WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 1999 >> [1999] EPICAlert 16

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 6.16 [1999] EPICAlert 16


Volume 6.16 October 12, 1999

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] EPIC Sues Trade Commission For Privacy Complaints
[2] New Internet Protocol Could Threaten Online Anonymity
[3] Congress Enacts Drivers' Privacy Protections
[4] Appeals Court to Review Bernstein Crypto Decision
[5] FCC Issues New Rule on Phone Customer Data Privacy
[6] Survey Ranks States on Privacy Protection
[7] EPIC Bookstore - The End of Privacy
[8] Upcoming Conferences and Events

[1] EPIC Sues Trade Commission For Privacy Complaints

The Electronic Privacy Information Center (EPIC) filed suit today infederal district court in Washington seeking the disclosure of recordsabout privacy complaints received by the Federal Trade Commission. Itis EPIC's contention that the FTC has failed to take action onthe many privacy complaints that the agency has received fromconsumers.

EPIC Director Marc Rotenberg said, "In order to evaluate the effective-
ness of the current privacy system in the United States, it is criticalto look at how the FTC responds to complaints from the public. If theFTC has no effective means to handle these complaints or to respond topublic concerns, then more aggressive steps should be taken."

EPIC filed the initial information request on June 10, 1999. In aletter to the Commission , EPIC requested "copies of all recordsconcerning the FTC's investigation of privacy complaints." The requestincluded letters, electronic mail, web submissions, fax transmissions,
and formal complaints. EPIC told the Commission it was interested in"records regarding alleged privacy violations by a specific company ororganization and requests for general assistance in a privacy matter,
whether or not a specific company or organization is indicated."

At a Senate hearing in July, Mr. Rotenberg criticized a report from theFTC on Internet privacy, saying that it failed to provide any actualinformation about consumer privacy complaints or the effectiveness ofindustry programs to protect privacy. He noted that EPIC had filed aFreedom of Information Act (FOIA) request regarding the handling ofcomplaints and said that information would be provided to the SenateCommittee once a response from the FTC was received.

Today's lawsuit was filed under the FOIA, which requires federalagencies to comply with requests for disclosure of records withintwenty working days. A provision in the Act allows agencies towithhold information about specific individuals if it is necessary toprotect their privacy.

The text of EPIC's lawsuit is available at:
The text of EPIC's Congressional testimony on Consumer Privacy and theFTC Report is available at:

[2] New Internet Protocol Could Threaten Online Anonymity

A new protocol being developed by the Internet Engineering Task Force(IETF) has raised privacy concerns. Internet Protocol Version 6 (IPv6)
is the "next generation" protocol designed by the IETF to replace thecurrent version Internet Protocol (IPv4), which is now nearly twentyyears old. IPv6 is intended to fix a number of problems in IPv4, suchas the limited number of available IPv4 addresses. It would also addimprovements in areas such as routing and network autoconfiguration.

The new addressing structure, however, may mean that every packet canbe traced back to each user's unique network interface card ID.
Whereas IPv4 has a 32-bit address field, IPv6 has 128 bits of addressspace. The IETF has designated 64 bits of the new space to containEUI-64 format information, which is used to assign Ethernet addresses.
That information, which is generally not transmitted outside a user'slocal area network, forms the basis of the privacy concerns raised bysome observers of the IETF process.

The EUI-64 information identifies the registered manufacturer of a NICcard and a user's 48-bit Ethernet address. This has led some criticsto claim that every packet a user sends out onto the Internet usingIPv6 will have the user's "fingerprints" on it. Unlike IP addressesunder IPv4, which can be changed, IPv6 addresses will be permanentlyembedded in hardware. In that respect, IPv6 raises many of the sameissues that surrounded the launch of the Intel Pentium III, whichcontains a "Processor Serial Number" (PSN) that is capable of uniquelyidentifying the user of a particular computer. Both IPv6 and the PSNpresent potential challenges to online anonymity, which is afundamental guarantee of both privacy and free expression on theInternet.

Additional information on IPv6 is available at:

Additional information on the Intel Pentium III PSN is available at:

[3] Congress Enacts Drivers' Privacy Protections

H.R. 2084, the Department of Transportation and Related AgenciesAppropriations Act for FY2000, contains two key privacy protections forautomobile drivers. The first prevents what could have resulted in theestablishment of a national ID system; the second creates newprotections for drivers' license information. The bill has beenapproved by Congress and is expected to be signed by the President.

The first key provision in the bill repeals Section 656(b) of theIllegal Immigration Reform and Immigrant Responsibility Act of 1996,
which required Social Security numbers to be displayed electronicallyor through other means on all drivers' licenses. While the statute wasintended to prevent illegal immigrants (who do not legally possessSocial Security numbers) from using false drivers' licenses asidentification, including Social Security numbers on all licenses couldundermine privacy and actually increase fraud. Even considering thesubstantial risks of including SSNs on drivers' licenses, the NationalHighway Traffic Safety Administration (NHTSA) chose to expand on 656(b)
by mandating national format standards for drivers' licenses -- ineffect, creating a national ID system. The new legislation is intendedto prevent such a result.

The second provision in the bill places new restrictions on the abilityof state motor vehicle administrations to sell drivers' licenseinformation. In a significant advance for privacy, state DMVs, beforereceiving any of the federal funds provided in the bill, would have toreceive the explicit permission from a driver to distribute or sell anyof his or her information. The information includes drivers' licensephotographs, Social Security numbers, and medical or disabilityinformation.

Congress' new approach to protecting drivers' license informationpresents an alternative to the Drivers Privacy Protection Act (DPPA),
which will be reviewed in an upcoming Supreme Court case, Reno v.
Condon (see EPIC Alert 6.11). Unlike the DPPA -- which prohibits therelease of all information contained in drivers' records -- H.R. 2084merely prohibits any federal transportation funding for states thatrelease personal data without prior consent.

More information about the risks of widespread use of Social Securitynumbers, is available at:

EPIC's response to NHTSA's expansion of 656(b) can be found at:

[4] Appeals Court to Review Bernstein Crypto Decision

The U.S. Court of Appeals for the Ninth Circuit has granted the JusticeDepartment's motion for rehearing in the closely watched encryptioncase Bernstein v. DOJ. The case will be re-argued before an 11-judge"en banc" panel of the court on December 16 in San Francisco. On June21, the Department filed its petition, seeking to overturn the recentopinion of a Ninth Circuit panel holding that encryption source code isscientific expression protected by the First Amendment.

The federal appeals court ruled on May 6 that federal regulations thatprohibit the dissemination of encryption source code violate the FirstAmendment. The court found that the regulations are anunconstitutional prior restraint on speech because they "grantboundless discretion to government officials" and have "effectivelychilled [cryptographers] from engaging in valuable scientificexpression." The case was initiated by researcher Daniel Bernstein,
who sought government permission to export source code he had written.
EPIC was both co-counsel and coordinator of a "friend-of-the-court"
(amicus) brief in the case, arguing against the government controls onprivacy-enhancing technology. Civil liberties and privacyorganizations have consistently opposed restrictions on thedissemination of encryption technology, and welcomed the Bernsteindecision as a major breakthrough. The opinion was notable for itsrecognition of the threats to privacy that citizens face today and therole of encryption in protecting information.

In seeking the Ninth Circuit's reconsideration of the case, the JusticeDepartment argued that the May 6 decision
rests on fundamental errors regarding First Amendment and severability law. As a result of those errors,
the panel has placed the entire encryption export regime in jeopardy. The potential consequences of repudiating the President's decisions regarding encryption export controls are grave and far-reaching.
Before the views of the panel majority become the law of this Circuit, and unrestricted export of encryption products receives this Court's imprimatur, further review is imperative.

The Clinton Administration has announced that it will release revisedregulations on encryption exports by December 15 -- one day before thescheduled re-argument in the Bernstein case (see EPIC Alert 6.15). Itis unclear what effect those revisions might have on the Bernsteinlitigation.

Information on encryption export controls, including the text of theBernstein decision and the EPIC amicus brief, is available at the EPICCryptography Archive:

[5] FCC Issues New Rule on Phone Customer Data Privacy

The Federal Communications Commission has issued a new rule on"customer proprietary network information," or CPNI. The 1996Telecommunications Act defines CPNI to include such personal data aswhen, where and for how long telephone calls are placed. Section 222 ofthe Act prohibits telephone companies from accessing this information(except for reasons such as billing or to detect fraud) or disclosingthis data to third parties, without customer approval.

The new rule, issued on October 1, exempts personal informationcollected from the sale of telephone equipment and "informationservices" from CPNI restrictions. This would allow telephone companiesto use and distribute records collected from the sale of telephones,
answering machines and telephone wiring and directory assistance calls.
The new rule would also permit telephone companies to separate theirsolicitation of customer approval from notice of customer rights undersection 222. This provision would allow companies to sendsolicitations for approval months after a customer has received anexplanation of the significance of approving access to CPNI. Further,
the FCC has changed the previous rules governing how telephonecompanies could prove that approval had been granted. Currently,
customers are protected by an electronic flagging system. The new rulewould only require that telephone companies' records clearly establishthat customer approval had been granted.

The FCC's previous CPNI rule is being litigated. On August 18, theTenth Circuit Court of Appeals ruled that regulations developed by theFCC to implement the privacy provisions of the 1996 TelecommunicationsAct violate the First Amendment rights of telephone companies todisclose the detailed calling records of their customers (see EPICAlert 6.13). The FCC has filed a petition for reconsideration of thatdecision.

The text of the new FCC rule on CPNI is available at:

[6] Survey Ranks States on Privacy Protection

A new survey conducted by the Privacy Journal ranks California andMinnesota as the strongest states in protecting personal privacy. Thetop ten states, according to the survey, are (in alphabetical order)
California, Connecticut, Florida, Hawaii, Illinois, Massachusetts,
Minnesota, New York, Rhode Island, and Wisconsin.

California was ranked first, despite losing points for its demands forfingerprints and Social Security numbers to get a driver's license.
Its courts and its constitution provide the strongest privacyprotection in the nation, according to the publication, and it hasprobably the strongest collection of laws protecting personalinformation.

Minnesota's state government and legislature have strong records onprotecting privacy, Privacy Journal noted, even though its newsorganizations have regarded privacy protections as restrictions on therelease of government documents and have traditionally resisted them.
The state has the most sophisticated enforcement scheme for monitoringstate and local agencies' compliance with a state law permittingcitizens to inspect and correct records about themselves.

The rankings place the states in four tiers, based on their laws, courtdecisions, and administrative actions. Privacy Journal rates thestates on several factors, including whether they protect privacy intheir constitutions; have laws protecting financial, medical, library,
and government files; and have fair credit reporting laws stronger thanthe federal law.

"If the federal government had been ranked like a state it would haveplaced in the third tier -- but barely," according to Privacy JournalPublisher Robert Ellis Smith. Federal laws do not protect medicalrecords nor provide access to them, they do not protect library recordsat all, and federal laws have only partial protection for financialrecords. On the other hand, federal protection for personalinformation in government files exceeds the protections in nearly allstates. "But, if we had included anti-privacy actions by Congress in1996, the federal government would have ended up with a negativescore," Smith said.

Privacy Journal judged four states "not on the radar screen" because oftheir inadequate privacy protections. They are Idaho, Missouri, SouthCarolina, and Texas. "Citizens in these states are very vulnerable,"
Smith said. "We could find no protections at all in Texas," he said.

