
EPIC Alert


EPIC Alert 4.13 [1997] EPICAlert 13


Volume 4.13 September 26, 1997

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] House Committee Rejects Domestic Crypto Ban
[2] HHS Releases Medical Privacy Recommendations
[3] Employment Eligibility Pilot Programs Begin
[4] White House Commission Urges Scrutiny of Private Employees
[5] ID Cards to Cost $10 Billion
[6] Imagine: FBI Finally Releases John Lennon Files
[7] New Bills in Congress
[8] Upcoming Conferences and Events

[1] House Committee Rejects Domestic Crypto Ban

The House Commerce Committee has rejected an FBI-backed proposal to impose the first-ever domestic controls on encryption. In a 35-16 vote on September 24, the committee defeated an amendment to the SAFE crypto bill offered by Reps. Michael Oxley (R-OH) and Thomas Manton (D-NY) that would have banned the domestic manufacture and sale of encryption products that do not provide law enforcement agencies easy access to encrypted information. Speaking in opposition to the amendment, many committee members cited the unprecedented assault on privacy and civil liberties that would result if the FBI proposal was adopted.

While surviving the draconian Oxley-Manton amendment, the SAFE bill, originally introduced by Rep. Bob Goodlatte (R-VA) to relax U.S. export controls on encryption products, did not emerge from the Commerce Committee unscathed. The committee adopted an amendment offered by Reps. Ed Markey (D-MA) and Rick White (R-WA) that would create a new National Electronic Technologies (NET) Center within the Justice Department. The NET Center would engage in research and "examine encryption techniques and methods to facilitate the ability of law enforcement to gain efficient access to plaintext of communications and electronic information." The NET Center would be authorized to seek the assistance of "any department or agency of the Federal Government" in support of its mission, thereby providing explicit statutory authority for National Security Agency involvement in domestic law enforcement activities. The Markey-White amendment also doubles the penalty for the use of encryption in furtherance of a felony and provides that "No person shall be subject to civil or criminal liability for providing access to the plaintext of encrypted communications or electronic information to any law enforcement official or authorized government entity, pursuant to judicial process."

In a letter sent to the Commerce Committee prior to the vote, EPIC joined with the American Civil Liberties Union, Eagle Forum, Americans for Tax Reform and other groups in urging members to oppose "any proposal establishing a legal structure for key recovery even if temporarily 'voluntary,' any so-called 'compromise' provision drawn from Oxley-Manton . . . , and any new proposal that would limit the availability and use of strong encryption."

The fate of the SAFE bill is now uncertain. The original Goodlatte language has been substantially amended by five House committees, with contradictory results. Rep. Gerald Solomon (R-NY), chairman of the House Rules Committee, has indicated that he will not send the legislation to the House floor unless it contains the Oxley-Manton domestic controls. As such, SAFE may no longer be a viable vehicle for the reform of encryption policy that it was originally intended to promote.

PDF versions of House Commerce Committee documents on the SAFE bill are available at:

[2] HHS Releases Medical Privacy Recommendations

Health and Human Services (HHS) Secretary Donna Shalala released the Department's recommendations for a new medical privacy bill on September 11, calling for legislation that would generally protect all medical records. In addition, HHS says medical records should not be used by employers and others for making non-medical decisions; patients would have the right to sue if their records were disclosed improperly and criminal and civil penalties could be imposed.

On a number of issues, the guidelines fall short. HHS recommends that there be no new laws preventing law enforcement access to medical records, essentially enabling law enforcement and other government officials to obtain medical records without a court order. In addition, on the issue of medical research, the guidelines recommend that personally identifiable records be used for medical research without the consent of the patient. They also ignore the issue of whether a single unique identifier such as a Social Security number should be used to link all medical records in a nationwide network of records.

Importantly, HHS recommends that any new medical privacy law should not preempt already existing state or federal laws that provide greater protection. A major bill introduced last year by Sen. Robert Bennett (R-UT) would have prevented states from providing more protection to their citizens. Many states have enacted laws giving stronger privacy protection to records on substance abuse, AIDS and mental health. Some states, such as Massachusetts, are currently in the process of enacting comprehensive privacy legislation.

The text of the HHS recommendations and more information on medical privacy is available at:

[3] Employment Eligibility Pilot Programs Begin

The Immigration and Naturalization Service (INS) and the Social Security Administration (SSA) have announced three pilot programs for verifying eligibility of employees to work within the United States. The pilot programs were ordered by the Congress as part of the Immigration Reform and Immigrant Responsibility Act of 1996 in a compromise attempt to avoid creation of a national identification system.

The three programs are the Basic Pilot; the Citizen Attestation Pilot; and the Machine-Readable Document Pilot. The Basic Pilot requires that employers verify the employment eligibility of all new employees through automated verification checks of SSA and INS databases using a telephone. The Citizen Attestation Pilot only checks the status of new employees who attest they are not U.S. citizens, but is limited to states where drivers' licenses are acceptable to the INS -- presumably those having the SSN on the face of the license. In the Machine Readable Pilot, the procedures are similar to the Basic Pilot except in states with machine readable licenses (currently, only Iowa is eligible).

Each government department is required to assign a pilot program to at least one agency within the department. In addition, companies that have been found to violate the Immigration Act can be compelled to join in the program. The pilot programs will last for four years unless Congress re-authorizes them.

[4] White House Commission Urges Scrutiny of Private Employees

A special Presidential commission will recommend that certain private sector employees be subjected to in-depth background checks and polygraph examinations. Speaking before The Bankers Roundtable on September 11, Robert T. Marsh, Chairman of the President's Commission on Critical Infrastructure Protection, previewed the "core recommendations" that will be transmitted to the White House. Addressing "privacy issues in the employer-employee relationship," Marsh said:

Throughout its year-long effort, the Commission has struggled to address the competing interests of security and privacy and the trade-offs between these two interests. . . . We are going to recommend that the Administration and Congress study ways to make some of the tools that the federal government uses to perform background checks and issue security clearances more readily available to employers within the critical infrastructures, at least in filling certain sensitive positions within those infrastructures. These efforts may afford you, for example, a greater ability to inquire into and make use of criminal history information, employment histories, and credit history information. Amendments should also be made to federal polygraph law to include within the scope of current exemptions those who are in the business of providing information security services.

The "critical infrastructures," as defined by Executive Order 13010, include "telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services (including medical, police, fire, and rescue), and continuity of government."

The full text of the Marsh address is available at:

[5] ID Cards to Cost $10 Billion

The Social Security Administration announced on September 22 that it would cost up to $10 billion to re-issue Social Security cards as tamper-proof identifiers.

Congress required the SSA to assess the cost as part of the 1996 immigration and welfare bills. The SSA report reviews the history of the SSN from its creation in 1935 through the current day. The report declines to make any policy recommendations, but recognizes some of the privacy issues raised by the use of the SSN as a national identifier. An appendix to the report includes pending legislation that would limit the SSN's use.

The report examines the different technologies for ID cards from basic plain plastic cards to smart cards, including those that would include a picture or biometric identifier. It notes that SSA cannot accurately assess how many actual SSNs are in use -- the agency is only able to estimate a range between 269 and 327 million. At least 10 million are estimated to be duplicate numbers.

More information on national identification cards is available at:

[6] Imagine: FBI Finally Releases John Lennon Files

After resisting disclosure for more than 15 years, the Federal Bureau of Investigation has released almost all of its secret files on John Lennon. The documents underscore the sometimes questionable rationale for FBI surveillance operations and the importance of public oversight of those activities.

Since being sued under the Freedom of Information Act in 1983, the Bureau had steadfastly withheld the Lennon files on "national security" grounds. Now released, the records document FBI surveillance of the former Beatle's political activities, under the close supervision of the Nixon White House. Significantly, none of the disclosed files describe Lennon as involved in any illegal act. In December 1995, U.S. District Judge Robert Takasugi directed the FBI to disclose whether it had "used unlawful activities in connection with the Lennon investigation." Rather than respond to the questions, the FBI negotiated a settlement to release the documents.

Ironically, the Lennon files were released as a senior FBI official told an international privacy conference that "extreme" privacy concerns have "handcuffed" law enforcement's ability to investigate criminal activity. FBI Counsel Alan McDonald told the International Conference on Privacy in Montreal that, "Based on a theory of potential government abuse, important tools commonly used are to be restricted or embargoed."

More information on the FBI investigation of John Lennon is available at:

[7] New Bills in Congress

HR 2215, Genetic Nondiscrimination in the Workplace Act. Introduced by Kennedy (D-MA) on July 22. Amends Fair Labor Standards Act to restrict employers in obtaining, disclosing, and using genetic information. Referred to the Committee on Education and the Workforce.

HR 2216, Genetic Protection in Insurance Coverage Act. Introduced by Kennedy (D-MA) on July 22. Limits the disclosure and use of genetic information by life and disability insurers. Prohibits insurers from requiring genetic tests, denying coverage, setting rates based on genetics, using or maintaining genetic info. Referred to the Committee on Commerce.

HR 2275, Genetic Employment Protection Act of 1997. Introduced by Lowery (D-NY) on July 25. Prohibits employers, unions from discriminating on basis of genetic information. Referred to the Committee on Education and the Workforce.

HR 2368, Data Privacy Act of 1997. Introduced by Tauzin (R-LA) on July 31. Recommends that businesses create voluntary guidelines to protect privacy, and stop spamming. Referred to the Committee on Commerce.

HR 2369, Wireless Privacy Enhancement Act of 1997. Introduced by Tauzin (R-LA) on July 31. Expands ban and penalties on sale of scanners that can intercept cellular and digital communications and interception of communications. Referred to the Committee on Commerce.

HR 2372, Internet Protection Act of 1997. Introduced by White (R-WA) on July 31. Limits FCC and state ability to regulate Internet. Referred to the Committee on Commerce.

HR 2404, Stop the Theft of Our Social Security Numbers Act. Introduced by Filner (D-CA) on September 4. Prohibits IRS mailings that include SSN unless it is inside sealed envelope. Referred to the Committee on Ways and Means.

HR 2507, ATM Public Safety and Crime Control Act. Introduced by Nadler (R-NY). Requires banks to install better surveillance cameras in ATMs. Referred to the Committee on Banking and Financial Services.

S. 1146, Digital Copyright Clarification and Technology Education Act of 1997. Introduced by Ashcroft (R-MO). Sets up new rules for copyright in digital networks. Referred to the Committee on the Judiciary.

[8] Upcoming Conferences and Events

Net Worth, Net Work: Technology and Values for the Digital Age. October 4-5. University of Cal, Berkeley. Sponsored by CPSR. Contact:

20th National Information Systems Security Conference. October 7-10. Baltimore, MD. Sponsored by NIST and NSA. Contact:

EPIC International Privacy Conference. October 20, 1997. Georgetown University Law Center, Washington, DC. Sponsored by EPIC. Contact:

Managing the Privacy Revolution '97. October 21-23, 1997. Washington, DC. Sponsored by Privacy and American Business. Contact:

RSA'98 -- The 1998 RSA Data Security Conference. January 12-16, 1998. San Francisco, CA. Contact or

(Send calendar submissions to

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to with the subject: "subscribe" (no quotes) or use the subscription form at:

Back issues are available at:

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail, or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Individuals with First Virtual accounts can donate at

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan.

Thank you for your support.

END EPIC Alert 4.13
