WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 1995 >> [1995] EPICAlert 14

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 2.14 [1995] EPICAlert 14


Volume 2.14 November 9, 1995

Published by the Electronic Privacy Information Center (EPIC)
Washington, DC

Table of Contents

[1] NIST Releases Updated Export Criteria (Clipper 2.1)

[2] Wiretap Update: FBI Does New Math
[3] Concerns about Medical "Privacy" Bill Grow
[4] Massachusetts Enacts New Consumer Credit Law
[5] New Privacy Polls: Lots of Problems, Few Solutions
[6] Review: "The Right to Privacy," Alderman and Kennedy
[7] EPIC E-mail Bag
[8] Upcoming Conferences and Events

[1] NIST Releases Updated Export Criteria (Clipper 2.1)

The National Institute of Standards and Technology released this week a
"Draft Software Key Escrow Encryption Export Criteria (11/95 version)."
The new standard was expected to take into account industry comment from
a September meeting when the proposal was announced and quickly trashed,
but not much changed. Key requirements for those planning to export

- Key escrow - No functioning crypto without . . .
- A U.S. government certified key escrow agent - No triple-DES - Incompatibility with everything else
The complete NIST proposal is available at:
NIST also announced that it will sponsor a meeting to discuss the
proposed exportability criteria for the 64-bit software key escrow
encryption on December 5. According to NIST, "this meeting continues the
industry-government dialog of an earlier NIST-sponsored meeting held in

Information on the December 5 meeting is available at:
Readers who are interested in a review of the proposed NIST export
standard should look at Brock Meek's column in the November 1995 issue
of Wired. No five mice for Clipper 2.1.

[2] Wiretap Update: FBI Does New Math

Pressure on the Department of Justice to reevaluate the wiretap program
continues to grow. The October 16 Federal Register notice (reported in
EPIC Alert 2.12) prompted national news coverage and led many of those
following the wiretap plan to ask whether 1% means 1 out of 100 or 1 out
of 1,000.

At a November 2 press conference with Jamie Gorelick, the deputy
attorney general was asked repeatedly about the status of the wiretap
plan. Ms. Gorelick responded, "Let me make very clear that there is no
intention to expand the number of wiretaps or the extent of wiretapping.
The entire purpose of the digital telephony legislation was to leave law
enforcement in the same position it is now with respect to wiretaps."
When pressed by a reporter who asked if there would be no substantial
change to the total number of wiretaps performed if "the FBI got
everything that it wanted in the Federal Register" notice, Ms. Gorelick
said yes. She described the news reports as "a misunderstanding or
miscommunication." (Federal electronic surveillance went from 340
warrants authorized in 1992 to 554 in 1994, according to the
Administrative Office of the U.S. Courts).

Readers are urged to do the math and then send the FBI a letter
regarding the wiretap plan before November 15. Check out:

[3] Concerns about Medical "Privacy" Bill Grow

Senator Bennett's medical privacy bill continues to raise concerns. Now,
consumer groups are jumping into the battle. The Consumer Project on
Technology, founded by Ralph Nader and led by public interest advocate
Jamie Love, wrote recently to Senator Kassenbaum to warn that the bill
"ensures that virtually any law enforcement official will have the right
to search your medical records, not by identifying your doctors and
obtaining a warrant for records from a doctors office, but simply by
contacting large insurance companies, employers or database companies,
and searching computer databases."

Even one of the backers of the bill concedes that privacy will likely
get short shrift if the measure goes forward. "To suggest to the public
that this bill is a championing of the doctor-patient relationship and
medical privacy is misrepresenting what's really going on," said
Lawrence Gostin, director of the law and public health program at
Georgetown University, in a November 3 Boston Globe article. "What this
bill does is legitimize the development of these large health databases
that are intended to hold vast amounts of medical information about
individual Americans."

Massachusetts is one of several states that will see current privacy
safeguards drop if the federal bill goes through.

Senator Kassenbaum is expected to hold hearings on November 13, 1995.
Alert readers are urged to contact Senator Kassenbaum with your views on
the bill. More information about the proposal can be found at:

[4] Massachusetts Enacts New Consumer Credit Law

In September, Massachusetts Governor William Weld signed the strongest
consumer credit protection law in the nation. This follows passage of a
law protecting the privacy of medical records held by insurance
companies two years ago.

The new law requires that the three national credit bureaus each provide
one free credit report to each state resident. Local credit bureaus can
charge $5 for a copy. Currently, only TRW provides free reports.

Another important change is that credit givers, such as department
stores and banks, are liable for reporting incorrect information. If a
store incorrectly reports that an individual has defaulted on a loan,
the individual can sue for damages caused by the report. Currently, this
lack of liability is a major reason inaccurate information keeps
reappearing in individuals reports even after the bureaus are informed
of the inaccuracies. Under the new law, errors must be corrected within
three days and inaccurate information that has been deleted from the
report cannot be reentered without notifying the individual.

Investigative reports are also limited. Credit givers can only contact
employers, neighbors and others with the express written consent of the

The law is scheduled to go into effect January 1, 1996.

[5] New Privacy Poll: Lots of Problems, Few Solutions

Equifax, the credit reporting agency now poised to enter the medicalrecord business, and Lou Harris, the national polling organization,
released this week the "Equifax-Harris Mid-Decade Consumer Privacy
Survey." The poll reveals high levels of concerns about privacy.

Consumer concerns about privacy came in slightly behind controlling
false advertising and reducing insurance fraud, but beat out requiring
environmentally safe packing and putting content and calorie labels on

The poll finds that 82% of Americans are very concerned or somewhat
concerned about privacy. And 80% of Americans believe they have lost all
control over personal information.

But the Equifax-Harris poll does not tell the whole story. A recent poll
from the Yankelovich group found that 90% of Americans favored
legislation to protect them from businesses that invade their privacy.
That number is similar to a 1991 Time/CNN poll when consumers, when
asked if they favored legal protections, said yes overwhelmingly.

More information about public attitudes toward medical record privacy
and consumer privacy may be found at:

[6] Review: "The Right to Privacy," Alderman and Kennedy

"The Right to Privacy," Ellen Alderman and Caroline Kennedy (Alfred
Knopf, New York 1995), $26.95.

Justice Brandeis once described privacy as "the most comprehensive of
all rights." But privacy is also one of the most confusing of all
rights. Courts, commentators and scholars often struggle with justthe definition.

To the credit of Ellen Alderman and Caroline Kennedy, there is now an
excellent book that helps clarify and make real the importance of
privacy. The Right to Privacy is a fascinating and well constructed
expose of the pivotal legal battles that have helped shaped the rightof privacy. It is perhaps the most engaging book on privacy ever

The authors look at a series of critical cases that demonstrate various
major privacy themes -- privacy and law enforcement, privacy and the
self, privacy and the press, privacy and the voyeur, privacy in the
workplace, and privacy and information. They approach their task in
even-handed fashion. While their sympathies are clearly with the claims
of the plaintiff, they are careful to describe the competing concerns of
law enforcement, employers, and the press. Courts are often asked to
balance competing claims and the authors invite the readers to consider
as well the interests of both parties.

Alderman and Kennedy also convey the richness of privacy law. Few
privacy claims are slam-dunks in the Supreme Court. Much of the law is
made at the state level. Many cases end quietly in settlement among the
parties. Insurance companies, as the authors note, often play an
important role in both awards and strategy.

The book is at its best describing the individuals who bring claims, and
their sense of outrage and betrayal when their privacy has been
violated: A woman strip-searched in a police station for a parking
violation, a young couple filmed in a hotel room from behind a two-way
mirror, a psychological profile required for a job that asks about
sexual activities and religious belief. Each case makes real the sense
of powerlessness, invasion, and simple humiliation that results when
privacy is lost.

The book provides also a wonderful answer to an age-old question: why go
to law school? In many stories, it becomes clear that without a
sympathetic and determined attorney, rights would not be vindicated.

But, still, this excellent work is not without faults. The last chapter
is a disappointment, a discordant note in an otherwise robust symphony.
In the discussion of cutting edge privacy issues, the authors jump from
hot topic to hot topic without much consideration of significance or
context. They conclude, quite surprisingly, that new technologies will
require us to give up some privacy rights.

That conclusion is unfortunate not only because it quotes Justice
Brandeis (who believed quite the opposite as both the famous law review
article from 1890 and a 1928 wiretap opinion make clear), but also
because it seems to ignore the evidence that much of the book presents.
Individuals whose privacy is violated will indeed seek redress.

Perhaps the problem is simply that the law has not reached a point where
we can talk as clearly about privacy violations in the information world
as we have in the physical world. Maybe it will take cases brought
against police ogling women on the street though Closed Circuit
Television, or credit bureaus scanning medical records to reject credit
risks, a discreet genetic test used by an employer to eliminate
potential workers, or a computer user arrested for sending a personal
message with an illegal form of encryption
Like the plaintiffs in the cases described in the book, the plaintiffsin those future cases will also ask the courts to recognize that right,
both comprehensive and confusing, that is critical for human dignityand civil society.

[7] EPIC E-mail Bag

As the frequency of EPIC Alerts has increased, we've received many
letters and comments. Alert 2.12 brought criticisms from two government
officials. One asked whether it was fair for us to describe the
wiretapping conducted by US officials on Japanese and French trade
officials as "illegal." Admittedly, this is an area of international law
where norms are often unclear. It was also not our point to suggest that
US officials are alone in this activity (similar charges have been made
recently against French agents, though we are not aware of any against
Japan). But if the question is squarely asked whether it is legal for a
government to wiretap a private communication without legal process,
there is plenty of law to suggest that the answer is no. The Universal
Declaration of Human Rights, the International Covenant on Civil and
Political Rights, and the Convention of the International
Telecommunications Union all make clear the responsibility of governments
to respect the privacy of communication. Does it happen anyway? Of course.
Should it? Look at the documents. (

A second official takes issue with our criticism of an early draft of
the privacy working group IITF report on privacy noting that the
proposal has since been changed. We've updated our web site to include
the final version of the report, as well as the NTIA report also
mentioned in Alert 2.13. We leave it to readers to decide if there has
been much improvement with the IITF proposal.

Several comments were received on the draft medical privacy bill in
Alert 2.13. We have incorporated these suggestions in our proposal, and
plan to release a revised bill next week.

The Avrahami case has already stirred interest among Alert readers.
Several have asked for more current updates as the case develops. As a
result, we added a new section with the legal motions and updated other
pages. Readers interested in the Avrahami case should check frequently. We will do our best to keep
you informed.

Please send your comments to

[8] Upcoming Privacy Related Conferences and Events

The Right to Privacy. November 9. Authors Caroline Kennedy and EllenAlderman discuss their new book on privacy. Lizner Auditorium, George
Washington University, Washington, DC. Contact 202/357-3030.

Consumer Rights with Direct Marketing On and Off the Internet: DoesJunk (e-)Mail Really Byte? November 21. Sponsored by Institute for
Computer and Telecommunications Systems Policy. Washington, DC.

11th Annual Computer Security Applications Conference: Technicalpapers, panels, vendor presentations, and tutorials that address theapplication of computer security and safety technologies in the civil,
defense, and commercial environments. December 11-15, 1995, New Orleans,
Louisiana. Contact Vince Reed at (205) 890-3323 or

RSA 6th Annual Data Security Conference: Cryptography Summit.
Focus on the commercial applications of modern cryptographic technology,
with an emphasis on Public Key Cryptosystems. January 17-19, 1996.
Fairmont Hotel, San Francisco. Contact Layne Kaplan Events, at (415)
340-9300, e-mail at, or register at

The Gathering: The Computer Security Conference with a Difference.
February 13-15, 1996. University of Otago, Dunedin, New Zealand.
Speakers include Fred Cohen, Chris Coggans, Bruce Schneier, WinnSchwartau, Robert Ellis Smith, and Philip Zimmerman.

Computers Freedom and Privacy '96. March 27-30, 1996. Cambridge, Mass.
Sponsored by MIT, ACM and WWW Consortium. Contact or

Conference on Technological Assaults on Privacy, April 18-20, 1996.
Rochester Institute of Technology, Rochester, New York. Papers should
be submitted by February 1, 1996. Contact Wade Robison,
by FAX at (716) 475-7120, or by phone at (716) 475-6643.

Australasian Conference on Information Security and Privacy June24-26, 1996. New South Wales, Australia. Sponsored by AustralasianSociety for Electronic Security and University of Wollongong. Contact:
Jennifer Seberry (

Visions of Privacy for the 21st Century: A Search for Solutions.
May 9-11, 1996. Victoria, British Columbia. Sponsored by The Office
of Information and Privacy Commissioner for the Province of British
Columbia and the University of Victoria. Program at
The Privacy Laws & Business 9th Annual Conference. July 1-3, 1996.
St. JohnÕs College, Cambridge, England. Contact: Ms. Gill Ehrlich+44 181 423 1300 (tel), +44 181 423 4536 (fax).

18th International Conference of Data Protection and Privacy
Commissioners. Sponsored by the Privacy Commissioner of Canada.
September 18-20, 1996. Ottawa, Canada.

Advanced Surveillance Technologies II. Sponsored by EPIC and PrivacyInternational. September 17, 1996. Ottawa, Canada. Contact
International Colloquium on the Protection of Privacy and PersonalInformation. Commission d'acces a l'information du Quebec. May 1997.
Quebec City, Canada.

(Send calendar submissions to

The EPIC Alert is a free biweekly publication of the ElectronicPrivacy Information Center. To subscribe, send the message:

to You may also receive the Alert by reading theUSENET newsgroup

Back issues are available via orFTP/WAIS/Gopher/HTTP from /cpsr/alert/ and on Compuserve (GoNCSA), Library 2 (EPIC/Ethics).

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues relating to theNational Information Infrastructure, such as the Clipper Chip, theDigital Telephony proposal, medical record privacy, and the sale ofconsumer data. EPIC is sponsored by the Fund for ConstitutionalGovernment and Computer Professionals for Social Responsibility. EPICpublishes the EPIC Alert and EPIC Reports, pursues Freedom ofInformation Act litigation, and conducts policy research on emergingprivacy issues. For more information, email, WWW atHTTP:// or write EPIC, 666 Pennsylvania Ave., SE, Suite
301, Washington, DC 20003. (202) 544-9240 (tel), (202) 547-5482 (fax).

The Fund for Constitutional Government is a non-profit organizationestablished in 1974 to protect civil liberties and constitutionalrights. Computer Professionals for Social Responsibility is anational membership organization of people concerned about the impactof technology on society. For information contact:
If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible. Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.

Your contributions will help support Freedom of Information Actlitigation, strong and effective advocacy for the right of privacy andefforts to oppose government regulation of encryption and funding ofthe National Wiretap Plan.

Thank you for your support.

END EPIC Alert 2.14

Marc Rotenberg ( * +1 202 544 9240 (tel)
Electronic Privacy Information Center * +1 202 547 5482 (fax)
666 Pennsylvania Ave, SE, Suite 301 * HTTP://
Washington, DC 20003 *

WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback