You are here:
EPIC Alert >>
 EPICAlert 2
EPIC Alert 3.02  EPICAlert 2 (24 January 1996)
Volume 3.02 January 24, 1996
Published by the
Electronic Privacy Information Center
Table of Contents
 Commerce Department Releases Crypto Report
 Court finds Constitutional Right of Privacy in Pharmacy Records
 Avrahami Asks Court for Summary Judgment
 New Book Examines FBI Surveillance
 UK Medical Association Recommends New Security Standards
 Upcoming Conferences and Events
Following a six month delay, the US Department of Commerce released areport on January 19 on the international market for encryptionsoftware.
The report finds that there are foreign products availablewhich "can have an impact on US competitiveness" and that US exportcontrols
"may have discouraged US software producers from enhancingthe software features of general purpose software to meet theanticipated
growth demand by foreign markets." It anticipates thatthere will be steadily increasing demand for crypto to be included ingeneral
use software products.
Commerce Secretary Ron Brown told Blumberg Business News that, "Ifyour foreign competitors are exporting products with encryptioncapability
and you are not, that puts you at a tremendous competitivedisadvantage."
The report, which was jointly produced by the Commerce Department'sBureau of Export Administration and the National Security Agency,
reviews the foreign availability of encryption products and othernations' import, export and domestic use policies.
Significant portions of the report have been removed at the request ofthe NSA. In December 1995, EPIC filed suit under the Freedom
ofInformation Act to obtain a full copy of the report and will continueto demand its release in its entirety.
A copy of the Executive Summary and more information on crypto policyis available at:
In the past month, two federal courts have ruled on the privacy of an
employee's use of prescription drugs. Using different legal bases, the
court decisions bring a measure of legal protection into an area where
there is no specific federal privacy law.
In one decision filed last week, a federal district court judge in Denverruled that a private ski resort violated the Americans With
DisabilityAct when it required its employees to disclose the prescription drugsthey used. The court found that "a policy that requires
employees todisclose the prescription medication they use would force the employeesto reveal their disabilities to their employer."
Employees argued thatrequiring disclosure could result in them deferring from taking neededmedication for fear of employer retailiation.
According to the WallStreet Journal, the ski resort will not appeal the decision.
In late December, the Third Circuit Court of Appeals ruled thatindividuals have a constitutional right to privacy in prescriptionrecords.
The court based its decision on previous holdings of theSupreme Court that individuals have a right of privacy in their medicalrecords.
In applying the precedent to prescription records, the appealscourt stated:
It is now possible from looking at an individual's prescription records to determine a person's illnesses,
or even to ascertain such private facts as whether a woman is attempting to conceive a child though the use of fertility drugs.
This information is precisely the sort to be protected by penumbras of privacy ... An individual using prescription drugs has
a right to expect that such information will customarily remain private.
In protecting the information, the court ruled that an intermediatelevel of scrutiny should be used in balancing the privacy rightsagainst
an employer's interest in obtaining the information to preventabuses of its health program. However, in cases where there is asevere
intrusion, the court suggested that the stronger "compelling
interest analysis" should be used.
The case came about after Rite-Aid pharmacy sent the director ofthe South Eastern Pennsylvania Transportation Authority (SEPTA) a
listof SEPTA employees and the prescription drugs they were receiving as
part of a SEPTA-Rite-Aid contract for health services. Included in
that list was the plaintiff, who was taking medication for treatmentof HIV-related illnesses. The plaintiff also sued Rite-Aid for
thedisclosure and Rite-Aid settled, agreeing not to provide employees names
in future reports. John Doe v. SEPTA, 3rd Circuit, Case No. 95-1559
(December 28, 1995).
More information on medical privacy is available at:
Ram Avrahami, the Virginia man who brought suit against US News andWorld Report for selling his personal data without his permission,
filed a motion with the Virginia court on January 16 for summaryjudgment. The motion is an effort to simplify the case, where there
isno dispute over material facts, by asking the judge to rule on theoriginal motion as a matter of law.
"The law is explicit," said Jonathan C. Dailey, who representsAvrahami in this case. "Virginia Code 8.01-40 has been interpreted bythe
Virginia Supreme Court as creating a property right in a person'sname, a right that is vested in all people, including ordinarycitizens.
