WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 1998 >> [1998] EPICAlert 14

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 5.14 [1998] EPICAlert 14


Volume 5.14 October 13, 1998

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Congress Expands Surveillance Authority
[2] Child Protection Bill Includes Privacy Loophole
[3] Digital Millennium Copyright Act Sent to President
[4] GILC Convenes Policy Conference in Ottawa
[5] NGOs Issue Declaration at OECD Conference
[6] National DNA Database Goes Online
[7] New Bills and Actions in Congress
[8] Upcoming Conferences and Events

[1] Congress Expands Surveillance Authority

The House and the Senate last week approved legislation that wouldexpand wiretapping and the collection of personal information by lawenforcement and intelligence agencies. The bill, H.R. 3694 -- theIntelligence Authorization Act for Fiscal Year 1999 -- funds theoperations of the intelligence agencies, which reportedly received afunding increase to expand signals intelligence and analysis. Thetotal budget figures are classified.

The bill authorizes the expansion of the use of roving wiretaps, whichallow law enforcement to wiretap multiple telephones to intercept thecommunications of a single person who is using different phones. Underthe revisions, law enforcement agencies are no longer required todemonstrate in court that the person is deliberately switching phonesto avoid interception, only that there is "probably cause that theperson's actions could have the effect of thwarting interception."
Under current law, roving taps are uncommon -- there were twelve rovingtaps authorized in 1997, three in 1996, and four in 1995.

The bill also authorizes the Attorney General to ask the ForeignIntelligence Surveillance Court to issue orders placing pen registersand trap and trace devices on telephones "to gather foreignintelligence or information concerning international terrorism." IfCongress declares war on any country, a court order will not berequired. The number of orders will not be disclosed, except to theHouse and Senate Intelligence Committees.

The bill also increases access to records held by businesses in thename of national security. Under the new law, the FBI will be able toobtain information on individuals from travel records, hotelinformation, and storage facilities with an order from the ForeignIntelligence Surveillance Court.

The bill has been sent to President Clinton for his signature; thePresident has expressed his intent to sign the bill into law shortly.

[2] Child Protection Bill Includes Privacy Loophole

Congress has enacted legislation requiring Internet service providers(ISPs) to report to law enforcement all suspected activities involvingchild pornography. The "Child Protection and Sexual PredatorPunishment Act," which passed the House on October 12 and the Senate onOctober 9, carves out a new exception to provisions of the ElectronicCommunications Privacy Act (ECPA) protecting the confidentiality ofe-mail. While ECPA generally requires the government to obtain asearch warrant before obtaining the "contents" of a communication, thenew legislation appears to waive that requirement where the presence ofchild pornography is suspected.

Under the "Child Protection Act," whenever an ISP "obtains knowledge offacts or circumstances from which a violation of [child pornographylaws] is apparent," it must report such information to a lawenforcement agency. The law does not establish any standard of proofthat must be met, and creates substantial disincentives forunder-reporting; ISPs could be fined up to $50,000 for the firstfailure to report suspicious activity, and up to $100,000 for eachsubsequent failure to contact law enforcement authorities. While notrequiring ISPs to turn over detailed information on the activities ofsubscribers, the legislation clearly permits such disclosures. Itprovides, for example, that an ISP's report "may include additionalinformation or material developed by [the ISP], except that the FederalGovernment may not require the production of such information ormaterial."

Subscribers will have little recourse if an overzealous ISP improperlydiscloses confidential information; the bill provides that no ISP"shall be held liable on account of any action taken in good faith tocomply" with the reporting requirement.

[3] Digital Millennium Copyright Act Sent to President

On October 12, the House of Representatives approved legislation toupdate copyright law for digital media (H.R. 2281). The bill will nowbe sent to the White House where President Clinton is expected to signit into law. The Senate approved the bill last week. The legislationcreates criminal penalties for circumventing copyright protectionsystems and also forbids the manufacture, import, sale or distributionof devices or services used for circumvention.

In response to the concerns of cryptographers and security experts,
limited exemptions for circumventing for the purposes of securitytesting or encryption research were included. However, there stillremain concerns that the exemptions are too limited and will preventthe development and use of necessary research and security tools.

