==============================================================

                         EPIC ALERT

==============================================================
Volume 9.18                                    October 7, 2002
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_9.18.html

=======================================================================
Table of Contents
=======================================================================

[1] EPIC Testifies Before Congress on Anti-Privacy Bill
[2] European Conference Reaffirms Support for Data Directive
[3] Landmark Public Domain Case To Be Argued Before Supreme Court
[4] Student Profilers Settle Privacy Cases with FTC
[5] Intellectual Property, Digital Rights Management, Online Privacy
[6] First Monday 2002: Civil Liberties In A New America
[7] EPIC Bookstore - Books by Christine L. Borgman and Bruce Schneier
[8] Upcoming Conferences and Events

=======================================================================
[1] EPIC Testifies Before Congress on Anti-Privacy Bill
=======================================================================

On September 24, EPIC Executive Director Marc Rotenberg testified before the House Subcommittee on Commerce, Trade, and Consumer Protection on the Consumer Privacy Protection Act, H.R. 4678. The hearing was chaired by Rep. Cliff Stearns (R-FL), the original sponsor of the bill. In addition to Mr. Rotenberg, six industry representatives testified about the bill.

The EPIC testimony noted that the bill favors industry over the consumer and the invasion of privacy over the protection of privacy in almost every key provision.
It would require companies to adopt privacy policies; however, no restrictions are placed on what the policies can say, and the policies could be substantively changed at any time. The bill also allows sale of personal data to third parties as long as a benefit is offered to the customer, which could simply be the services originally sought. Furthermore, the Act provides no safeguards against disclosure of personally identifiable information to law enforcement agencies.

The bill would also preempt all state and local information privacy laws. Recent privacy victories such as an "opt-in" standard for financial information sharing in North Dakota and San Mateo County, California would thus be repealed. Local interest in privacy protection has sprung up across the country, but further efforts would be stymied by this bill. Mr. Rotenberg noted that even the White House panel charged with protecting the country from cyberterrorism had shown greater regard for privacy protection.

Meanwhile, the industry representatives praised the bill. When asked by a committee member about the costs of compliance with the bill, they responded that their policies were already in compliance with the bill's requirements, and implementation costs would be minimal.

EPIC's Testimony is available at:

     http://www.epic.org/privacy/consumer/hr4678testimony_92402.html

Hearing Notice and Links to Witness Testimony:

     http://www.epic.org/redirect/housecommerce.html

H.R. 4678, Consumer Privacy Protection Act of 2002:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.4678:

=======================================================================
[2] European Conference Reaffirms Support for Data Directive
=======================================================================

A landmark conference in Brussels with leading privacy experts, industry leaders, and data protection officials ended with support for the continued implementation of the European Union Data Directive, but noted areas where implementation could be improved and new opportunities for privacy protection pursued.

Frits Bolkestein, European Commissioner for Internal Markets, said that "the Commission will hesitate before embarking on any kind of new legislative action, even those involving minor amendments. Rather than embarking on legislative change which, of course, can be slow to produce results, we should first exploit all more pragmatic possibilities at our disposal." Peter Hustinx, the Dutch Data Protection Commissioner, expressed the view of many when he said that no one had suggested that the principles in the Directive are not valid or that the Directive is unworkable.

The conference explored a wide range of issues related to the implementation of the Data Directive, the growth of the Internet, the processing of sound and image files, and international issues including data transfers, applicable law, and jurisdiction. Among the speakers were Lene Espersen, Danish Minister of Justice; Giacomo Santini, vice-chairman of the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs of the European Parliament; and Stefano Rodotà, President of the Working Party of Article 29 of the Directive (committee of Data Protection Commissioners in the Community).

EPIC Executive Director Marc Rotenberg chaired a session on the Internet and Privacy Enhancing Technologies, which included Helmut Bäumler of the German Data Protection Authority, Lee Bygrave of the University of Oslo, Stephanie Perrin of zeroknowledge, Maurice Wessling of Bits of Freedom, and Jason Albert with Covington & Burling in Brussels. The session explored opportunities and obstacles for the development of new techniques to safeguard privacy.

Simon Davies, Director General of Privacy International, summarizing a report on the rights and interests of data subjects, urged the Commission to continue to seek input from the public and to ensure that the Directive continues to uphold its critical purpose of safeguarding human rights.

In conclusion, Mr. Bolkestein suggested that the Commission would consider several proposals for future Community action, including:

  * the simplification of notification requirements;

  * reduction of divergences in Member States' practices;

  * a more determined effort to promote privacy enhancing technologies;

  * more flexible arrangements for the transfer of personal data to third countries, together with a clearer and more uniform interpretation of the rules;

  * promotion of self-regulatory approaches and in particular Codes of Conduct that can contribute to the free movement of personal data.

A report from the Commission is expected later this year.

European Commission, Data Protection:

     http://europa.eu.int/comm/internal_market/en/dataprot/

Data Protection Conference and Report of the Implementation of the Directive 95/46/EC:

     http://europa.eu.int/comm/internal_market/en/dataprot/lawreport/

Privacy International:

     http://www.privacyinternational.org/

EPIC, Privacy and Human Rights: An International Survey of Privacy Laws and Developments:

     http://www.epic.org/bookstore/phr2002/

=======================================================================
[3] Landmark Public Domain Case To Be Argued Before Supreme Court
=======================================================================

On Wednesday, October 9, the U.S. Supreme Court will hear the case of Eldred v. Ashcroft, the challenge to the controversial 1998 Sonny Bono Copyright Term Extension Act (CTEA). The CTEA lengthened copyright terms by 20 years, stretching them to 70 years after an artist's death. This effectively prevents hundreds of thousands of works (notably, and not coincidentally, Mickey Mouse) from falling into the public domain for an additional 20 years. Eldred is the first challenge to copyright extensions to reach the Supreme Court.

Although the outcome of this case has significant consequences for the future of the CTEA, the public domain, and copyright in general, the Supreme Court on Wednesday will be considering the more narrow question of whether Congress has the right to extend copyright law if the change does not promote the "progress of science and useful arts" as stated in Article 1, Section 8 of the Constitution.

Professor Lawrence Lessig, who will argue for Eldred before the Court, argues that Congress should extend copyright protection only if the change is aimed at promoting new creative works.
The CTEA, rather than promoting the progress of arts and sciences, prevents works from falling into the public domain (where they can be used to create new and significant works: Shakespeare and Disney, for example, borrowed liberally from prior works in creating their masterpieces) despite the fact that no incentive will urge the works' creators, long dead, to produce new works. The government counters that the 1998 Act promotes the arts by protecting their economic value, thereby fostering greater incentives to create.

The copyright term limit in 1790, as passed by the First Congress, was 14 years, plus another 14 if the creator was still alive. Under this standard, Mickey Mouse, first introduced in 1928, would have entered the public domain in 1956. Under the CTEA, Mickey Mouse will not enter the public domain until 2023. (Prior to the passage of the CTEA, Mickey would have entered the public domain in 2003).

On the eve of the Court hearing, "The Bookmobile" is scheduled to reach Washington, DC on Tuesday night. It is a "mobile digital library capable of downloading public domain books from the Internet via satellite and printing them anytime, anywhere, for anyone." The Bookmobile, which is intended to illustrate the value of books and the importance of the public domain, left San Francisco on September 30, and has stopped at schools and libraries across the nation.

Information on The Bookmobile is available at:

     http://www.archive.org/texts/bookmobile.php

Legal materials on Eldred v. Ashcroft are available at:

     http://eldred.cc/

=======================================================================
[4] Student Profilers Settle Privacy Cases with FTC
=======================================================================

The Federal Trade Commission (FTC) has settled cases against American Student List (ASL) and the National Research Center for College and University Admissions (NRCCUA) for collecting personal information from students through deceptive practices. The FTC complaint alleged that the companies operated a scheme to cull marketing data through surveys administered under the pretense of college admissions and scholarship opportunities.

NRCCUA sent letters to schools asking teachers to dedicate classroom time to administering detailed surveys for college admissions and financial aid purposes. These "Post-Secondary Planning" surveys elicited detailed personal information from students, including their religious affiliations, personal interests, and social attitudes. The surveys did have a privacy notice, but the language implied that the information was for educational purposes only. NRCCUA marketed the information collected to higher education institutions, but also shared the information with ASL, which used the data for direct marketing. ASL is a list brokerage company that sells personal information in "Teenage Lifestyle Interests," "Ethnic Families," and "Preschool" databases.

The settlement requires the companies to improve their privacy notices by disclosing future marketing use of the survey data in communications with students and teachers. Also, the companies cannot use data collected prior to the settlement for "non-educational marketing purposes." However, this still allows use of student data for student "recognition" programs, book clubs, magazine subscriptions, and other "educational" products.

The FTC's action follows a prosecution brought by the New York Attorney General against Student Marketing Group (SMG), a similar student-profiling company (see EPIC Alert 9.16).

FTC Settlement with Student Profilers:

     http://www.ftc.gov/opa/2002/10/student1r.htm

EPIC's Student Privacy Page:

     http://www.epic.org/privacy/student/

=======================================================================
[5] Intellectual Property, Digital Rights Management, Online Privacy
=======================================================================

Several recent bills and proposals to increase intellectual property protection rights could significantly impact online privacy.

In July, Rep. Howard Berman (D-CA) introduced H.R. 5211, the Peer-to-Peer Piracy Prevention Act, a bill which would "limit the liability of copyright owners for protecting their works on peer-to-peer networks." Under the bill, copyright owners would be exempt from all State and Federal statutory and common law liability for engaging in self-help, including "disabling, interfering with, blocking, diverting, or otherwise impairing the unauthorized distribution, display, performance, or reproduction . . . on a publicly accessible peer-to-peer file trading network."

While proponents of the bill claim it would only permit the use of innocuous technologies, the language of the bill fails to limit the copyright owner's self-help activities other than in terms of direct monetary loss of "$50 per impairment." For copyright owners to effectively reduce P2P piracy, they are likely to employ more invasive measures in an escalating "arms race" with peer-to-peer software. As it becomes harder to discover what is being exchanged across P2P networks, and as the distinction blurs between the peer-to-peer file trading networks and other general Internet communications such as e-mail and Web browsing, copyright owners may scrutinize the content of communications in order to identify potentially infringing transactions.
Furthermore, it may become increasingly difficult to even identify which system within a local network is running a file-sharing application, requiring more sophisticated surveillance on the part of the copyright owner. This sort of activity is a necessary predicate to taking the self-help measures proposed in H.R. 5211, and could open the door to significant invasions of user privacy.

Meanwhile, Rep. Billy Tauzin (R-LA) has circulated a draft bill that would mandate the adoption of a "broadcast flag" in devices receiving digital television broadcast; the FCC has also initiated a request for comments on a similar rule. In theory, the flag allows copyright owners to signal that redistribution or duplication of certain content broadcast over the public airwaves is prohibited. The implications of the mandate, however, could be far-reaching as copyright owners seek to gain complete control over their content. For example, the flag's presence might trigger certain devices to report back to the copyright owner that unauthorized duplication is taking place. Furthermore, the flag could be used to prohibit traditional "fair use" of copyrighted works. Since details on the actual implementation of the broadcast flag remain unresolved, EPIC plans to monitor these developments closely.

Finally, Rep. Zoe Lofgren (D-CA) and Rep. Rick Boucher (D-VA) each introduced legislation in the past week to protect consumers' rights and limit some of the more invasive provisions of the Digital Millennium Copyright Act. Although action on the bills is unlikely in the remaining days of this Congressional session, these bills will set the stage in the next Congress for a debate over the balance between the rights of copyright owners and consumers.

H.R. 5211, Peer-to-Peer Piracy Prevention Act of 2002:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.05211:

Tauzin Draft of Broadcast Flag Mandate:

     http://www.eff.org/IP/Video/HDTV/tauzin-bf-mandate.pdf

H.R. 5522, Digital Choice and Freedom Act of 2002:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.05522:

H.R. 5544, Digital Media Consumers' Rights Act of 2002:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.05544:

=======================================================================
[6] First Monday 2002: Civil Liberties In A New America
=======================================================================

Today, October 7, marks First Monday 2002. First Monday is an organizing effort by the Alliance for Justice to bring attention to a critical public policy issue each year and to reach out to young people, mobilizing them to become activists for change.

Founded in 1994, First Monday began as an annual event coinciding with the opening of the Supreme Court's session on the first Monday in October. It was originally designed to support law students who were considering careers in public interest law. Over time, First Monday has grown to become a rallying point for the entire public interest community, including progressive students in social work, medicine, public health, nursing and undergraduate colleges.

The purpose of this year's First Monday theme, "Civil Liberties in a New America," is to raise awareness about the importance of civil liberties after September 11th. This is accomplished through the organization of numerous grassroots events involving students and community members across the nation.

At the heart of First Monday is a documentary film that serves as the cornerstone for every First Monday event, whether they are campus-based educational events, city-wide screenings, community forums, or ongoing organizing by activists and advocates. The films coincide with each year's focus and have explored such topics as hunger and homelessness, the death penalty, and the gun violence epidemic.

It's not too late to bring First Monday: Civil Liberties in a New America to your community or campus.
Contact First Monday today if you want to host a screening of their film "Of Rights and Wrongs: The Threat to America's Freedoms," featuring Susan Sarandon and the music of Bruce Springsteen.

First Monday activists are also taking action by signing "Subpoenas for Information" addressed to Attorney General John Ashcroft, pressuring him to lift the veil of secrecy at the Justice Department and answer important questions concerning civil liberties. You can add your voice to the growing chorus seeking information from Attorney General Ashcroft by signing on to the subpoena.

This year, there are over 200 events being planned on campuses and in communities from Maine to California. Get involved in this national mobilization to protect America's freedoms!

Sign the subpoena on the First Monday Web site at:

     http://www.firstmonday2002.com/

To find the First Monday event nearest you, go to:

     http://www.firstmonday2002.com/events.cfm

=======================================================================
[7] EPIC Bookstore - Books by Christine L. Borgman and Bruce Schneier
=======================================================================

From Gutenberg to the Global Information Infrastructure: Access to Information in the Networked World, by Christine L. Borgman

Will the emerging global information infrastructure (GII) create a revolution in communication equivalent to that wrought by Gutenberg, or will the result be simply the evolutionary adaptation of existing behavior and institutions to new media? Will the GII improve access to information for all? Will it replace libraries and publishers? How can computers and information systems be made easier to use? What are the trade-offs between tailoring information systems to user communities and standardizing them to interconnect with systems designed for other communities, cultures, and languages? This book takes a close look at these and other questions of technology, behavior, and policy surrounding the GII.
Topics covered include the design and use of digital libraries; behavioral and institutional aspects of electronic publishing; the evolving role of libraries; the life cycle of creating, using, and seeking information; and the adoption and adaptation of information technologies. The book takes a human-centered perspective, focusing on how well the GII fits into the daily lives of the people it is supposed to benefit.

Taking a unique holistic approach to information access, the book draws on research and practice in computer science, communications, library and information science, information policy, business, economics, law, political science, sociology, history, education, and archival and museum studies. It explores both domestic and international issues. The author's own empirical research is complemented by extensive literature reviews and analyses.