When USN&WR received a commercial benefit from Mr. Avrahami's
name, as little as it may be, without first obtaining his express
written consent, it violated the law."
USN&WR had already admitted in a previous court filing that it hadtraded Avrahami's name under a "list exchange agreement" with theSmithsonian.
According to the motion, a Spring 1995 edition of theDirect Marketing List Source, a list industry catalog, both USN&WR andthe Smithsonian
Magazine were sell subscribers' names (2.2 million ofUSN&WR, 1.9 million of the Smithsonian) for $80-85 per thousand. Mr.
Avrahami said that this demonstrates that the exchange of lists is aclear commercial transaction.
"USN&WR has systematically used my name for a commercial benefit,
either for receipt of money or as a way to get reciprocal names ofsimilar value so as to increase its own circulation. The lawproscribes
such practices and the magazine should stop exchanging nameswithout the express written consent of its subscribers."
The court is expected to rule on the motion on the scheduled day ofthe trial, Feb. 6. If the court rules in Avrahami's favor, the
courtwill then consider the issue of damages.
More information on the case is available at:
In another case challenging junk mail, a small claims court in Californiaruled in favor of a man who sued Computer City for sending
mail. In April, Bob Beken purchased merchandise from the store and
indicated on the back of a check that the store could not sell his name or
send him mail and that if it did, he could recover $1,000.
The statement said:
Computer City agrees NOT to place Robert Beken on any mailing list or send him any advertisements or mailings. Computer City agrees
that a breach of this agreement by Computer City will damage Robert Beken and that these damages may be pursued in court. Further,
that the damages for the first breach are $1,000. The deposit of this check is agreement with these terms and conditions.
The court upheld the contract and awarded Beken $1,021 in damages andfees.
A new book on the Justice Department by former New York Times reporterDavid Burnham reviews federal surveillance activities and currentcontroversies
involving the nation's chief law enforcement agency.
The book, "Above the Law: Secret Deals, Political Fixes, and Other
Misadventures of the U.S. Department of Justice" (Scribner 1996), is
an extensive survey of the history of the Justice Department and the
political machinations of the agency.
In a chapter entitled "Keeping Track of the American People: TheUnblinking Eye and Giant Ear," Burnham examines new technologies ofsurveillance
used by law enforcement agencies. Using both public andclassified documents, he describes the activities of the FBI's RapidPrototyping
Facility in Quantico, Virginia, which develops miniature"microphones on a chip," the growing use of transactional recordsincluding
direct marketing files and telephone toll records by the
FBI and the DEA, and the FBI's new artificial intelligence-enhancedinvestigative systems. He also reviews current controversies such
as the Clipper Chip and the Digital Telephony law and the relationship
between the FBI and the National Security Agency.
The book also looks at the Department's enforcement efforts in civil
rights cases, national security, and the drug war. Burnham makes extensive
use of statistics to evaluate the agency's performance and finds that in
most areas, the agency is ill-managed and lacking public accountability.
Burnham has published two previous books, "The Rise of the Computer State"
(Random House 1983), one of the first books that looked at thethreats to privacy in the computer age, and "A Law Unto Itself" (RandomHouse
1989), an expose of the Internal Revenue Service. He isco-director of the Transactional Records Access Clearinghouse and amember
of the EPIC Advisory Board.
More information about "Above the Law," including exerpts from the
chapters on surveillance, the drug war and civil rights enforcement,
is available at:
A new report prepared for the British Medical Association recommends
the adoption of strong security and privacy standards to protect theconfidentiality of medical information. The author of the report,
"Security in Clinical Information Systems," is Dr. Ross J. Anderson
of the Computer Laboratory, University of Cambridge.
Last year the British Medical Association recommended that doctorsboycott the National Health Services data network. The BMA said
that"use of the data network violates a doctor's duty of care to patientconfidentiality and could subject doctors professional sanctions."
(See "British Doctors Boycott Medical Network," EPIC Alert 2.13,
October 30, 1995)
In the new report, Dr. Anderson writes, "The proposed introduction of
a nationwide NHS network has led to concern about security. Doctors and
other clinical professionals are worried that making personal health
information more widely available may endanger patient confidentiality.
The problem is not limited to the NHS; it also concerns clinicians in
prisons, immigration services, forensic laboratories and private
healthcare. However the NHS network has forced the issues to the fore.
"It has been generally agreed that the security of electronic patient
records must meet or exceed the standard that should be applied to paper
records, yet the absence of clarity on the proper goals of protection
has led to confusion. The British Medical Association therefore asked
the author to consider the risks, and to prepare a security policy for
clinical information systems."
The report concludes, "the advice of the British Medical Association
to its members is that exposing unprotected patient identifiable
clinical information to the NHS-wide network (or indeed to any other
insecure network), or even sending it in encrypted form to an
untrustworthy system, is imprudent to the point of being unethical."
The BMA report is available at:
Security, Privacy and Intellectual Property Protection in the GlobalInformation Infrastructure, Canberra, Australia. February 7-8,
Sponsored by the Australian Government, Attorney-General's Departmentand the Organization for Economic Cooperation and Development.
Technologies of Freedom: Blueprints for Action, Feb. 29-March 2.
Washington, DC. Sponsored by the Alliance for Public Technology.
Contact: Ruth Holder holderapt.org or http://apt.org/apt/
Computers Freedom and Privacy '96. March 27-30, 1996. Cambridge, Mass.
Sponsored by MIT, ACM and WWW Consortium. Contact cfp96mit.edu orhttp://web.mit.edu/cfp96/
Conference on Technological Assaults on Privacy, April 18-20, 1996.
Rochester Institute of Technology, Rochester, New York. Papers shouldbe submitted by February 1, 1996. Contact Wade Robisonprivacyrit.edu,
by FAX at (716) 475-7120, or by phone at (716)
IEEE Symposium on Security and Privacy, May 6-8, 1996. Oakland, CA.
Sponsored by IEEE. Contact: sp96cs.pdx.edu orhttp://www.cs.pdx.edu/SP96.
Visions of Privacy for the 21st Century: A Search for Solutions. May9-11, 1996. Victoria, British Columbia. Sponsored by The Office
ofInformation and Privacy Commissioner for the Province of BritishColumbia and the University of Victoria. Program athttp://www.cafe.net/gvc/foi
Australasian Conference on Information Security and Privacy June24-26, 1996. New South Wales, Australia. Sponsored by AustralasianSociety
for Electronic Security and University of Wollongong. Contact:
Jennifer Seberry (jenniecs.uow.edu.au).
Privacy Laws & Business 9th Annual Conference. July 1-3, 1996. St.
John's College, Cambridge, England. Contact: Ms. Gill Ehrlich +44 181423 1300 (tel), +44 181 423 4536 (fax).
Advanced Surveillance Technologies II. Sponsored by EPIC and PrivacyInternational. September 16, 1996. Ottawa, Canada. Contactpiprivacy.org
18th International Conference of Data Protection and PrivacyCommissioners. September 18-20, 1996. Ottawa, Canada. Sponsored by thePrivacy
Commissioner of Canada.
(Send calendar submissions to Alertepic.org)
The EPIC Alert is a free biweekly publication of the ElectronicPrivacy Information Center. To subscribe, send email toepic-newsepic.org with the subject: "subscribe" (no quotes).
Back issues are available via http://www.epic.org/alert/
The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 to focuspublic
attention on emerging privacy issues relating to the NationalInformation Infrastructure, such as the Clipper Chip, the DigitalTelephony
proposal, medical record privacy, and the sale of consumerdata. EPIC is sponsored by the Fund for Constitutional Government, anon-profit
organization established in 1974 to protect civil libertiesand constitutional rights. EPIC publishes the EPIC Alert, pursuesFreedom
of Information Act litigation, and conducts policy research.
For more information, email infoepic.org, HTTP://www.epic.org orwrite EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks should
be made out to "The Fund for Constitutional Government" and sent to EPIC,
666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.
Your contributions will help support Freedom of Information Act and First
Amendment litigation, strong and effective advocacy for the right of
privacy and efforts to oppose government regulation of encryption and
funding of the National Wiretap Plan.
Thank you for your support.