
EPIC Alert


EPIC Alert 6.15 [1999] EPICAlert 15


Volume 6.15 September 23, 1999

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Impact of New Encryption Policy Remains Unclear
[2] Privacy Agenda for the 21st Century Announced
[3] Report Slams Privacy Policies; Poll Finds Privacy is Top Concern
[4] Internet Filtering Debate Resumes in Congress
[5] "Public Voice in Electronic Commerce" Conference
[6] Provision Repealing National Driver's Licenses In Final Stages
[7] EPIC Bookstore - The Code Book and More
[8] Upcoming Conferences and Events

NOTE TO SUBSCRIBERS: A listserv problem has resulted in duplicate copies of recent Alerts being sent to some recipients. We are aware of the problem and apologize for any inconvenience. Your patience is appreciated as we continue to diagnose the listserv.

[1] Impact of New Encryption Policy Remains Unclear

On September 16, the Clinton Administration unveiled a new encryption policy initiative. The White House's revised approach seems to recognize the futility of seeking to prevent the spread of privacy-enhancing technologies, and shifts the emphasis to monitoring the exports of encryption products and developing "new tools" to counter their use. It remains unclear whether the revised policy will actually enhance the privacy of most computer users.

On the export control front, the Administration will draft new encryption export regulations that will "strike a balance" between the needs of industry and law enforcement. According to the White House, the new rules -- due to be released by December 15 -- will constitute a significant liberalization of the export process. Any "retail" encryption commodity or software reportedly will be exportable without a license (after a "technical review") to commercial firms and other nongovernment end users in any country except for seven states designated as supporters of terrorism. The standards governing the required technical review have not yet been announced. The Administration's policy on export of encryption source code apparently has not changed, so that academic exchanges such as those at issue in the pending Bernstein v. Department of Justice litigation (see EPIC Alert 6.07) would still be subject to government approval prior to export.

Coupled with the export revisions is new legislation that would provide a legal framework for law enforcement access to decryption keys; provide $80 million in funding for an FBI Technical Support Center; and protect the confidentiality of decryption techniques developed cooperatively by government and industry. Under the latter provision, law enforcement agents presenting "plaintext" evidence would be exempted from routine requirements of criminal procedure that permit a defendant to explore the means by which evidence was obtained. The proposal would also prohibit the government from disclosing "trade secrets disclosed to it [presumably by encryption manufacturers] to assist it in obtaining access to information protected by encryption." The legislative vehicle for these initiatives -- the Cyberspace Electronic Security Act -- will soon be transmitted to Congress. It does not include a highly controversial provision contained in an earlier White House draft that would have authorized secret police break-ins to alter computer equipment.

EPIC believes that more details of the new encryption policy must be released before its impact on user privacy can be fully assessed. EPIC will closely monitor the process of implementing the newly-announced initiative, particularly the promulgation of the revised export control regulations and the development of special sensitive techniques to be used to extract plaintext from encryption products and services.

The details of the White House announcement, including the text of the Cyberspace Electronic Security Act and other documents released by the Administration, are available at:

[2] Privacy Agenda for the 21st Century Announced

Supporters of privacy from around the world recently gathered in Hong Kong for the 1999 Privacy Agenda Conference. At the conference, representatives from an international group of non-governmental organizations issued a declaration supporting strong privacy protections and continued vigilance against privacy abuses.

The meeting of NGOs from around the world took place as data protection commissioners were meeting to review new threats to privacy and new opportunities for privacy protection. Earlier in the week, Consumer International President Pamela Chan said that governments should conduct research on the potential for abuse in the way Internet transactions are carried out. She also urged the adoption of new safeguards to protect the privacy of individuals.

Privacy International Director Simon Davies said, "We plan to go forward with an aggressive campaign to protect the right of privacy and to stand against all who would undermine this critical freedom."

Marc Rotenberg, director of the Electronic Privacy Information Center, said that national governments must continue to listen to the "public voice" as they go forward with policies for the Internet. "Privacy and the protection of consumer interests remain a central concern for the Internet economy."

Participants in the Privacy Agenda conference included representatives from Australia, Canada, Denmark, Italy, Hong Kong SAR, Japan, Malaysia, the Netherlands, New Zealand, Thailand, the United Kingdom, and the United States.

"A Privacy Agenda for the 21st Century"
1999 Privacy Agenda Conference

EPIC and PI, "Privacy & Human Rights: An International Survey of Privacy Laws and Developments"

[3] Report Slams Privacy Policies; Poll Finds Privacy is Top Concern

According to a recent article in E-Commerce Times, a new report by Forrester Research, Inc., finds that 90 percent of Web sites fail to comply with basic privacy principles. The report strongly contradicts the findings of the Federal Trade Commission, which recently told Congress that industry self-policing is working. "The vast majority of such policies, like those of the Gap, Macy's and JC Penney, use vague terms and legalese that serve to protect companies and not individuals."

The report also notes that "clever interactive tools such's Mood Matcher -- which helps customers find movies based on their moods -- and PlanetRx's personalized prescription filler make it possible for companies to collect "highly intrusive psychographic data that individuals would rarely provide on a standard registration form."

The report suggests that the FTC, rather than producing reassuring messages to the industry, should push companies to take bigger and faster strides towards complying with already established privacy principles. Forrester also suggests that companies should be required to make customer profiles available to users, including all parties with whom data is shared, and provide the ability for customers to control who the information is shared with and the option to remove themselves from lists. Finally, the report says that "because independent privacy groups like TRUSTe and BBBOnline earn their money from e-commerce organizations, they become more of a privacy advocate for the industry -- rather than for consumers. The FTC should call for a consumer-based organization to provide principles and redress."

Meanwhile, a Wall Street Journal/NBC News poll finds that the loss of personal privacy is the Number One concern of Americans as the twenty-first century approaches. When asked what concerns them the most about the next century, twenty-nine percent of respondents answered the "loss of personal privacy." Overpopulation and terrorist acts on U.S. soil followed at twenty-three percent, racial tensions at seventeen percent, world war at sixteen percent, and global warming at fourteen percent.

The Wall Street Journal/NBC News poll was based on nationwide telephone interviews of 2,025 adults, by the polling organizations of Peter Hart and Robert Teeter.

"Report Labels Internet Privacy Policies 'A Joke'"
Forrester Research Inc.

Wall Street Journal

[4] Internet Filtering Debate Resumes in Congress

Congress' move towards mandatory Internet filtering for schools and libraries is likely to resume next week, as Senate and House conferees on juvenile justice legislation are expected to consider the issue. The House-approved version of the legislation would mandate that public schools and libraries receiving "E-Rate" universal service funds purchase and use Internet filtering software to regulate access by minors. The Senate did not include such a provision in its version of the massive juvenile justice bill and the conferees must decide whether to retain the mandate in the final, consensus measure.

Although not included in the Senate's juvenile justice package, the issue has been addressed by the Senate Commerce Committee. On June 23, the committee approved Sen. John McCain's (R-AZ) Children's Internet Protection Act (S.97). That action came over the objections of leading education, library and civil liberties groups, which argued that the legislation would impose a costly unfunded requirement and ignore a variety of alternative approaches being taken in localities around the country.

The juvenile justice conferees will consider language included in the House bill that would require schools and libraries to certify that they have selected and installed "a technology for computers with Internet access to filter or block . . . materials deemed to be harmful to minors." It further provides that "the determination of what material is to be deemed harmful to minors shall be made by the school, school board, library or other [local] authority," and not the federal government. While the latter provision was included to counter concerns over the creation of a national standard for Internet content, it amounts to a federal mandate requiring local censorship decisions. Such local actions have already been challenged in the courts, including a case in which the Loudoun County, Virginia libraries were ordered to remove filtering software from their computers (see EPIC Alert 5.18).

More information on mandatory Internet filtering is available at the website of the Internet Free Expression Alliance:

[5] "Public Voice in Electronic Commerce" Conference

The 3rd Trade-Union/NGO Public Voice conference, "The Public Voice in Electronic Commerce," will be held at the Organization for Economic Cooperation and Development (OECD) in Paris, on October 11th, 1999. The conference seeks to inject the concerns of consumers and individuals into the ongoing development of international e-commerce policy.

The conference program includes four panels, on the following topics:

1. Protecting consumer rights in electronic commerce
2. Privacy and personal data protection
3. Access as the key for development
4. Internet, the Future of Work, and Quality of Life

Two Global Internet Liberty Campaign (GILC) member organizations, Imaginons un Réseau Internet Solidaire (IRIS) and the Electronic Privacy Information Center (EPIC) are organizing the 3rd Public Voice conference, in conjunction with the OECD Forum on Electronic Commerce (October 12-13, 1999).

"The Public Voice in Electronic Commerce" will be hosted by TUAC (Trade-Union Advisory Committee) and is sponsored by the Global Internet Liberty Campaign, with the help of TACD (Transatlantic Consumer Dialogue).

For more detailed information about the program and registration, please see: or

[6] Provision Repealing National Driver's Licenses In Final Stages

The pending Transportation Appropriations bill contains an amendment that could repeal a federal law requiring National Driver's Licenses. National Driver's Licenses, so-called because of a requirement to include a Social Security number (SSN) on all state-issued driver's licenses, were initially introduced by Section 656(b) of the Illegal Immigration Reform and Immigrant Responsibility Act of 1996. Intended to weed out illegal immigrants -- who do not possess SSNs -- from using false driver's licenses as identification, the inclusion of SSNs on all driver's licenses could undermine privacy and increase fraud.

Social Security numbers, once actually used simply for distribution of social security benefits, have become a widespread, unalterable personal identifier. While someone may change their name, address, or job, it is impossible to get a new SSN. For decades, the numbers have been used by the government to keep track of citizens and their information. In the private realm, SSNs are often used as passwords and/or identification for credit information, school records, and medical histories.

Any widespread dissemination of SSNs on a commonly displayed identification such as a driver's license increases the risk of fraud and invasion of privacy. Privacy advocates have long argued that the number's use should be restricted to situations where it is the only suitable piece of identification. With respect to the identification of illegal immigrants, there are no less than twenty-six other forms of documentation that are available to the Immigration and Naturalization Service (INS).

For further comment on implementation of a national driver's license please see:

[7] EPIC Bookstore - The Code Book and More

The Code Book : The Evolution of Secrecy from Mary, Queen of Scots to Quantum Cryptography by Simon Singh

"For millennia, secret writing was the domain of spies, diplomats, and generals; with the advent of the Internet, it has become the concern of the public and businesses. One cyber-libertarian responded with the freeware encryption program Pretty Good Privacy (PGP), and Singh similarly meets a sharpening public curiosity about how codes work.[. . .] Beginning with such simple ideas as monoalphabetic substitution, which can protect the communications of a boy's treehouse club but not much more, Singh underscores with stories how codemakers and codebreakers have battled each other throughout history. A tool called frequency analysis easily defeats the monoalphabetic cipher, and encryptors over time have added the Vigenere square, cipher disks, one-time pads, and public-key cryptography that underlies PGP. But each security strategy, Singh explains, contains some vulnerability that the clever code cracker can exploit, an opaque process the author splendidly illuminates. Instances of successful decipherment, as of Egyptian hieroglyphics or the German Enigma cipher system in World War II, combine with Singh's sketches of the mathematicians who have advanced the art of secrecy, from Julius Caesar to Alan Turing to contemporary mathematicians, resulting in a wonderfully understandable survey."

-- Gilbert Taylor, Booklist

Also available from the EPIC Bookstore:

"The Privacy Law Sourcebook: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of US and International privacy law, as well as a comprehensive listing of privacy resources.

"Filters and Freedom - Free Speech Perspectives on Internet Content Controls," David Sobel, editor (EPIC 1999). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"Cryptography and Liberty: An International Survey of Cryptography Policy" Wayne Madsen and David Banisar, editors, (EPIC 1999). Price:

An international survey of encryption policies around the world. Survey results show that in the vast majority of countries, cryptography may be freely used, manufactured, and sold without restriction, with the U.S. being a notable exception.

"Privacy and Human Rights 1999: An International Survey of Privacy Laws and Developments" David Banisar, Simon Davies, editors, (EPIC 1999). Price: $15.

An international survey of the privacy and data protection laws found in 50 countries around the globe. This report outlines the constitutional and legal conditions of privacy protection, and summarizes important issues and events relating to privacy and surveillance.

Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore:

[8] Upcoming Conferences and Events

Information Security Solutions Europe 1999. October 4-6, 1999. Maritim proArte Hotel. Berlin, Germany. For more information:

The Public Voice in Electronic Commerce. October 11, 1999. Organization for Economic Co-operation and Development. Paris, France. For more information:

The Internet Security Conference (TISC). October 11-15, 1999. Boston World Trade Center. Boston, MA. For more information:

Public Workshop on "Online Profiling" -- November 8, 1999. National Telecommunications and Information Administration, Commerce and Federal Trade Commission. Submissions and requests to participate due October 18, 1999. For more information:

The 1999 BNA Public Policy Forum: E-Commerce and Internet Regulation. November 15, 1999. Mayflower Hotel. Washington, D.C. For more information:

Annual Computer Security Applications Conference: Practical Solutions to Real Security Problems. December 6-10, 1999. Radisson Resort Scottsdale. Phoenix, Arizona. For more information:

Integrating Government with New Technologies '99 Policy vs Technology: Service Integration in the New Environments - A two-day Seminar and Training Session. December 13-14, 1999. Government Conference Center. Ottawa, Canada. For more information:

Surveillance Expo '99. December 13-15, 1999. Doubletree Hotel. Crystal City, Virginia. For more information:

PEN/Newman's Own Eighth Annual First Amendment Award. Nominations due December 31, 1999. For more information:

RSA 2000. The ninth annual RSA Data Security Conference and Expo. January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA. For more information:

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail, or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 6.15

