WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 1999 >> [1999] EPICAlert 10

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 6.10 [1999] EPICAlert 10


Volume 6.10 June 30, 1999

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Senate Committee Approves Mandatory Filtering Bill
[2] Congress Acts on Encryption Legislation
[3] Government Seeks Review of Bernstein Crypto Decision
[4] House to Consider Financial Data Protection
[5] Proposed DoubleClick/Abacus Merger Raises Privacy Concerns
[6] California Supreme Court Upholds Workplace Privacy
[7] Report Notes Benefits of Internet Anonymity
[8] Upcoming Conferences and Events

[1] Senate Committee Approves Mandatory Filtering Bill

Congress' move toward mandatory Internet filtering for schools andlibraries gained momentum on June 23, when the Senate CommerceCommittee approved the Children's Internet Protection Act (S.97). Thelegislation would mandate that public schools and libraries receiving"E-Rate" universal service funds purchase and use Internet filteringsoftware to regulate access by minors. The House of Representativesadded a similar provision to the juvenile justice bill on June 17.

The Committee action came over the objections of leading education,
library and civil liberties groups, which argued that the legislationwould impose a costly unfunded requirement and ignores a variety ofalternative approaches being taken in localities around the country.
Commerce Committee Chairman John McCain (R-AZ) rejected the criticism,
stating that filtering software is inexpensive and necessary to protectchildren. "No issue is more important to America than protecting ourchildren," he said. Under the language approved by the Senatecommittee approach, the thousands of schools that participate in thefederal Internet subsidy program would be required to install softwarepreventing access to obscene material and child pornography. Librariesin the E-Rate program with more than one computer would face a similarrequirement; those with only one computer would have to ensure thatchildren could not access such material.

Prior to the vote, the Internet Free Expression Alliance (IFEA) sent ajoint letter to the Commerce Committee urging rejection of mandatoryfiltering. The coalition members told the committee, "We believe thatthe majority of Americans share our conviction that parents andteachers -- not the federal government -- should provide children withguidance about accessing information on the Internet." They urged theSenators to consider alternative approaches, including training classesto help children bring critical skills to the Internet; adultsupervision of Internet use by minors; highlighting recommended sitesto assist parents in navigating the Internet; and establishment oflimited time periods for supervised use of the Internet by youngchildren. The groups noted that, "Clumsy and ineffective blockingprograms are nothing more than a 'quick fix' solution to parentalconcerns, often providing a false sense of security that children willnot be exposed to material which parents may find inappropriate."

The text of the coalition letter is available at the website of theInternet Free Expression Alliance:

[2] Congress Acts on Encryption Legislation

On June 23, the House Commerce Committee approved the Security andFreedom Through Encryption (SAFE) bill (H.R. 850), which would relaxexport controls on encryption, with several amendments. One of theamendments would make it a crime to fail to decrypt encryptedinformation when ordered to do so, raising serious privacy andconstitutional concerns. The new provision would impose criminalpenalties (including up to ten years in prison) on anyone who
is required by an order of any court to provide to the court or any other party any information in such person's possession which has been encrypted and who,
having possession of the key or such other capability to decrypt such information into the readable or comprehensible format of such information prior to its encryption, fails to provide such information in accordance with the order in such readable or comprehensible form.

House consideration of the SAFE bill will continue for at leastanother month; the International Relations Committee has until July 16to act on the legislation and Intelligence and Armed Services haveuntil July 23. The House Armed Services Committee has scheduled ahearing on the bill for June 30.

Also on June 23, the Senate Commerce Committee approved the PROTECTencryption bill (S. 798). The legislation would allow U.S. companiesimmediately to export medium-strength encryption products (64-bit) andmuch more powerful products (up to 128-bit) beginning in 2002. CurrentU.S. policy generally limits exports to 56-bit encryption with someexceptions such as for subsidiaries of U.S. firms and foreign companiesin banking, insurance, health-care and electronic commerce. The billwould also establish a committee of government and private sectorofficials that could vote to allow export of stronger products ifsimilar products are available outside the United States. Thecommittee's decisions could be overturned by the President. Unlike theSAFE bill in the House, the PROTECT Act does not include criminalpenalties for the use of encryption in furtherance of a crime.

Additional information on encryption policy is available at theInternet Privacy Coalition website:

[3] Government Seeks Review of Bernstein Crypto Decision

While Congress continues to debate encryption policy, the federalcourts are also grappling with the issue. On June 21, the Departmentof Justice filed a petition for rehearing in the Bernstein case,
seeking to overturn the Ninth Circuit Court of Appeal's recent opinionholding that encryption source code is scientific expression protectedby the First Amendment.

The federal appeals court in San Francisco ruled on May 6 that federalregulations that prohibit the dissemination of encryption source codeviolate the First Amendment. The court found that the regulations arean unconstitutional prior restraint on speech because they "grantboundless discretion to government officials" and have "effectivelychilled [cryptographers] from engaging in valuable scientificexpression." The case was initiated by researcher Daniel Bernstein,
who sought government permission to export source code he had written.
EPIC was both co-counsel and coordinator of a "friend-of-the-court"
(amicus) brief in the case, arguing against the government controls onprivacy-enhancing technology. Civil liberties and privacyorganizations have consistently opposed restrictions on thedissemination of encryption technology, and welcomed the Bernsteindecision as a major breakthrough. The opinion was notably for itsrecognition of the threats to privacy that citizens face today and therole of encryption in protecting information.

In seeking the Ninth Circuit's reconsideration of the case, the JusticeDepartment argues that the May 6 decision
rests on fundamental errors regarding First Amendment and severability law. As a result of those errors,
the panel has placed the entire encryption export regime in jeopardy. The potential consequences of repudiating the President's decisions regarding encryption export controls are grave and far-reaching.
Before the views of the panel majority become the law of this Circuit, and unrestricted export of encryption products receives this Court's imprimatur, further review is imperative.

Information on encryption export controls, including the text of theBernstein decision and the EPIC amicus brief, is available at the EPICCryptography Archive:

[4] House to Consider Financial Data Protection

The House of Representatives is expected this week to take up a bill,
H.R. 10, that will make it easier for banks to merge with otherfinancial firms such as health insurance companies and stockbrokerages. These bigger banks are already sharing confidentialcustomer information with their subsidiaries, and with unrelated thirdparties. When the House Commerce Committee considered the bill, Rep.
Ed Markey (D-MA) won what major newspapers called a "stunning" victorywhen the committee approved an amendment that would require banks togive customers a chance to opt-out before they share or sellconfidential customer records. Unfortunately, some of the biggestbanks and financial firms in the country, including Citibank and BankOne (First USA credit cards) are waging a fierce campaign to defeat theMarkey financial privacy amendment and substitute an unacceptabledisclosure alternative.

This spring, citizens convinced the bank regulatory agencies towithdraw plans requiring banks to compile detailed "Know Your Customer"
profiles. Consumer and privacy groups are now encouraging similarcitizen action to enact the Markey privacy amendment. The Markeyamendment is supported by the nation's leading consumer groups,
including Consumers Union, Consumer Federation of America and the U.S.
Public Interest Research Group (PIRG).

Additional information on the Markey financial privacy amendment isavailable at:

[5] Proposed DoubleClick/Abacus Merger Raises Privacy Concerns

Privacy groups have raised concerns over the potential violation ofinternational privacy protection laws involved in the proposed mergerInternet advertiser DoubleClick and market research firm AbacusDirect. When the two firms merge, the DoubleClick database containingdata on Internet usage habits will be cross-referenced with the AbacusDirect database containing real names and addresses, as well asdetailed information on customer buying habits. The proposed deal hasbeen trumpeted as the key to targeting niche markets more effectively,
but the synthesizing of information could create a super-database ofpersonal information without consumers' previous consent.

EPIC, along with other privacy advocates, issued an open letter toAbacus Direct shareholders on June 29, asking them to derail the onebillion dollar merger. The groups urged shareholders to considerwhether the companies understood the privacy implications of theproposed merger, or whether they had considered international lawsthat could restrict their data trades.

Specifically, the letter cites the European Union privacy directive,
which bars data transfers from EU countries to third parties itbelieves don't adequately protect personal data or fail to obtainproper consent before sharing it. The letter also raised thepossibility of legal action in Europe. The location of Abacus'
subsidiary in Teddington, England leaves an opening for thechallenging the merger under the EU data directive, arguing that theU.K. arm of the company shouldn't be able to exchange data withcompanies in the DoubleClick network -- as well as Abacus's USlocations -- that don't comply with the EU directive. Consumeradvocates are also drafting a petition to the Federal Trade Commissionquestioning the merger.

More information on the DoubleClick/Abacus merger, including the textof the privacy groups' open letter, is available at:

[6] California Supreme Court Upholds Workplace Privacy

On June 24, California's highest court handed down a unanimousdecision describing the privacy rights enjoyed by employees in theworkplace:

In an office or other workplace to which the general public does not have unfettered access, employees may enjoy a limited, but legitimate, expectation that their conversations and other interactions will not be secretly videotaped by undercover television reporters, even though those conversations may not have been completely private from the participants'

The case, Sanders v. American Broadcasting Companies, arose after thebroadcast of an investigative report on ABC's PrimeTime Live thatincluded behind the scenes footage of the telephone psychic industry.
The footage had been obtained by an undercover reporter working as atelephone psychic. A camera concealed in the reporter's hat providedvideo images, while a hidden microphone captured sound data.

One of the psychics whose image and voice appeared briefly during thesegment, sued for invasion of privacy and violation of a stateanti-surveillance statute. After winning over $600,000 at trial, theplaintiff's judgment was overturned on appeal. The appellate courtreasoned that the employee could not have a reasonable expectation ofprivacy regarding a conversation carried on in an open workspace,
within earshot of other employees.

The California Supreme Court reversed this decision, adopting insteada more flexible standard. "Privacy," the Court noted, "is not abinary, all-or-nothing characteristic." The Court discussed severalfactors to be considered when evaluating the reasonableness of privacyclaims: "the identity of the claimed intruder and the means ofintrusion," as well as "who might have been able to observe thesubject interaction." Applying this reasoning, the Court found thatSanders could have a reasonable expectation that his conversationswith co-workers would not be secretly recorded by undercoverreporters.

The case was remanded to the appellate court, which must still decideseveral procedural and evidentiary questions, including theappropriateness of the jury award.

[7] Report Notes Benefits of Internet Anonymity

The American Association for the Advancement of Science has released areport titled "Anonymous Communication Policies for the Internet."
The report grows out of a conference on anonymity sponsored by AAAS inNovember 1997. The paper acknowledges that anonymous communicationcan be misused, but concludes that the benefits from its positive usesfar outweigh the risks.

The conference participants conducted a benefit/burden analysis ofonline anonymity in attempting to formulate a policy on the issue. Inthe end, they devised four principles: 1) that anonymous communicationonline is morally neutral; 2) that anonymous communication should beregarded as a strong human right (and a constitutional right in theUnited States); 3) that online communities should be allowed to settheir own policies regarding the use of anonymous communication; and4) that individuals should be informed about the extent to which theiridentities are disclosed offline.

Finally, it was suggested that abuses of online anonymity should notbe tolerated and that those posting defamatory messages must beresponsible for any harm associated with them. The conference membersalso took a stance against key-escrow encryption and liability foroperators of anonymous remailers. They also stressed the importanceof education and public awareness and the possible development ofcodes of conduct.

The full text of the AAAS report is available at:

[8] Upcoming Conferences and Events

National Coalition to Protect Political Freedom, 3rd Annual Meeting.
Georgetown University Law Center, Washington, DC. July 9-10, 1999.
Contact: Kit Gage 301-587-7442,
Jurisdiction: Building Confidence in a Borderless Medium. QueenElizabeth Hotel, Montreal, Canada, July 26-27, 1999. Sponsored by theInternet Law and Policy Forum. Contact: Marilyn Malenfant+1.514.744.0408 or

ABA Annual Conference, Section of International Law and Practice.
"Privacy Issues in Electronic Commerce." August 9, 1999. Atlanta,
Georgia. Contact
The 21st International Conference on Privacy and Personal DataProtection. Hong Kong, September 13-14, 1999. A distinguished groupof over 50 speakers/panelists from overseas and Hong Kong will explorethe theme of "Privacy of Personal Data, Information Technology &
Global Business in the Next Millennium."" Sponsored by the Office ofthe Privacy Commissioner for Personal Data in Hong Kong. Contact:
"A Privacy Agenda for the 21st Century." September 15, 1999. Hong KongConvention and Exhibition Centre, Hong Kong PRC. Contact:

"Certified Wide Area Road Use Monitoring." September 21-23, 1999.
Albuquerque, New Mexico. Sponsored by the New Mexico State Highway andTransportation Department Research Bureau in cooperation with theUniversity of New Mexico Alliance for Transportation Research InstituteAn intensive 2 1/2 day educational and developmental symposium on asingle rapidly evolving concept in Intelligent Transportation Systems(ITS). For more information:
Information Security Solutions Europe 1999. October 4-6, 1999. MaritimproArte Hotel, Berlin, Germany. contact

RSA 2000. The ninth annual RSA Data Security Conference and Expo. SanJose McEnery Convention Center. San Jose, CA. January 16-20, 2000,

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic PrivacyInformation Center. A Web-based form is available for subscribing orunsubscribing at:
To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or"unsubscribe".

Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interest researchcenter in Washington, DC. It was established in 1994 to focus publicattention on emerging privacy issues such as the Clipper Chip, theDigital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsoredby the Fund for Constitutional Government, a non-profit organizationestablished in 1974 to protect civil liberties and constitutionalrights. EPIC publishes the EPIC Alert, pursues Freedom of InformationAct litigation, and conducts policy research. For more information,
e-mail, or write EPIC, 666Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240(tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible. Checksshould be made out to "The Fund for Constitutional Government" and sentto EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for the rightof privacy and efforts to oppose government regulation of encryption andexpanding wiretapping powers.

Thank you for your support.

END EPIC Alert 6.10


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback