============================================================== @@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @@@@@ @ @@@ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @ ============================================================== Volume 6.06 April 22, 1999 -------------------------------------------------------------- Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. http://www.epic.org ======================================================================= Table of Contents =======================================================================  FTC Proposes Rules for Kids' Privacy Protection  Encryption Bill Introduced in Senate  Know Your Passenger: FAA Introduces New Screening Rules  Online Anonymity Under Attack in the Courts  Justice Department Appeals Internet Censorship Ruling  "Orwell Awards" Presented to Biggest U.S. Privacy Invaders  EPIC Bill-Track: New Bills in Congress  Upcoming Conferences and Events =======================================================================  FTC Proposes Rules for Kids' Privacy Protection ======================================================================= The Federal Trade Commission issued proposed rules on April 20 designed to protect the privacy of children on the Internet. The proposed rules, which would apply to certain commercial websites, is the FTC's first step in the implementation of the Children's Online Privacy Protection Act, which Congress enacted last October. The intended goal of the statute is to put parents in control of information collected online from children under 13. "Protecting kids who surf the Internet has been a top priority of the Commission's online privacy initiative," said FTC Chairman Robert Pitofsky. "This proposed rule aims to achieve that goal by putting parents in control of personal information that is collected from their children on the Web. The proposed rule also provides flexibility to accommodate varied business practices and the fast pace of technological change." The proposed FTC rules, which are subject to public comment, apply to commercial websites directed to, or that knowingly collect information from, children under 13. With certain exceptions, these sites would have to obtain parental consent before collecting, using, or disclosing personal information from children. To inform parents of their information practices, these sites also would be required to provide notice on the site and to parents about their policies with respect to the collection, use and disclosure of children's personal information. Under the proposed rules, sites must give parents a choice as to whether their child's information can be disclosed to third parties, and give parents a chance to prevent further use or future collection of personal information from their child. Parents must also, upon request, be given access to the personal information collected from their child and a means of reviewing that information. Written comments on the proposed rules will be accepted until June 11, 1999. Comments may be submitted by e-mail to KidsRule@ftc.gov. More information on children's privacy, including the text of the proposed FTC rules, is available at: http://www.epic.org/privacy/kids/ =======================================================================  Encryption Bill Introduced in Senate ======================================================================= Senator John McCain (R-AZ) on April 14 introduced the Promote Reliable On-Line Transactions to Encourage Commerce and Trade (PROTECT) Act of 1999 (S.798), which is designed to promote international electronic commerce and limit the power of the federal government to mandate encryption requirements for the domestic market. The bill prohibits mandatory access to encryption keys or key recovery information by the United States government or the government of any state. The bill would also permit the export of unlimited strength encryption to members of NATO, the Organization for Economic Cooperation and Development (OECD), and the Association of Southeast Asian Nations (ASEAN). Exports to other nations would limited to strengths of 64-bits. The bill would require the National Institute of Standards and Technology (NIST) to complete work on the Advanced Encryption Standard (AES) by January 1, 2002. It further stipulates that products adhering to the standard will be permitted to be exported "consistent with the national security requirements of the United States." The PROTECT Act also establishes an Encryption Export Advisory Board which would periodically determine the availability of various encryption products abroad and make necessary recommendations to the Secretary of Commerce to amend export regulations on encryption. Notably, the bill does not include a criminalization provision like the one included in the SAFE Act currently pending in the House of Representatives. That provision would create a new federal crime for the use of encryption in the commission of a felony. The introduction of the legislation is also significant because it appears to signal a change in Sen. McCain's position on the encryption issue. As Chairman of the Senate Commerce Committee, Sen. McCain has in the past opposed any liberalization of existing encryption policy. Additional information on encryption, including the text of the PROTECT Act, is available at: http://www.epic.org/crypto/ =======================================================================  Know Your Passenger: FAA Introduces New Screening Rules ======================================================================= The Federal Aviation Administration proposed new rules on April 20 for increasing airline security by requiring that all airlines conduct computerized profiling of all passengers on domestic flights. The new program, called Computer Assisted Passenger Screening (CAPS), would use data from airline computers and secret profiling standards to select passengers for additional questioning and searches. Under the new rules, airlines would select passengers for increased scrutiny based on internal profiling standards. They would also randomly select some passengers for the "deterrent value that would increase airline passenger safety." The FAA funded the program, paying the carriers over $10 million to develop CAPS. The new rules' details on who would be targeted by the automated systems are not revealed for