The full listing of the 50 states, along with the criteria for ratingthe states, is available at the Privacy Journal's web site:

[7] EPIC Bookstore - The End of Privacy

"The End of Privacy," by Charles J. Sykes
As Justice Louis Brandeis suggested more than a century ago, privacy
-- the right to be let alone -- is the most valued, if not the mostcelebrated, right enjoyed by Americans. But in the face of computer,
video, and audio technology, aggressive and sophisticated marketingdatabases, state and federal "wars" against crime and terrorism, newlaws governing personal behavior, and an increasingly-intrusive media,
all of us find our personal space and freedom under attack.

In The End of Privacy, Charles Sykes traces the roots of privacy in ournation's founding and Constitution, and reveals its inexorable erosionin our time. From our homes and offices to the Presidency, Sykesdefines what we have lost, citing example after example of citizens whohave had their conversations monitored, movements surveilled, medicaland financial records accessed, sexual preferences revealed, homesinvaded, possessions confiscated, and even lives threatened - all inthe name of some alleged higher social or governmental good. Sykesconcludes by suggesting steps by which we might begin to recover theterritory we've lost: our fundamental right to our own lives.

Additional titles -- including EPIC publications -- on privacy, opengovernment, free expression, computer security, and crypto, as well asfilms and DVDs can be ordered through the EPIC Bookstore:

[8] Upcoming Conferences and Events

The Internet Security Conference (TISC). October 11-15, 1999. BostonWorld Trade Center. Boston, MA. For more information:
Virtual Money, Privacy, and the Internet. October 20, 1999. TheIndependent Institute Conference Center. Oakland, CA. For moreinformation:
Public Workshop on "Online Profiling" -- November 8, 1999. NationalTelecommunications and Information Administration, Commerce and FederalTrade Commission. Submissions and requests to participate due October18, 1999. For more information:
Consumer Privacy in the Next Decade: New Trends, Forces and Directionsand The All New Practitioner's Privacy Policy Workshop. Privacy &
American Business' Sixth Annual National Conference. November 8-10,
1999. Hyatt Regency Hotel. Arlington, VA. For more information:
The 1999 BNA Public Policy Forum: E-Commerce and Internet Regulation.
November 15, 1999. Mayflower Hotel. Washington, D.C. For moreinformation:

Annual Computer Security Applications Conference: Practical Solutionsto Real Security Problems. December 6-10, 1999. Radisson ResortScottsdale. Phoenix, Arizona. For more information:

Integrating Government with New Technologies '99 Policy vs Technology:
Service Integration in the New Environments - A two-day Seminar andTraining Session. December 13-14, 1999. Government Conference Center.
Ottawa, Canada. For more information:
Surveillance Expo '99. December 13-15, 1999. Doubletree Hotel. CrystalCity, Virginia. For more information:
PEN/Newman's Own Eighth Annual First Amendment Award. Nominations dueDecember 31, 1999. For more information:
RSA 2000. The ninth annual RSA Data Security Conference and Expo.
January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA.
For more information:

Subscription Information

The EPIC Alert is a free biweekly publication of the ElectronicPrivacy Information Center. A Web-based form is available forsubscribing or unsubscribing at:
To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or"unsubscribe".

Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 to focuspublic attention on emerging privacy issues such as the Clipper Chip,
the Digital Telephony proposal, national ID cards, medical recordprivacy, and the collection and sale of personal information. EPIC issponsored by the Fund for Constitutional Government, a non-profitorganization established in 1974 to protect civil liberties andconstitutional rights. EPIC publishes the EPIC Alert, pursues Freedomof Information Act litigation, and conducts policy research. For moreinformation, e-mail, or write EPIC,
666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 5449240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible. Checksshould be made out to "The Fund for Constitutional Government" and sentto EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for the rightof privacy and efforts to oppose government regulation of encryptionand expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 6.16


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback