==============================================================
                          EPIC Alert
==============================================================
Volume 7.20                                    November 14, 2000
--------------------------------------------------------------
                        Published by the
           Electronic Privacy Information Center (EPIC)
                        Washington, D.C.
          http://www.epic.org/alert/EPIC_Alert_7.20.html

=======================================================================
Table of Contents
=======================================================================

[1] President Vetoes "Official Secrets Act" Legislation
[2] California Enacts New Privacy Laws
[3] IRS Gains Access to Overseas Credit Card Accounts
[4] Information Brokers Challenge Financial Privacy Rules
[5] Poll Finds Strong Majority Concerned About Online Privacy
[6] "Safe Harbor" Arrangement Begins
[7] EPIC Bookstore - Rethinking PKI and Digital Certificates
[8] Upcoming Conferences and Events

=======================================================================
[1] President Vetoes "Official Secrets Act" Legislation
=======================================================================

President Clinton on November 4 vetoed legislation that would have made
leaking of government secrets a criminal act (see EPIC Alert 7.19). The
president, in his veto message, said he agreed that some leaks "can be
extraordinarily harmful" to national security. But he agreed with
critics of the provision who argued that the new penalties could
silence whistle-blowers: "We must never forget that the free flow of
information is essential to a democratic society."

The provision, which was contained in an intelligence spending bill (H.R.
5630), would have extended penalties that now exist for leaking
classified national defense information to the leaking of other
classified but nondefense data that could harm the United States if
made public or given to foreign governments.

A broad coalition of public interest groups -- including EPIC -- said
that the legislation was likely to stifle public debate on important
policy matters. Several of the nation's largest news organizations --
including CNN, The Washington Post, The New York Times and the
Newspaper Association of America -- also appealed to Clinton to veto
the bill. The legislation's opponents said it amounted to the nation's
first "Official Secrets Act," and noted that even members of Congress
would be subject to criminal charges for leaking classified
information.

In his veto statement, Clinton said, "As president ... it is my
responsibility to protect not only our government's vital information
from improper disclosure but also to protect the rights of citizens to
receive the information necessary for democracy to work." He added
that it requires a careful balance to reconcile the goals of
protecting national security and the public's right to know. "This
legislation does not achieve the proper balance."

On November 13, the House voted to again pass the intelligence
authorization bill, without the controversial secrecy provision.

President Clinton's veto statement is available at:

     http://www.epic.org/open_gov/WH_pr_110400.html

=======================================================================
[2] California Enacts New Privacy Laws
=======================================================================

In October, California Governor Gray Davis signed into law six new
privacy measures aimed at protecting consumers' privacy and protecting
against identity theft. One of the new laws establishes the first
dedicated U.S. privacy protection agency within the Department of
Consumer Affairs.
The new Office of Privacy Protection will operate as a central
clearinghouse for privacy complaints and will provide information,
advice and referrals to consumers to help resolve privacy disputes and
concerns.

Another law requires businesses to destroy customer records containing
personal information by shredding them, erasing them or otherwise
making them unreadable.

Two of the laws specifically address the growing problem of identity
theft. The first allows victims of identity theft to seek the
assistance of the courts in clearing their names and restoring their
identities. The second allows those victims to join law enforcement in
accessing a statewide database documenting identity theft crimes.

Under the fifth law, credit card companies will have to give consumers
an opportunity to "opt-out" annually of having their personal
information shared. The final law prohibits consumer credit reporting
agencies from including medical information, provided for insurance
purposes, in consumer credit reports.

This new package of laws, coupled with the state's strong
constitutional right to privacy, clearly establishes California as the
leading U.S. state in the protection of individual privacy.

Press release from the California Department of Consumer Affairs
discussing the new legislation:

     http://www.dca.ca.gov/press_releases/20001030.htm

=======================================================================
[3] IRS Gains Access to Overseas Credit Card Accounts
=======================================================================

A federal judge on October 30 granted the Internal Revenue Service
(IRS) access to thousands of MasterCard and American Express credit
card accounts held by U.S. taxpayers in several offshore banking
havens. U.S. District Judge Adalberto Jordan's order allows the IRS to
issue summonses for information concerning charge, debit and credit
cards issued by banks in the Cayman Islands, Bahamas and Antigua and
Barbuda in 1998 and 1999.
Banks in the targeted jurisdictions require customers to open bank
accounts before obtaining credit cards, so obtaining the names of
cardholders produces the names of bank account holders as well. IRS
investigators are reportedly interested in reviewing things like car,
boat and airline ticket purchases and hotel and car rentals to
determine whether credit card account holders are living beyond their
reported means.

Offshore credit accounts are legal for U.S. taxpayers, but they are
required to file forms with the IRS disclosing them. The three nations
targeted by the IRS have long been identified by U.S. authorities as
offshore tax havens and centers of money laundering. An affidavit
filed by the IRS with the summons request claimed the U.S. Treasury
loses an estimated $70 billion yearly from individual taxpayers who
use offshore accounts to evade taxes.

Promoters of offshore accounts often claim that they can be used to
shelter income because the U.S. government cannot penetrate some
foreign banking secrecy laws. But the IRS believed it could avoid
those laws by getting records through the Miami headquarters of the
companies' Caribbean operations, an approach that Judge Jordan
accepted.

MasterCard International issued a brief statement saying it has
"always cooperated with, and will continue to cooperate with,
investigations by governmental agencies." The company added that it is
"mindful of customers' privacy concerns."

=======================================================================
[4] Information Brokers Challenge Financial Privacy Rules
=======================================================================

An industry association representing information brokers -- the
Individual Reference Services Group (IRSG) -- has challenged the
Federal Trade Commission's (FTC) newly-enacted financial privacy
rules.
As one of the federal agencies promulgating privacy rules under the
Financial Services Modernization Act (Gramm-Leach-Bliley), the FTC
designated credit headers as a type of personal financial information
subject to opt-out privacy protections (see EPIC Alert 7.10). Credit
headers, so-called because they are at the top of credit reports,
contain information such as names, addresses, phone numbers, and
Social Security numbers. IRSG companies sell credit header information
to direct marketers, private investigators, and other information
brokers.

The IRSG complaint, filed in the U.S. District Court for the District
of Columbia, alleges that the FTC credit header rule unlawfully
expands the definition of non-public personal information contained in
the legislation, and that it improperly supersedes the Fair Credit
Reporting Act, which has not traditionally protected credit header
information. The FTC contends that its rulemaking follows the law's
legislative intent.

In related privacy news, the Social Security number provisions
contained in the Commerce-Justice-State appropriations bill were
singled out in a veto threat letter sent by President Clinton to
Congress before the election recess. The Social Security number
provisions are opposed by consumer and privacy groups (see EPIC Alert
7.18). The provisions are still included in the appropriations bill,
which has yet to pass and is pending before the current lame duck
Congress.
The FTC's final financial privacy rules (PDF) are available at:

     http://www.ftc.gov/os/2000/05/glb000512.pdf

See President Clinton's letter threatening to veto the
Commerce-Justice-State Appropriations bill:

     http://www.epic.org/privacy/ssn/WH_pr_102600.html

=======================================================================
[5] Poll Finds Strong Majority Concerned About Online Privacy
=======================================================================

A newly released Gallup poll finds that a majority of Americans are
concerned about their privacy on the Internet. The Gallup survey,
which was commissioned by the MedicAlert Foundation, an emergency
medical information service, questioned individuals' willingness to
transmit personal health information over the Internet.

As a result of privacy concerns, only seven percent of all respondents
said that they would be willing to store or transmit personal health
information on the Internet. Seventy-seven percent of respondents
considered the privacy of their health and medical information to be
very important, and 84 percent said that they would be concerned if
that information was made available to others without their consent.

Whereas 90 percent of respondents said that they trust their own
doctor to keep their personal health information private and secure,
only eight percent would trust an Internet website to do the same.
Thirty percent said that they would be more willing to disclose this
information on the Internet if they could be assured of its privacy
and security.

A summary of the results of the Gallup survey is available at:

     http://www.medicalert.org/Releaselatest.html

=======================================================================
[6] "Safe Harbor" Arrangement Begins
=======================================================================

On November 1, the long-negotiated Safe Harbor agreement formally went
into effect. Safe Harbor allows U.S.
companies to voluntarily subscribe to a set of principles and
procedures for the handling of data originating in the European
Union. The EU Data Protection Directive requires that an adequate
level of privacy protection exist before any personal information can
be transferred to a third country. The European Commission has agreed
that any U.S. company that subscribes to Safe Harbor should be deemed
to be providing an adequate level of privacy protection for such data.

The U.S. Department of Commerce maintains the official list of U.S.
companies that join the arrangement. Both the European Commission and
U.S. government officials are expected to monitor the number of
companies that join over the next few months. Due to earlier
opposition from the European Parliament to the agreement, the European
Commission is expected to review the arrangement by the middle of next
year. Since the beginning of the month, only one U.S. entity -- TRUSTe
-- has joined the system.

To see the Safe Harbor list, as well as related materials:

     http://www.export.gov/safeharbor/

Past comments on Safe Harbor are available from the TransAtlantic
Consumer Dialogue:

     http://www.tacd.org/meeting2/electronic.html

=======================================================================
[7] EPIC Bookstore - Rethinking PKI and Digital Certificates
=======================================================================

Rethinking Public Key Infrastructures and Digital Certificates:
Building in Privacy
by Stefan A. Brands

     http://www.powells.com/cgi-bin/partner?partner_id=24075&cgi=search/
     search&searchtype=isbn&searchfor=0262024918

As paper-based communication and transaction mechanisms are replaced
by automated ones, traditional forms of security such as photographs
and handwritten signatures are becoming outdated. Most security
experts believe that digital certificates offer the best technology
for safeguarding electronic communications.
They are already widely used for authenticating and encrypting email
and software, and eventually will be built into any device or piece of
software that must be able to communicate securely. There is a serious
problem, however, with this unavoidable trend: unless drastic measures
are taken, everyone will be forced to communicate via what will be the
most pervasive electronic surveillance tool ever built. There will
also be abundant opportunity for misuse of digital certificates by
hackers, unscrupulous employees, government agencies, financial
institutions, insurance companies, and so on.

In this book Stefan Brands proposes cryptographic building blocks for
the design of digital certificates that preserve privacy without
sacrificing security. Such certificates function in much the same way
as cinema tickets or subway tokens: anyone can establish their
validity and the data they specify, but no more than that.
Furthermore, different actions by the same person cannot be linked.
Certificate holders have control over what information is disclosed,
and to whom. Subsets of the proposed cryptographic building blocks can
be used in combination, allowing a cookbook approach to the design of
public key infrastructures. Potential applications include electronic
cash, electronic postage, digital rights management, pseudonyms for
online chat rooms, health care information storage, electronic voting,
and even electronic gambling.

================================

EPIC Publications:

"Privacy & Human Rights 2000: An International Survey of Privacy Laws
and Developments," David Banisar, author (EPIC 2000). Price: $20.

     http://www.epic.org/phr/

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world. The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, ID systems and freedom of information
laws.
================================

"The Privacy Law Sourcebook 2000: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000).
Price: $40.

     http://www.epic.org/pls/

The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, editors (EPIC 2000). Price:
$20.

     http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

================================

"Filters and Freedom - Free Speech Perspectives on Internet Content
Controls," David Sobel, editor (EPIC 1999). Price: $20.

     http://www.epic.org/filters&freedom/

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.

================================

Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore:

     http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Election 2000: Implications for Science & Technology. Washington
Science Policy Alliance. November 15, 2000. Washington, DC. For more
information: http://www.aaas.org/spp/dspp/rd/gwu.htm

2000 BNA Public Policy Forum: e-commerce and internet regulation.
November 15-16, 2000. Tysons Corner, VA. For more information:
http://internetconference.pf.com

Privacy by Design: The Future of Privacy Compliance and Business.
Zero-Knowledge Systems. November 19-21, 2000. Le Château Montebello,
Quebec. For more information:
http://www.zeroknowledge.com/conference/privacybydesign/

Managing the Privacy Revolution. Privacy and American Business's
Seventh Annual Conference. November 28-30, 2000. Washington, DC. For
more information: http://www.pandab.org

Government Secrecy in a New Administration and a New Century.
Information Security Oversight Office and the James Madison Project.
December 5, 2000. Washington, DC. For more information:
http://www.fas.org/sgp/news/2000/11/symposium.pdf

16th Annual Computer Security Applications Conference (ACSAC).
December 11-15, 2000. New Orleans, Louisiana. For more information:
http://www.acsac.org

Network and Distributed System Security Symposium (NDSS '01). Internet
Society. February 7-9, 2001. San Diego, CA. For more information:
http://www.isoc.org/ndss01/

EUROSEC 2001: Forum sur la Sécurité des Systèmes d'Information. XP
Conseil. March 13-15, 2001. Paris, France. For more information:
http://www.xpconseil.com/eurosec2001/

Online, Offshore and Cross-Border: Regulating Global E-Commerce.
Washington College of Law, American University. March 30, 2001.
Washington, DC. For more information: http://www.wcl.american.edu

First International Conference on Human Aspects of the Information
Society. Information Management Research Institute, University of
Northumbria at Newcastle. April 9-11, 2001. Newcastle upon Tyne,
England. For more information: http://is.northumbria.ac.uk/imri

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center.
A Web-based form is available for subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
"unsubscribe".

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information". Please contact info@epic.org if you have
any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research. For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140
(tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.
Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave.,
NW, Suite 200, Washington, DC 20009.

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 7.20 -----------------------