security reasons. However, the Department of Justice has determined that the rules raise no civil liberties concerns. The rules are based on the recommendations of the White House Commissioner on Aviation Safety and Security, led by Vice President Al Gore. The Gore Commission issued its report in 1997 and was criticized by a coalition of groups for its intrusive proposals. The proposed rules recognize that there have been few actual incidents of the sort that CAPS seeks to address (the only one reported was in 1979), but links unrelated occurrences such as the World Trade Center bombing and the accidental crash of TWA Flight 800 as justification for the stringent new procedures. The FAA estimates that it will cost between $50 million and $70 million to implement the program, which will be paid by the airlines and presumably passed onto passengers. Comments are due on the proposal by June 18, 1999. They can be e-mailed to 9-NPRM-CMTS@faa.gov. More information on the proposed rules, airline security and privacy issues is available at: http://www.epic.org/privacy/faa/ =======================================================================  Online Anonymity Under Attack in the Courts ======================================================================= Several recent court cases around the country highlight an increasingly popular litigation tactic: the use of civil discovery to unmask the identities of anonymous Internet posters. In the last few months, a growing number of corporations have issued subpoenas to Internet service providers (ISPs) and operators of online message boards seeking to identify and locate individuals who posted material that the companies, for one reason or another, find objectionable. Brian Payea, a spokesman for Lycos, recently told Salon Magazine that the firm receives subpoenas on "pretty close to a regular basis." The underlying allegations in these cases include defamation, misappropri- ation of trade secrets and securities law violations. Many observers worry, however, that the legal tactic can easily be used to intimidate potential critics into silence and destroy the anonymity that has contributed to the Internet's explosive growth. The recent cases, which include actions filed by Raytheon, Shoney's and Wade Cooke Financial, raise serious issues concerning the rights of anonymous Internet users and the procedural protections they should be entitled to before their identities are disclosed. At present, there is no legal guidance in this area. The federal Electronic Communications Privacy Act (ECPA) doesn't even require the issuance of subpoenas when a private party seeks a subscriber's identity from an ISP; only government agencies are required to present a legal demand for such information. While many service providers (such as America Online) provide in their terms of service that they will not disclose subscriber information to private parties without a subpoena, most are not obligated to notify a subscriber that a subpoenas has been received. Even when the subscriber is notified of a pending demand for identifying information, there are no established judicial procedures that would enable "John Doe" to argue in support of his anonymity. While many of the pending cases involve serious charges of alleged wrongdoing, there is no mechanism currently in place to distinguish between someone who is hiding behind their anonymity to commit a crime or other wrongful act, and someone who is, for instance, shielding their identity for whistle-blowing purposes or to communicate anonymously in an HIV-support group or on a message board for battered women. Until the courts or Congress establish basic ground rules for these cases, the number of subpoenas -- legitimate and otherwise -- is likely to increase. =======================================================================  Justice Department Appeals Internet Censorship Ruling ======================================================================= The U.S. Department of Justice on April 2 appealed a lower court decision enjoining enforcement of the Child Online Protection Act (COPA). The case against COPA -- brought by EPIC, the ACLU and other organizations -- now moves to the U.S. Court of Appeals for the Third Circuit. Appellate briefs are likely to be filed sometime this summer. The government appeal will challenge the finding of Judge Lowell A. Reed, Jr. that the new Internet censorship law would restrict free speech in the "marketplace of ideas." Judge Reed's February 1 ruling enjoins enforcement of COPA, the statutory successor to the Communications Decency Act (CDA), which the Supreme Court struck down in June 1997. The legal challenge to COPA was filed on behalf of 17 organizations publishing information on the World Wide Web. In granting a preliminary injunction against COPA, the court held that the plaintiffs are likely to succeed on their claim that the law "imposes a burden on speech that is protected for adults." The ruling came after a six-day hearing which featured testimony from website operators who provide free information about fine art, news, gay and lesbian issues and sexual health for women and the disabled, and who all fear that COPA would force them to shut down their websites. In his 49-page opinion, Judge Reed listed 68 separate "findings of fact" to support his decision. The judge considered evidence that COPA imposed technological and economic burdens on speakers, but concluded that ultimately the relevant inquiry is the "burden imposed on the protected speech, not the pressure placed on the pocketbooks or bottom lines of the plaintiffs." The full text of the Judge Reed's decision, and complete information on the legal challenge, is available at: http://www.epic.org/free_speech/copa/ =======================================================================  "Orwell Awards" Presented to Biggest U.S. Privacy Invaders ======================================================================= Privacy International presented its first Orwell Awards on April 7 to the worst corporate and government privacy invaders in the United States. Privacy International's Director, Simon Davies, said the awards were designed to raise awareness of the erosion of privacy rights in the U.S. "Surveillance over our private lives has reached a dangerous new level. It's time to turn the spotlight around and shine it on the invaders." The awards were presented at the Computers, Freedom and Privacy (CFP99) conference in Washington, DC. A total of five awards were announced, but most recipients were not on hand to receive them. The winner in the "Worst Public Official" category was Rep. Bill McCollum (R-FL) for his numerous activities in Congress opposing privacy, including pushing through a law increasing wiretapping approved last year, several bills promoting the creation of a national ID card, opposition to efforts to improve financial privacy, and his recent efforts to amend the SAFE encryption bill to mandate key escrow. Runners-up were New York Mayor Rudolph Giuliani (for his suggestion to take DNA samples of all children at birth) and Ambassador David Aaron and White House Advisor Ira Magaziner (for their travels around the world promoting encryption restrictions and opposing privacy laws). The Federal Depository Insurance Corporation received the award for "Most Invasive Proposal" for its "Know Your Customer" proposal (see EPIC Alert 6.05). The runners-up were the Communications Assistance for Law Enforcement Act (CALEA) and the FAA's Airline ID Program. The "Greatest Corporate Invader" award went to Elensys Inc., a Woburn, Massachusetts company that has secretly collected the pharmacy records of millions of consumers from 15,000 pharmacies nationwide. The runners-up were Intel for the Pentium III Processor Serial Number (designed to identify and track users) and ImageData for its attempts to create a national database of drivers license photographs. The "Lifetime Menace" award went to the Federal Bureau of Investigation for its activities over the past 80 years, including CALEA, COINTELPRO, and its efforts on information warfare. Runners-up were the Direct Marketing Association, the National Security Agency, and credit bureau TransUnion Corp. Finally, Microsoft Corp. received the "People's Choice" award for the Global User ID Number, Open Profiling System, and the proposed P3P standard. The other candidates were Intel, President Clinton and Special Prosecutor Kenneth Starr. Two "Brandeis" Awards were presented to individuals who have made an outstanding contribution to the protection of privacy, as well as to victims of privacy invasion who have successfully fought back. Phil Zimmermann, author of the encryption program Pretty Good Privacy, and Diana Mey, a West Virginia housewife who successfully took on Sears telemarketers, were the recipients this year. More information on the awards can be found at: http://www.bigbrotherawards.org/ =======================================================================  EPIC Bill-Track: New Bills in Congress ======================================================================= *House* H.R. 1345. Eliminates requirement that states collect SSNs for recreational licenses. Introduced by Obey (D-WI). Referred to the Committee on Ways and Means. H.R. 1426. Money Laundering Prevention Act of 1999. Expands rules on money laundering. Requires banks to better identify account holders. Introduced by Waters (D-CA). Referred to the Committee on Banking and Financial Services. H.R. 1450. Personal Information Privacy Act of 1999. Limits sale of credit information, SSNs, drivers photographs. Introduced by Rep Kleczka, Gerald D. (D-WI). Referred to the Committee on Ways and Means, and in addition to the Committees on Banking and Financial Services, and the Judiciary. H.R. 1471. Money Laundering Prevention Act of 1999. Expands rules on money laundering. Requires banks to better identify account holders. Introduced by Waters (D-CA). Referred to the Committee on Banking and Financial Services. *Senate* S. 753. Financial Services Act of 1999. Prohibits obtaining financial information under false pretenses. Requires FTC to issue interim report on consumer privacy. Exempts law enforcement & financial institutions. Sponsor Sen Daschle, Thomas A. (D-ND). Referred to the Committee on Banking. S. 759. Inbox Privacy Act of 1999. Anti-spam bill. Sponsor Sen Murkowski, Frank H. (R-AS). Referred to the Committee on Commerce. S. 781. Telephone Privacy Act of 1999. Requires 2 party consent for recording telephone calls. Sponsor: Sen Feinstein, Dianne (D-CA). Referred to the Committee on the Judiciary. S. 782. Patients' Telephone Privacy Act of 1999. Limits health care providers recording of patients phone calls. Sponsor: Sen Feinstein, Dianne (D-CA). Referred to the Committee on the Judiciary. S. 798. Promote Reliable On-Line Transactions to Encourage Commerce and Trade (PROTECT) Act of 1999. Slightly relaxes export controls on cryptography. Sponsor Sen McCain, John (R-AZ). Referred to the Committee on Commerce. S. 800. Wireless Communications and Public Safety Act of 1999. Limits use of cellular location information for non-safety emergency uses. Sponsor: Sen Burns, Conrad R (R-MT). Referred to the Committee on Commerce, Science, and Transportation. S. 809. Online Privacy Protection Act of 1999. Requires FTC to set rules on collection of personal information by online services and web pages. Creates broad safe harbor protections for industry. Sponsor: Sen Burns, Conrad R. (R-MT). Referred to the Committee on Commerce, Science, and Transportation . =======================================================================  Upcoming Conferences and Events ======================================================================= Encryption Controls Workshop. May 13, 1999. Raleigh, NC. Sponsored by the U.S. Dep't of Commerce. Contact: (202) 482-6031 INET 99. San Jose, Calif., June 22-25, 1999. Sponsored by the Internet Society. Contact: http://www.isoc.org/inet99/ ======================================================================= Subscription Information ======================================================================= The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at: http://www.epic.org/alert/subscribe.html To subscribe or unsubscribe using email, send email to email@example.com with the subject: "subscribe" (no quotes) or "unsubscribe". Back issues are available at: http://www.epic.org/alert/ ======================================================================= About EPIC ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail firstname.lastname@example.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ---------------------- END EPIC Alert 6.06 ----------------------- .
Alert Home Page | EPIC Home Page