The bill also contains an exemption that allows circumvention if "thetechnological measure, or the work it protects, contains the capabilityof collecting or disseminating personally identifying informationreflecting the online activities" of a user who seeks to gain access tothe work protected. The circumvention is only allowed to disable theinformation collecting program. This provision was added after EPICtestified about the threats to personal privacy presented by the bill.
The EPIC testimony stressed that users needed the ability to removecookies, or other information collecting technologies, which also maybe used as copyright protection measures.

EPIC's testimony can be found at:

[4] GILC Convenes Policy Conference in Ottawa

The Global Internet Liberty Campaign (GILC) sponsored a conference on"The Public Voice in the Development of Internet Policy" in Ottawa,
Canada on October 7. More than 140 people from a dozen differentcountries attended the day-long symposium. The conference occurredjust prior to an OECD Ministerial conference on electronic commerce.

John Manley, the Canadian Minister of Industry and chair of the OECDconference on Electronic Commerce, opened the Public Voice conferenceand thanked GILC for bringing together NGOs. Mr. Manley stated thatthe GILC conference presented an excellent opportunity to bring diversepublic interest groups together in a structured forum to discuss thedevelopment of global policy for electronic commerce.

According to Mr. Manley, the GILC concerns have been heard by the OECDministers and there is a link between the two conferences and the OECDconference should benefit from a diversity of voices regardless offrontiers. In his conclusion Mr. Manley emphasized the importance of a"global village," and showed his desire to have a "cyber marketplace"
which is available to wealthy and poor. "We gather from many countriesto develop e-commerce in the global village. Our challenge is muchbroader today. Access to the Internet should be available to all andat a stage where half of the world population did not make a telephonecall, this remains a very important challenge for consumers andsuppliers."

Mr. Manley was followed by David Johnston, the former Chair of theCanadian Information Highway Advisory Council and former Provost ofMcGill University. According to Mr. Johnston, "we need to establish anenvironment where innovation can thrive, which recognizes that ideasand innovation are keys to wealth creation and institutional adoption,
where change is not feared and strangled." Also governments arechallenged to adopt themselves in the information age and betterunderstanding of the new technologies are needed.

Next was a panel on Consumer Protection, chaired by Karen Coyle ofCPSR, that included Benoit De Bayer (Centre de droit de laconsummation, Belgium), Phillip McKee (National Consumer's League,
USA), Nathalie St. Pierre, (Fédération Nationale des Associations deConsommateurs du Quebec), Louise Sylvan (Vice President of Consumers'
International and Chief Executive of the Australian Consumers'
Association) and Bjorn Erik Thon (Consumer Council of Norway).

The second panel focused on Free Speech and Access. It was chaired byBarry Steinhardt of the Electronic Frontier Foundation and featuredYaman Akdeniz (Cyber-Rights and Cyber-Liberties UK), Pippa Lawson(Public Interest Advocacy Center), Meryem Marzouki (Imaginons un ReseauInternet Soldaire), Sid Shniad (BC Telecommunications Workers Union),
Rigo Wenning (Fîrderverein Informationstechnik undGesellschaft), andJames Dempsey (Center for Democracy and Technology).

The luncheon speaker was Stephen Lau, the privacy commissioner for HongKong. Mr. Lau spoke about the need to protect dignity in the on-lineworld.

The third panel was chaired by Deborah Hurley, director of the HarvardUniversity Information Infrastructure Project, and looked at issuesrelated to Privacy and Encryption. Speakers on this panel includedDavid Banisar (Electronic Privacy Information Center), Ulf Bruhan(European Commission, DG XV), David Jones (Electronic Frontier Canadaand Computer Science Professor, McMaster University), ViktorMayer-Schonberger (University of Vienna, Austria and Kennedy School ofGovernment, Harvard University), and Jim Savary (York University).

The final panel was on Human Rights in the Twenty-First Century and waschaired by Marc Rotenberg of the Electronic Privacy Information Center.
The speakers were Harry Hochheiser (Computer Professionals for SocialResponsibility), Jagdish Parikh (Human Rights Watch), Edwin Rekosh(Public Interest Law Initiative in Transitional Societies), FelipeRodriguez (Electronic Frontiers Australia) and Laurie Wiseberg (HumanRights Internet).

The GILC participants and other NGOs representatives produced astatement that was later forwarded to the OECD Ministers (see below).

Complete conference reports are available at the conference report page:

[5] NGOs Issue Declaration at OECD Conference

Consumer, labor, civil liberties, and research organizations joinedtogether last week in support of a letter addressed to Organization forEconomic Co-operation and Development (OECD) Ministers on the future ofInternet policy. Representatives of more than twenty non-governmentalorganizations (NGOs) from eight countries signed the statement.

The NGOs urged the establishment of a permanent Public InterestAdvisory Committee (PIAC), similar in type and function to business andlabor groups that currently advise the OECD. The group said that theCommittee should include representatives of public interest groups inthe fields of human rights and democracy, privacy and data protection,
consumer protection, and access. The group said that the promotion ofelectronic commerce "must be considered within the broader framework ofprotection of human rights, the promotion and strengthening ofdemocratic institutions, and the provision of affordable access toadvanced communication services."

The group made the following recommendations to the OECD:

- Authentication and certification: All OECD member countries shouldimplement and enforce the 1992 OECD Guidelines for the Security ofInformation Systems, particularly the Principles on Democracy, Ethics,
and Proportionality. The OECD should also consider issues ofauthentication and certification within the context of consumerprotection and privacy protection. Policies and practices thatdisregard consumer and privacy concerns will ultimately underminepublic trust.

- Cryptography: The OECD should promote implementation of theCryptography Guidelines of 1997 and urge the removal of all controls onthe use and export of encryption and other privacy enhancingtechniques. Trust requires the widespread availability of thestrongest means to protect privacy and security.

- Protection of privacy: The OECD should urge member states toimplement fully and develop means to enforce the Privacy Guidelines of1980. The OECD Guidelines provide an essential framework to establishconsumer trust in online transactions. Self-regulation has failed toprovide adequate assurance. The group further recommended efforts topromote anonymity and minimize the collection of personal informationso as to promote consumer confidence.

- Consumer protection: The OECD should support the establishment ofminimum standards for consumer protection, including the simplificationof contracts, means for cancellation, effective complaint mechanisms,
limits on consumer liability, non-enforceability of unreasonablecontract provisions, recourse at least to the laws and courts of theirhome country, and cooperation among governments in support of legalredress. Such minimal standards should provide a functional equivalenceto current safeguards, offering at least the same levels of protectionthat would be afforded in the off-line world.

- Intellectual property: The framework for intellectual propertyprotection should be based upon mechanisms that are least intrusive topersonal privacy, and least restrictive for the development of newtechnologies.

- Internet governance: Governments should foster Internet governancestructures that reflect democratic values and are transparent andpublicly accountable to users. Standards processes should be open andshould foster competition.

- Taxation: At the Ottawa ministerial Conference, Charles Rossotti,
Commissioner of the United States Internal Revenue Service, spoke ofthe creation of a Tax Advisory Group, in which government andbusinesses will participate. Similarly, the public interest groupsshould be invited to participate in this advisory group.

- Employment: Impacts on employment must be evaluated and taken fullyinto account in all discussions and negotiations.

Finally, the group recommended continued support for the OECD Committeefor Consumer Policy.

The following versions of the NGO letter are available: (English) (French)

[6] National DNA Database Goes Online

An FBI database of the DNA of up to a million convicted criminals>from all fifty states will be activated on October 13, according topublished reports. States will provide data to the National DNAIdentification System and share the DNA information. Investigatorswill be able to upload DNA crime scene samples to the nationwidesystem and locate matches.

The federal DNA Identification Act of 1994 limits the database to DNA>from convicted criminals. Access will be restricted to lawenforcement agencies and court orders will be required to use theinformation in judicial proceedings. For security reasons, thephysical location of the database will not be disclosed.

DNA collection has been controversial, as it singles out individualsbased upon past criminal activity. The practice varies from state tostate; every state collects DNA of sex offenders, while they differon whether they collect the DNA of other criminals, includingmurderers, robbers and those who commit crimes against children.
White-collar criminals are universally excluded from collection.

In recent years, millions of dollars have been set aside in thefederal budget for "DNA Identification State Grants." The grantswere made contingent on the state databases being networked withfederal computer systems.

In an August ruling that invalidated the Massachusetts "DNA Seizureand Dissemination Act," the State Superior Court held that theinvoluntary seizure of DNA samples from prisoners, parolees, andprobationers without probable cause violates both the FourthAmendment of the U.S. Constitution and Article 14 of theMassachusetts Constitution.

[7] New Bills and Actions in Congress

* NOTE: Several important measures, including the "CDA II" Internetcensorship legislation, remain pending in Congress. FinalCongressional action will be reported in the next issue of the Alert.

H.R. 4651. Federal Criminal Law Improvements Act of 1998. Allowswiretapping for money laundering offenses, disclosure of illegallyobtained wiretap information. Introduced by McCullum (R-FL) onSeptember 28. Referred to the Committee on the Judiciary.

H.R. 4667. Electronic Privacy Bill of Rights Act of 1998. Limitscollection of personal information of children under 13. Gives FTCenforcement power. Orders FTC and FCC to hold proceedings onelectronic privacy. Introduced by Markey (D-MA) on October 1.
Referred to the Committee on Commerce. Text included in H.R. 3783 andapproved by the House.

S.2529. The Patients' Bill of Rights Act of 1998. Sets limited ruleson patient records privacy. Introduced by Daschle (D-SD) on September29. Placed on Senate Calendar October 2.

S.2536. International Crime and Anti-Terrorism Amendments of 1998.
Allows for wiretaps in computer crime cases. Introduced by Hatch(R-UT). Placed on the Calendar On October 1.

[8] Upcoming Conferences and Events

Privacy Pandemonium: What the EU's Privacy Directive Means for theUnited States. October 16. Washington, DC. Sponsored by the CatoInstutute. Contact:

1998 UK Big Brother Awards. October 26. London School of Economics,
London, UK. Sponsored by Privacy International. Contact:

Symposium on Infowar and Civil Liberties. October 26. National PressClub, Washington, D.C. Sponsored by EPIC and FCG. Contact:

Encryption Controls Workshop. Bedford, MA, October 29. Sponsored byU.S. Department of Commerce. Contact: (202) 482-6031.

PDC 98 - the Participatory Design Conference, "BroadeningParticipation" November 12-14. Seattle, WA. Sponsored by ComputerProfessionals for Social Responsibility in cooperation with ACM andCSCW 98. Contact:
Data Privacy in the Global Age. November 13. Milwaukee, WI. Sponsoredby ACLU of Wisconsin Data Privacy Project. Contact: Carole Doeppers<>.

Computer Ethics. Philosophical Enquiry 98 (CEPE'98). December 14-15.
London, UK. Sponsored by ACMSIGCAS and London School of Economics.
1999 RSA Data Security Conference. January 18-21, 1999. San Jose, CA.
Sponsored by RSA. Contact:

FC '99 Third Annual Conference on Financial Cryptography. February22-25, 1999 Anguilla, B.W.I. Contact:

Computers, Freedom and Privacy (CFP) '99. April 6-8, 1999. Washington,
DC. Sponsored by ACM. Contact:

1999 EPIC Cryptography and Privacy Conference. June 7, 1999.
Washington, DC. Sponsored by EPIC. Contact:

Subscription Information

The EPIC Alert is a free biweekly publication of the ElectronicPrivacy Information Center. To subscribe or unsubscribe, send emailto with the subject: "subscribe" (no quotes) or"unsubscribe". A Web-based form is available at:
Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC is sponsored by the Fund for Constitutional Government, anon-profit organization established in 1974 to protect civil libertiesand constitutional rights. EPIC publishes the EPIC Alert, pursuesFreedom of Information Act litigation, and conducts policy research.
For more information, e-mail, orwrite EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fully tax-
deductible. Checks should be made out to "The Fund forConstitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington DC 20003. Individuals with First Virtualaccounts can donate at
Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and funding of the digital wiretap law.

Thank you for your support.

END EPIC Alert 5.14

WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback