==============================================================
                          EPIC Alert
==============================================================
Volume 9.15                                     August 9, 2002
--------------------------------------------------------------
                        Published by the
           Electronic Privacy Information Center (EPIC)
                        Washington, D.C.
         http://www.epic.org/alert/EPIC_Alert_9.15.html

=======================================================================
Table of Contents
=======================================================================

[1] FTC Announces Action Against Microsoft Passport
[2] Court Orders DOJ to Disclose Names of 9/11 Detainees
[3] OECD Announces Computer Security Guidelines
[4] EPIC Files Brief in Online Offender Registry Case
[5] EPIC Argues Police Must Be Present for Online Search
[6] Eli Lilly Settles With States; NTIA to Hold ENUM Forum
[7] EPIC Bookstore - Trust Us, We're Experts
[8] Upcoming Conferences and Events

=======================================================================
[1] FTC Announces Action Against Microsoft Passport
=======================================================================

The Federal Trade Commission (FTC) yesterday announced a consent order with Microsoft regarding the Passport identification and authentication system. Prompted by a complaint submitted by EPIC and fourteen leading consumer groups, the FTC's investigation found that Microsoft had violated federal consumer protection law prohibiting unfair and deceptive trade practices.

In July and August 2001, EPIC -- joined by groups including Junkbusters, Consumers Union, US PIRG and the Consumer Federation of America -- submitted detailed complaints to the Commission.
The complaints described the serious privacy implications of Microsoft Windows XP and Microsoft Passport, and alleged that the collection and use of personal information by the company would violate Section 5 of the Federal Trade Commission Act. After the complaints were filed, the company experienced a series of serious security breaches, including a vulnerability that would have allowed a person to steal information within the Microsoft Wallet service.

The FTC yesterday found that Microsoft made a series of false representations about Passport. First, the company, despite guarantees to the contrary, did not employ reasonable methods to protect the privacy of personal information collected by Passport. Second, the company falsely represented that the Passport Wallet service provided extra security over standard e-commerce transactions. Third, the company did not disclose that Passport tracked users' visits to web sites, when in fact a log of user activity was maintained by the company for months. Fourth, Kids' Passport failed to provide parental control over collection of information online.

The order requires Microsoft to implement a new information security program. A third-party auditor will check compliance with this program within one year, and Microsoft must reassess its information security practices every two years. Further, Microsoft is prohibited from making future false representations about the Passport service. Microsoft is bound by the order for 20 years, and fines can be levied for non-compliance. The FTC will accept public comment on the order until September 9, 2002.

FTC Consent Order:
http://www.ftc.gov/os/2002/08/microsoftagree.pdf

FTC Complaint:
http://www.ftc.gov/os/2002/08/microsoftcmp.pdf

EPIC's Sign Out of Passport Page:
http://www.epic.org/privacy/consumer/microsoft/

EPIC's Passport Investigation Docket Page:
http://www.epic.org/privacy/consumer/microsoft/passport.html

=======================================================================
[2] Court Orders DOJ to Disclose Names of 9/11 Detainees
=======================================================================

In a decision issued on August 2, U.S. District Judge Gladys Kessler directed the Justice Department to disclose, no later than August 19, the identities of more than 1,000 individuals detained in connection with the government's September 11 terrorist investigation. Under the order, detainees desiring confidentiality of their identities can file statements requesting non-disclosure. The judicial decision marks a significant defeat for government secrecy in the wake of the terrorist attacks. EPIC joined with a coalition of other groups in seeking the disclosure of the information under the Freedom of Information Act (FOIA) and serves as co-counsel in the case.

The Justice Department had argued that releasing the detainees' names and other information could undermine the September 11 investigation and harm national security. Disclosure would subject the detainees to possible intimidation or coercion, the government argued, and provide terrorists with a potential "road map" of the investigation. Judge Kessler found the government's argument "unpersuasive" and concluded that "the public's interest in learning the identities of those arrested and detained is essential to verifying whether the government is operating within the bounds of the law."