----------------

Secrets and Lies: Digital Security in a Networked World, by Bruce Schneier

Internationally recognized information security expert Bruce Schneier provides a practical, straightforward guide to understanding and achieving security throughout computer networks. Schneier uses his extensive field experience with his own clients to dispel the myths that can mislead you while trying to build secure systems. He also clearly covers everything you'll need to know to protect your company's digital information. And he shows you how to assess your business and corporate security needs so that you can choose the right products and implement the right processes.

Both of the above books are available through the EPIC Bookstore at:

     http://www.epic.org/bookstore/epic_books.html

================================

EPIC Publications:

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.
http://www.epic.org/bookstore/foia2002/

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"Privacy & Human Rights 2002: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $25.
http://www.epic.org/bookstore/phr2002/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, video surveillance, location tracking, ID systems and freedom of information laws.

================================

"The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001). Price: $40.
http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore/

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Bridging the Digital Divide: Challenge and Opportunities. 3rd World Summit on Internet and Multimedia. October 8-11, 2002. Montreux, Switzerland. For more information:
http://www.internetworldsummit.org/

Symposium: The Rule of Law in the Information Age: Reconciling Private Rights and Public Interest. The Catholic University of America School of Law, Interdisciplinary Program in Law and Religion and the Institute for Communications Law Studies. October 9-10, 2002. Washington, DC. For more information:
http://law.cua.edu/news/conference/informationage/

2002 WSEAS International Conference on Information Security (ICIS '02).
World Scientific and Engineering Academy and Society. October 14-17, 2002. Rio de Janeiro, Brazil. For more information:
http://www.wseas.org/conferences/2002/brazil/icis/

Privacy & Data Security Academy & Expo. International Association of Privacy Officers (IAPO). October 16-18, 2002. Chicago, IL. For more information:
http://www.privacyassociation.org/html/conferences.html

Privacy Law and Policy: Meeting the Challenges of Technology, Terrorism, and Accountability. Council on Law in Higher Education (CLHE). October 20-22, 2002. Washington, DC. For more information:
http://www.clhe.org/programs/privacysymposium/

Privacy Trends: Complying With New Demands. Riley Information Services Inc. and the Commonwealth Centre for Electronic Governance. October 22, 2002. Ottawa, Canada. For more information:
http://www.rileyis.com/seminars/

Symposium on Privacy and Security (SPS). Stiftung für Datenschutz und Informationssicherheit (SDI), Basel/Switzerland. October 30-31, 2002. Zurich, Switzerland. For more information:
http://www.privacy-security.ch/

3rd Annual Privacy and Security Workshop: Privacy & Security: Totally Committed. Centre for Applied Cryptographic Research, University of Waterloo and the Information and Privacy Commissioner/Ontario. University of Toronto. November 7-8, 2002. Toronto, Canada. For more information:
http://www.epic.org/redirect/cacr.html

First Hawaii Biometrics Conference. Windward Community College, Pacific Center for Advanced Technology Training (PCATT). November 10-13, 2002. Waikiki, HI. For more information:
http://biometrics.wcc.hawaii.edu/

Transformations in Politics, Culture and Society. Inter-Disciplinary.Net. December 6-8, 2002. Brussels, Belgium. For more information:
http://www.inter-disciplinary.net/tpcs1.htm

18th Annual Computer Security Applications Conference (ACSAC): Practical Solutions to Real Security Problems. Applied Computer Security Associates. December 9-13, 2002. Las Vegas, NV.
For more information:
http://www.acsac.org/

Third Annual Privacy Summit. International Association of Privacy Officers. February 26-28, 2003. Washington, DC. For more information:
http://www.privacyassociation.org/html/conferences.html

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy. Association for Computing Machinery (ACM). April 1-4, 2003. New York, NY. For more information:
http://www.cfp.org/

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via email:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Back issues are available at:

     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription email address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

     http://www.epic.org/donate/

=======================================================================

Drink coffee, support civil liberties, get a tax deduction, and learn Latin at the same time! Receive a free epic.org "sed quis custodiet ipsos custodes?" coffee mug with donation of $75 or more.

=======================================================================

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 9.18 -----------------------