EPIC Alert 3.08 (11 April 1996)
Volume 3.08 April 11, 1996
Published by the
Electronic Privacy Information Center
Table of Contents
 CDA Trial Update -- DoJ to Present Testimony
 House Passes Health Care Bill
 Congress to Vote on Terrorism Bill Next Week
 Insiders Sell Info on 11,000 people from SSA Computers
 California, Minnesota Debate Comprehensive Privacy Bills
 Illinois to Stop Selling DMV Records
 DOD Key Escrow System Problems Surface
 Upcoming Conferences and Events
The Justice Department will begin its defense of the Communications Decency Act (CDA) in federal court in Philadelphia on Friday, April 12. Somewhat surprisingly, the government plans to call only two witnesses. The first, Special Agent Howard A. Schmidt of the Air Force Office of Special Investigations, is (according to DOJ) "expected to present a demonstration and testify concerning access to information, including sexually explicit material, that is available online." The second witness will be Dr. Dan R. Olsen, Jr., Professor of Computer Science at Brigham Young University, who is expected to testify "concerning technical issues related to the 'safe harbor' defenses" under the CDA.
Both government witnesses were examined by ACLU, EPIC and ALA attorneys in depositions conducted earlier this week. Agent Schmidt's testimony centered on his use of various Internet "search engines" to locate material he characterized as "sexually explicit." The downloaded images will be introduced as evidence on April 12. During his deposition, Schmidt declined to offer his opinion as to what kinds of information could be deemed "indecent" or "patently offensive" within the meaning of the CDA. Dr. Olsen of BYU described various approaches that could be employed to tag online material as inappropriate for minors, as well as technical means for restricting access to particular Internet sites through the use of "age verification" systems. Olsen asserted that these techniques would enable content providers to comply with the CDA, although he acknowledged that they are not widely available at the present time.
Presentation of the government's case is expected to continue on Monday, April 15. If plaintiffs elect to present rebuttal testimony, it will be heard on April 26. The three-judge court has scheduled final legal arguments in the case for June 3.
Additional information on the CDA constitutional challenge initiated by the ACLU, EPIC and a coalition of other organizations, is available at:
On March 28, the House of Representatives approved HR 3103, the Health Coverage Availability and Affordability Act of 1996. The bill includes provisions on "Administrative Simplification" that affect the privacy of medical records.
The provisions delegate all authority for the setting of privacy and security standards to the Secretary of Health and Human Services. The Secretary is given 18 months to issue regulations protecting the security and confidentiality of electronic medical records. To determine security, the regulations must take into account a number of factors which water down the security guidelines, while not examining the effect on health care of having insecure systems. The standards for privacy are similarly weak and leave HHS with nearly unfettered discretion to determine authorized and unauthorized uses.
Another controversial area is the choice of the identification number. The bill requires that HHS choose the ID number and that "the Secretary shall take into account multiple uses for identifiers." There have been several indications that the HHS plans to use the Social Security Number (SSN) as the medical identification number since the Social Security Administration is part of HHS.
However, unlike the Bennett bill (S. 1360), the House bill does not prevent states from enacting stronger medical privacy laws. While it does preempt states from enacting laws that require information to be maintained in written rather than electronic form, it allows states to adopt laws that "are more stringent than the requirements, standards, or implementation specifications under this part with respect to the privacy of individually identifiable health information."
The Senate is also working on a health care bill introduced by Senators Kassebaum and Kennedy. That bill does not contain the administrative simplification provisions of the House bill.
More information is available at:
A House-Senate conference committee is expected to vote next week on the controversial counter-terrorism bill. Earlier this week, the Republican members of the committee met behind closed doors to finish amending the bill. The full committee is scheduled to vote and approve the Republican changes on Monday. On Tuesday, the full Senate is expected to vote on the conference committee draft. The House is expected to vote on Wednesday or Thursday. Friday is the anniversary of the bombing of the Oklahoma City federal building and political pressure is on to have a bill completed by then.
A Senate bill passed last year with several provisions increasing the collection of personal information and expanding wiretapping, including funding for the Digital Telephony bill. The House bill, stripped of those provisions, passed last month in a close floor vote. President Clinton has been pushing the conferees to include the Senate provisions in the final bill.
The House members of the conference committee are Representatives Hyde (R-IL), McCollum (R-FL), Schiff (R-NM), Buyer (R-ID), Barr (R-GA), Conyers (D-MI), Schumer (D-NY), and Berman (D-CA). The Senate members are Hatch (R-UT), Thurmond (R-SC), Simpson (R-WY), Biden (D-DE),
More information and the texts of the House and Senate bills are available at:
According to the NY Times, several employees of the New York offices of the Social Security Administration are being investigated for leaking thousands of sensitive files from SSA to groups engaged in credit fraud. According to reports, several employees illegally examined over 11,000 records of individuals and disclosed Social Security Numbers and mothers' maiden names to fraudsters. One SSA employee examined 10,000 files since January 1995. Another ten employees pulled the records of over 1,200 other individuals.
The records were then used to set up charge accounts in the victims' names. The SSA did not detect the illegal practices until Citibank informed the agency of a large amount of fraud involving stolen
A New York City public employee has been charged with fraud. No employees of the SSA have yet been arrested.
In Minnesota, the state House of Representatives has passed HB 2816, an online privacy bill that would restrict service providers from disclosing consumers' information without their consent. It requires online providers to display pages setting forth their privacy policies and to ask subscribers to select the extent to which they authorize secondary uses of personal information. Individuals can sue for $500 and damages for each violation.
The Minnesota House overwhelmingly passed the bill in early March, but the state Senate passed a bill that would only create a privacy study commission. The House rejected the Senate amendment and the bill currently is in a conference committee.
A copy of the Minnesota House bill is available at:
In California, a hearing is scheduled for the first week of May on SB 1659, which would prohibit the use or distribution of personal information without the permission of the individual. The bill was introduced by State Senator Steve Peace of San Diego, who noted that current laws and self-help are not adequate: "so many files are kept on us without our knowledge that it would be a full-time job just trying to find out who has them."
The bill includes findings on the California Constitution's right to privacy. It states:
"No person or corporation may use or distribute for profit any personal information concerning a person without that person's
written consent. Such information includes, but is not limited to, an individual's credit history, finances, medical history,
purchases, and travel patterns."
More information on efforts to stem the collection of personal information is available at:
Illinois Secretary of State George Ryan announced on April 2 that the state would stop its 30-year practice of selling records from the Department of Motor Vehicles (DMV) to direct marketers starting January 1, 1997.
The Illinois DMV currently sells information from driver's license applications and automobile registrations including the names, addresses, weights, and heights of individuals. More than 14,000 people had already asked to be removed from the DMV lists under a 1993 law. Ryan said that the change was being made at the request of thousands of citizens who were not aware of their ability to be removed from the lists. The lists will still be available for political and research purposes and to other government agencies and insurance companies. The state has earned an average of $600,000 per year on the sales.
The EPIC Privacy Archives have been expanded to include documents on 17 different areas of privacy. New information is available on ID cards, welfare reform, educational privacy, Cable TV records and Caller ID:
The EPIC Online Guide to Privacy Resources has been updated to include new sites and conferences:
Information Leakage by World Wide Web Browsers: How to Blackmail Someone With Their Own Web Surfing Habits with Shabbir J. Safdar of Voters Telecommunications Watch. April 16, 1996. Washington, DC. Sponsored by the Institute for Computer and Telecommunications Systems Policy, George Washington University. Contact http://www.seas.gwu.edu/seas/ictsp/Activities/Seminars/.
Colloque: Big Brother Quebec inc. April 17, 1996. Montreal, Canada. Sponsored by Association securite informatique de Quebec. Contact: A. Bayle (514) 395-8689 or email fvilleneuve@sct.gouv.qc.ca.
Conference on Technological Assaults on Privacy, April 18-20, 1996. Rochester Institute of Technology, Rochester, New York. Contact: Wade Robison, privacy@rit.edu, by FAX at (716) 475-7120, or by phone
Electronic Democracy. April 24-25, 1996. Ottawa, Ontario. Sponsored by Riley Information Services. Contact: 76470.336@compuserve.com
RSA Day in Washington. April 25, 1996. Washington, D.C. Sponsored by RSA Data Security. Contact: Layne Kaplan Events (415) 340-9300
Computerizing Medical Records and Health Information: The Societal Benefits and Privacy Issues with Professor Alan Westin and EPIC's Marc Rotenberg. April 26, 1995. Washington, DC. Sponsored by the Institute for Computer and Telecommunications Systems Policy, George Washington University. Contact http://www.seas.gwu.edu/seas/ictsp/
IEEE Symposium on Security and Privacy. May 6-8, 1996. Oakland, CA. Sponsored by IEEE. Contact: sp96@cs.pdx.edu or http://www.cs.pdx.edu/SP96.
Workshop on Medical Records Privacy. May 10, 1996. Washington, DC. Sponsored by the Consumer Project on Technology. Contact Manon Ress (202) 387-8030 or email mress@essential.org.
Visions of Privacy for the 21st Century: A Search for Solutions. May 9-11, 1996. Victoria, British Columbia. Sponsored by The Office of Information and Privacy Commissioner for the Province of British Columbia and the University of Victoria. Program at http://www.cafe.net/gvc/foi
Internet Privacy and Security Workshop. May 20-21, 1996. Haystack Observatory, MA. Sponsored by Federal Networking Council and MIT.
InfoWarCon (Europe) '96, Defining the European Perspective. May 23-24, 1996. Brussels, Belgium. Sponsored by the National Computer Security Association. Contact: euroinfowar@ncsa.com.
Practicing Law Institute's 16th Annual Institute on Computer Law: Understanding the Business and Legal Aspects of the Internet, June 17-18, 1996, San Francisco. info@pli.edu for info or call 800/4770300.
Australasian Conference on Information Security and Privacy. June 24-26, 1996. New South Wales, Australia. Sponsored by Australasian Society for Electronic Security and University of Wollongong. Contact: Jennifer Seberry (jennie@cs.uow.edu.au).
Personal Information - Security, Engineering and Ethics. 21-22 June, 1996. Isaac Newton Institute, Cambridge. Sponsored by Cambridge University and British Medical Association. Paper submission due 10 May 1996. Contact: Ross Anderson (rja14@newton.cam.ac.uk).
Privacy Laws & Business 9th Annual Conference. July 1-3, 1996. St. John's College, Cambridge, England. Contact: Ms. Gill Ehrlich +44 181 423 1300 (tel), +44 181 423 4536 (fax).
Surveillance Expo 96. August 19-21. McLean, Virginia. Sponsored by Ross Associates. Contact: Marilyn Roseberry 703-450-2200.
Fifth International Information Warfare Conference, "Dominating the Battlefields of Business and War", September 5-6, 1996. Washington, DC. Sponsored by Interpact, NCSA, OSS. Contact:
Advanced Surveillance Technologies II. Sponsored by EPIC and Privacy International. September 16, 1996. Ottawa, Canada. Contact: pi@privacy.org or http://www.privacy.org/pi/conference/
18th International Conference of Data Protection and Privacy Commissioners. September 18-20, 1996. Ottawa, Canada. Sponsored by the Privacy Commissioner of Canada.
(Send calendar submissions to Alert@epic.org)
The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes).
Back issues are available via http://www.epic.org/alert/
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research.
For more information, email info@epic.org, HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks should
be made out to "The Fund for Constitutional Government" and sent to EPIC,
666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.
Your contributions will help support Freedom of Information Act and First
Amendment litigation, strong and effective advocacy for the right of
privacy and efforts to oppose government regulation of encryption and
funding of the National Wiretap Plan.
Thank you for your support.