The FOIA lawsuit was filed by the Center for National Security Studies, EPIC, and 21 other organizations, including the American Civil Liberties Union, Human Rights Watch and Amnesty International USA.
The plaintiffs argued that the detentions constituted secret arrests that violated longstanding legal requirements compelling the government to account for the individuals it incarcerates.

"The Court fully understands and appreciates that the first priority of the executive branch in a time of crisis is to ensure the physical security of its citizens," Judge Kessler wrote. "By the same token, the first priority of the judicial branch must be to ensure that our government always operates within the statutory and constitutional constraints which distinguish a democracy from a dictatorship."

The Justice Department has appealed the ruling and asked Judge Kessler to delay enforcement of her order pending resolution of the appeal.

The court's decision is available at:
http://www.epic.org/open_gov/foia/cnssdecision.pdf

EPIC has produced a resource page with background on the litigation:
http://www.epic.org/open_gov/foia/cnss_v_doj.html

=======================================================================
[3] OECD Announces Computer Security Guidelines
=======================================================================

The Organization for Economic Cooperation and Development (OECD) has released principles for computer security that emphasize democracy, transparency, privacy, and education. The OECD principles are intended to protect important civil society values as countries and private sector organizations go forward with computer security plans. EPIC Research Director Sarah Andrews served on the OECD expert panel as the civil society representative, and consulted with computer security experts, public policy experts, and NGO participants in the Public Voice project during the year-long development of the guidelines.

The OECD, based in Paris, is a thirty-member organization of leading industrial nations in North America, Europe and East Asia.
Over the years, the OECD has produced several important policy frameworks for information technology in such areas as privacy, cryptography, and electronic commerce. The original OECD Security Guidelines were promulgated in 1992. The new Guidelines seek to take account of the development of network computing and the growth of commercial services, as well as the response of governments to the events of September 11.

The OECD Security Guidelines set out nine principles: Awareness, Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design and Implementation, Security Management, and Reassessment. Each principle is followed by a definition and then a one-paragraph description. Taken as a whole, the principles emphasize the joint responsibility of all participants to promote network security.

The Guidelines also draw attention to important democratic goals in the design of security policy, and specifically state that:

    Security should be implemented in a manner consistent with the values recognised by democratic societies including the freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication, the appropriate protection of personal information, openness and transparency.

The OECD also adopted a principle on Risk Assessment that states:

    Risk assessment identifies threats and vulnerabilities and should be sufficiently broad-based to encompass key internal and external factors, such as technology, physical and human factors, policies and third-party services with security implications. Risk assessment will allow determination of the acceptable level of risk and assist the selection of appropriate controls to manage the risk of potential harm to information systems and networks in light of the nature and importance of the information to be protected.
    Because of the growing interconnectivity of information systems, risk assessment should include consideration of the potential harm that may originate from others or be caused to others.

A similar proposal was under consideration by the OECD in 1992 but was not adopted at that time.

Regrettably, the OECD adopted the authoritarian "culture of security" as the tagline for its most recent effort. But overall the Guidelines are a welcome contribution to the computer security field, and should promote policies that are more responsive to civil society interests than some of the recent proposals of national governments.

OECD Guidelines for the Security of Information Systems and Networks:
http://www.oecd.org/pdf/M00033000/M00033183.pdf

OECD Governments Launch Drive to Improve Security of Online Networks:
http://www.epic.org/redirect/oecd_redirect.html

The Public Voice:
http://www.thepublicvoice.org/

=======================================================================
[4] EPIC Files Brief in Online Offender Registry Case
=======================================================================

EPIC filed an amicus brief with the Supreme Court on August 5, urging the Court to uphold a circuit court ruling that the Alaska "Megan's Law" statute violates the Constitution. EPIC argues that the mandatory online dissemination of a sex offender registry is excessive when weighed against the statutory purpose of protecting people in the geographic vicinity of released offenders.

The Alaska law is the state's adaptation of federal legislation requiring public notification of the locations of convicted sex offenders upon their release. Commonly called "Megan's Law," the federal law directing such notification was enacted in 1996 after the slaying of Megan Kanka, a seven-year-old New Jersey girl, by a neighbor who had been released after serving time for sex offenses.

The federal appellate court determined that the Alaska law, permitting inclusion of names, addresses, descriptions, and other private information in a sex offender registry to be posted on the Internet, violated the ex post facto clause of the Constitution because the information included in the registry was too broad and the methods of gathering that information were extremely burdensome. Most importantly, the appeals court found that the intent of protecting those in the geographical area from individuals required to register was not furthered by allowing people all over the world to access the personal data included in the registry.

EPIC's amicus brief focuses on the effect of Internet dissemination of stigmatizing information collected by the government. EPIC argues that the government has a duty to impose safeguards and limitations upon its dissemination of private, stigmatizing information that it collects, especially when such information would otherwise be effectively unavailable but is made readily accessible worldwide through government action.

EPIC's resource page with background information on the case:
http://www.epic.org/privacy/godfrey/

EPIC's amicus brief is available at:
http://www.epic.org/privacy/otte_v_doe/godfrey_amicus.pdf

=======================================================================
[5] EPIC Argues Police Must Be Present for Online Search
=======================================================================

On July 26, EPIC filed an amicus brief in the Eighth Circuit arguing that police officer presence is required during the service of a warrant on an ISP. EPIC argues that the service of a search warrant by fax machine doesn't adequately safeguard the Fourth Amendment guarantee of a "reasonable" search. EPIC's brief details the history of U.S. search and seizure law, which has mandated officer presence at the service of a warrant since the 1700s.

The case arose in October 2000, when police officers in Minnesota began investigating Dale Robert Bach for potential child pornography crimes. As part of the investigation, an officer obtained a search warrant to be served upon Yahoo, an Internet service provider in California. Minnesota requires that an officer be present at the service of a search warrant. However, rather than adhering to the requirements provided by Minnesota law, the officer investigating Bach served the search warrant on Yahoo by fax. Upon receiving the fax, Yahoo employees retrieved all data from Bach's account, including deleted email messages. Yahoo then mailed the disk to Minnesota, where the data became evidence in Bach's federal criminal trial.

At trial, Bach moved to have the evidence suppressed, citing violations of the Minnesota statute as well as a federal statute. The district court held that the evidence should be suppressed as the search was illegal under both federal and state laws. EPIC's brief urges the appellate court to uphold this ruling, because officer presence is a historical and crucial procedural safeguard guaranteeing Fourth Amendment protections. There are more than 140 million Internet users in the United States; thus, the court's resolution of this case could potentially affect the privacy interests of millions of citizens.

EPIC's Bach Page:
http://www.epic.org/privacy/bach/

EPIC's amicus brief is available at:
http://www.epic.org/privacy/bach/brief.pdf

=======================================================================
[6] Eli Lilly Settles With States; NTIA to Hold ENUM Forum
=======================================================================

New York and seven other states have settled an investigation of pharmaceutical company Eli Lilly, which accidentally disclosed over 600 personally-identifiable e-mail addresses of individuals who signed up for an online messaging service.
The messaging service sent subscribers a daily reminder to take Prozac, a prescription anti-depressant. In July 2001, the ACLU alerted federal authorities to the privacy violation.

Under the settlement agreement, the company agreed to improve internal information security standards. The company will issue information security reports, and undergo independent compliance reviews. The company also paid $160,000 to the eight states for attorney fees and investigative costs. In January 2002, Eli Lilly settled a federal investigation of the same matter, but was not required to pay monetary damages. Individuals who were harmed by the disclosure may still bring suit against the company.

===============

The Department of Commerce's National Telecommunications Information Agency (NTIA) will hold a roundtable on Electronic Numbering (ENUM) on August 14, 2002. ENUM is a technology that enables a user to store contact information that can be accessed by another person through the use of a single number. For instance, a person could store fax, voice, and voicemail numbers, as well as e-mail and home addresses, all in a single ENUM account. By using the ENUM associated with the account, another person could access all the personal contact information contained within that account.

