy on July 17 in response to the European Union's decision earlier that month to revise its restrictions on certain "dual use" technologies. Under the European Union's previous export regime, encryption products could only be exported to countries outside the EU upon the issuance of a special license from national authorities. The new regulations allow member states to obtain a single license for the export of most dual use goods to other member states and ten non-EU countries including the U.S., Canada and Japan. The U.S. Administration had promised, since January 2000, that it would match any relaxation on the export of encryption products introduced by the European Union in order to assure the competitiveness of U.S. companies internationally.

The text of the revised rules is available at:

     http://www.bxa.doc.gov/Encryption/pdfs/EncryptionRuleOct2K.pdf

For more information about the availability of cryptography worldwide, see "Cryptography & Liberty 2000: An International Survey of Encryption Policy":

     http://www.epic.org/bookstore/crypto&/

=======================================================================
[6] IETF Issues New RFCs on Cookies
=======================================================================

The Internet Engineering Task Force (IETF) has posted two new Requests For Comments (RFCs) that address privacy issues surrounding the use of cookies.

RFC 2965 ("HTTP State Management Mechanism") is a proposed standard replacing RFC 2109, one of the first documents on cookies. The updated RFC pays particular attention to the privacy standards for cookie use. The document states that "Informed consent should guide the design of systems that use cookies." In the protocol, both the server setting the cookie and the web browser should incorporate an informed consent standard.

RFC 2964 ("Use of HTTP State Management") discusses Best Current Practices for the use of cookies. While pointing out the positive purposes for cookies, the document also recommends that cookies should be used only with the user's awareness, the user's ability to delete cookies, and assurances that information collected through tracking is not passed on to third parties without explicit consent.

EPIC's view is that these proposals are a step in the right direction and could help limit several of the current problems with cookie misuse. At the same time, the RFCs place too much emphasis on "informed consent" and not enough on the ongoing obligations of organizations that collect personal information that are typically found in privacy standards based on "Fair Information Practices." EPIC recommends that the RFCs be further revised to comply with the OECD Privacy Guidelines.

The IETF Request For Comments (RFCs) can be found at:

     http://www.ietf.org/rfc.html

Also check out the EPIC Cookies page:

     http://www.epic.org/privacy/internet/cookies/

=======================================================================
[7] EPIC Bookstore - Secrets and Lies
=======================================================================

Secrets and Lies: Digital Security in a Networked World, by Bruce Schneier

     http://www.powells.com/cgi-bin/partner?partner_id=24075&cgi=search/search&searchtype=isbn&searchfor=0471253111

Internationally recognized information security expert Bruce Schneier provides a practical, straightforward guide to understanding and achieving security throughout computer networks. Schneier uses his extensive field experience with his own clients to dispel the myths that can mislead you while trying to build secure systems. He also clearly covers everything you'll need to know to protect your company's digital information. And he shows you how to assess your business and corporate security needs so that you can choose the right products and implement the right processes.

================================

EPIC Publications:

"Privacy & Human Rights 2000: An International Survey of Privacy Laws and Developments," David Banisar, author (EPIC 2000). Price: $20. http://www.epic.org/phr/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

================================

"The Privacy Law Sourcebook 2000: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000). Price: $40. http://www.epic.org/pls/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S.
and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, editors (EPIC 2000). Price: $20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

"Filters and Freedom - Free Speech Perspectives on Internet Content Controls," David Sobel, editor (EPIC 1999). Price: $20. http://www.epic.org/filters&freedom/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore: http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Privacy2000: Information and Security in the Digital Age. October 31-November 1, 2000. Columbus, Ohio. For more information: http://www.privacy2000.org

Mealey's Internet Law 101 Conference. November 1-2, 2000. Tysons Corner, VA. For more information: seminars@mealeys.com

Call for Papers. First International Conference on Human Aspects of the Information Society. Information Management Research Institute, University of Northumbria at Newcastle. November 10, 2000. Newcastle upon Tyne, England. For more information: http://is.northumbria.ac.uk/imri

Data Protection and System Design Workshop.
Innovation Through Electronic Commerce: 3rd International Conference. November 14, 2000. Manchester, England. For more information: http://www.iec2000.org.uk/

2000 BNA Public Policy Forum: e-commerce and internet regulation. November 15-16, 2000. Tysons Corner, VA. For more information: http://internetconference.pf.com

Privacy by Design: The Future of Privacy Compliance and Business. Zero-Knowledge Systems. November 19-21, 2000. Le Château Montebello, Quebec. For more information: http://www.zeroknowledge.com/conference/privacybydesign/

Managing the Privacy Revolution. Privacy and American Business's Seventh Annual Conference. November 28-30, 2000. Washington, DC. For more information: http://www.pandab.org

16th Annual Computer Security Applications Conference (ACSAC). December 11-15, 2000. New Orleans, Louisiana. For more information: http://www.acsac.org

Network and Distributed System Security Symposium (NDSS '01). Internet Society. February 7-9, 2001. San Diego, CA. For more information: http://www.isoc.org/ndss01/

Online, Offshore and Cross-Border: Regulating Global E-Commerce. Washington College of Law, American University. March 30, 2001. Washington, DC. For more information: http://www.wcl.american.edu

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you have any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 7.19 -----------------------