ENUM may become a widely-used technology to facilitate convenient communications. However, its privacy implications have not been adequately addressed. The ENUM database would be public and searchable by anyone. It is likely that marketers, spammers, and malicious actors will mine the database for personal contact information. Since there are no statutory protections in place regulating the use of ENUM contact information, marketers and spammers may use the contact information for junk mail, unsolicited commercial e-mail, and other forms of commercial solicitations.

Lilly's Multi-State Settlement Agreement:
http://www.epic.org/privacy/medical/lillyagreement.pdf

The ACLU's Complaint:
http://www.aclu.org/news/2001/n070501b.html

EPIC's ENUM resource page:
http://www.epic.org/privacy/enum/

NTIA ENUM Public Meeting Notice:
http://www.epic.org/redirect/ntia_redirect.html

=======================================================================
[7] EPIC Bookstore - Trust Us, We're Experts
=======================================================================

Trust Us, We're Experts: How Industry Manipulates Science and Gambles With Your Future, by Sheldon Rampton and John Stauber (Putnam 2001).
http://www.epic.org/bookstore/powells/redirect/alert915.html

At a recent Federal Trade Commission (FTC) workshop on telemarketing, Jim Miller, former FTC Chairman and now Washington lobbyist, presented a study showing that predictive dialers, the systems that allow telemarketers to phone many persons at the same time, should not be eliminated because they lower costs for consumers. Miller's report, sponsored by the "Consumer Choice Coalition," glossed over objections to predictive dialers, which result in hang-up calls to phone subscribers. While calculating in detail the costs of new telemarketing regulations to industry, Miller did not attempt to account for the lost time and frustration caused by predictive dialers. A little digging shows that no consumers seem to be members of the Consumer Choice Coalition -- rather, it is a "cross-industry coalition of companies and associations."

In "Trust Us, We're Experts," Sheldon Rampton and John Stauber's second book on the public relations (PR) industry, the reader is warned about the role that Miller and other experts play in the public policy process. These experts, supported by massive funding from industry, formulate clever studies that ward off regulators and legislators. In some cases, these experts even endanger the public.

The authors illustrate a formula for industry advocacy.
First, experts are acquired to present the appearance of neutral, third-party support. Third-party advocacy is well-recognized as a force for creating credibility, and in fact, it is the first guideline in a developing field called "persuasive computing," which seeks to develop computer interfaces that alter individuals' behavior. Second, industry groups grow "astroturf" -- that is, fake grassroots support for their position. This usually takes the form of letters to newspapers and legislators from concerned citizens who are quietly remunerated for their support. Third, well-organized PR firms send out pre-written news stories that are republished by busy journalists, sometimes in full as original news.

PR techniques are also used to distract the public from public health hazards. A typical approach is to deny that the hazard exists at all. But when denial is no longer tenable, PR experts advise companies to blame the problem on other hazards, or on the victim himself. When blame can no longer be assigned, they claim that assigning responsibility to the company will result in lost jobs or bankruptcy.

While these approaches sound simple and predictable, they have been effective in duping the public repeatedly. The authors illustrate how they successfully delayed or stopped regulations to protect individuals from known toxins, including asbestos, tobacco, vinyl chloride, and conditions such as silicosis. They were even effective in stalling the removal of lead from gasoline, despite the fact that lead has been a known toxin for centuries.

The book is full of surprises, including a description of a software program called "Outrage" that helps companies manage potential PR problems. The software advises companies to "deflect, defer, dismiss, or defeat" negative attention, depending on the situation. Companies can even purchase "crisis management" consulting packages to ward off negative media attention.

The authors do present solutions to lessen the impact of industry experts on public policy. One important practice, which was recently adopted by the prestigious New England Journal of Medicine, is to refuse to publish any study where the sponsor has the right to pre-publication review and veto -- in essence, the ability to withhold unfavorable results from public view. The authors also suggest that research from other countries be relied upon to evaluate public policy. Researchers in other countries sometimes have exposed industrial hazards decades before American experts. But, most importantly, the authors urge us to question authority. Collectively, whether the issue is privacy, pesticides, or global warming, we need to pay more attention to the man behind the curtain.

- Chris Hoofnagle

================================

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Laws and Developments," (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/phr2001/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

================================

"The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001). Price: $40.
http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore/

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/features/epic/epic.html

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

IT and Law. University of Geneva, University of Bern, Swiss Association of IT and Law. September 9-10, 2002. Geneva, Switzerland.
For more information: http://www.informatiquejuridique.ch/

ILPF Conference 2002: Security v. Privacy. Internet Law & Policy Forum. September 17-19, 2002. Seattle, WA.
For more information: http://www.ilpf.org/conference2002/

Privacy2002: Information, Security & New Global Realities. Technology Policy Group. September 24-26, 2002. Cleveland, OH.
For more information: http://www.privacy2000.org/privacy2002/

Privacy in Ubicomp 2002: Workshop on Socially-informed Design of Privacy-enhancing Solutions in Ubiquitous Computing. Held as part of UBICOMP 2002. September 29, 2002. Goeteborg, Sweden.
For more information: http://guir.berkeley.edu/privacyworkshop2002/

Shrinking World, Expanding Net. Computer Professionals for Social Responsibility (CPSR). October 5, 2002. Cambridge, MA.
For more information: http://www.cpsr.org/conferences/annmtg02/

Bridging the Digital Divide: Challenge and Opportunities. 3rd World Summit on Internet and Multimedia. October 8-11, 2002. Montreux, Switzerland.
For more information: http://www.internetworldsummit.org/

2002 WSEAS International Conference on Information Security (ICIS '02). World Scientific and Engineering Academy and Society. October 14-17, 2002. Rio de Janeiro, Brazil.
For more information: http://www.wseas.org/conferences/2002/brazil/icis/

IAPO Privacy & Security Conference. International Association of Privacy Officers. October 16-18, 2002. Chicago, IL.
For more information: http://www.privacyassociation.org/html/conferences.html

Privacy Trends: Complying With New Demands. Riley Information Services Inc. and the Commonwealth Centre for Electronic Governance. October 22, 2002. Ottawa, Canada.
For more information: http://www.rileyis.com/seminars/

3rd Annual Privacy and Security Workshop: Privacy & Security: Totally Committed. Centre for Applied Cryptographic Research, University of Waterloo and the Information and Privacy Commissioner/Ontario. University of Toronto. November 7-8, 2002. Toronto, Canada.
For more information: http://www.epic.org/redirect/cacr.html

First Hawaii Biometrics Conference. Windward Community College, Pacific Center for Advanced Technology Training (PCATT).
November 10-13, 2002. Waikiki, HI.
For more information: http://biometrics.wcc.hawaii.edu/

Transformations in Politics, Culture and Society. Inter-Disciplinary.Net. December 6-8, 2002. Brussels, Belgium.
For more information: http://www.inter-disciplinary.net/tpcs1.htm

18th Annual Computer Security Applications Conference (ACSAC): Practical Solutions to Real Security Problems. Applied Computer Security Associates. December 9-13, 2002. Las Vegas, NV.
For more information: http://www.acsac.org/

Third Annual Privacy Summit. International Association of Privacy Officers. February 26-28, 2003. Washington, DC.
For more information: http://www.privacyassociation.org/html/conferences.html

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy. Association for Computing Machinery (ACM). April 1-4, 2003. New York, NY.
For more information: http://www.cfp.org/

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via Web interface:
http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via email:
To: epic_news-request@mailman.epic.org
Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:
To: epic_news-request@mailman.epic.org
Subject: "help" (no quotes)

Back issues are available at:
http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list.
We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription email address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
http://www.epic.org/donate/

=======================================================================

Drink coffee, support civil liberties, get a tax deduction, and learn Latin at the same time! Receive a free epic.org "sed quis custodiet ipsos custodes?" coffee mug with donation of $75 or more.

=======================================================================

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 9.15 -----------------------