
EPIC Alert


EPIC Alert 6.18 [1999] EPICAlert 18


Volume 6.18 November 3, 1999

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Proposed Federal Medical Privacy Regulations Released
[2] Internet Censorship Case Goes to Appeals Court
[3] Privacy Left Out of Financial Modernization Bill
[4] Comments Sought on Proposed Key-Recovery Standard
[5] Appeals Court Permits Warrantless Thermal-Imaging Searches
[6] Protection of FIDNet Spurs Calls to Weaken FOIA
[7] EPIC Bookstore -- Code: And Other Laws of Cyberspace
[8] Upcoming Conferences and Events

[1] Proposed Federal Medical Privacy Regulations Released

On October 29, the President presented a set of proposed federal regulations protecting the privacy of electronically stored medical records. The regulations -- produced by the Department of Health and Human Services (HHS) in concert with multiple federal agencies -- are the first federal protections of medical privacy. The Department of Health and Human Services began drafting the regulations when Congress failed to pass federal legislation covering medical privacy on August 21 of this year. The rules are available for public comment over the next sixty days.

The regulations, mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), would apply to all health plans and many health care providers, as well as health care clearinghouses such as billing companies. However, under the HIPAA provision, the HHS regulations may cover only electronic data; paper records and verbal communications are not covered.

The HHS regulations also fail to provide a private right of action and leave open significant questions about how the rules will be enforced. The government would be able to impose civil and criminal penalties.

Privacy advocates, while commending the White House for moving forward on the medical privacy regulations after Congress failed to meet its self-imposed deadline for the passage of legislation, nonetheless said that comprehensive legislation would be necessary to ensure the privacy of medical records.

Notice of Proposed Rulemaking, "Standards for Privacy of Individually Identifiable Health Information"

HHS Medical Privacy Regulations
HHS Medical Privacy Regulations [PDF]
Remarks by the President on Medical Privacy, October 29, 1999

[2] Internet Censorship Case Goes to Appeals Court

The legal battle to protect free speech on the Internet resumes tomorrow in Philadelphia. The U.S. Court of Appeals for the Third Circuit will hear oral arguments in the government's appeal of a lower court decision blocking enforcement of the Child Online Protection Act (COPA). The case against COPA -- brought by EPIC, the ACLU and other organizations -- has been pending before the appellate court since the Justice Department filed its appeal in April. The appellate panel hearing the appeal consists of Judges McKee, Garin and Nygaard.

The government's appeal challenges the finding of Judge Lowell A. Reed, Jr. that the new Internet censorship law would restrict free speech in the "marketplace of ideas." Judge Reed's February 1 ruling enjoins enforcement of COPA, the statutory successor to the Communications Decency Act (CDA), which the Supreme Court struck down in June 1997. The legal challenge to COPA was filed on behalf of 17 organizations publishing information on the World Wide Web. In granting a preliminary injunction against COPA, Judge Reed found that the plaintiffs were likely to succeed on their claim that the law "imposes a burden on speech that is protected for adults." The ruling came after a six-day hearing which featured testimony from website operators who provide free information about fine art, news, gay and lesbian issues and sexual health for women and the disabled, and who all fear that COPA would force them to shut down their websites.

In his 49-page opinion, Judge Reed listed 68 separate "findings of fact" to support his decision. The judge considered evidence that COPA imposed technological and economic burdens on speakers, but concluded that ultimately the relevant inquiry is the "burden imposed on the protected speech, not the pressure placed on the pocketbooks or bottom lines of the plaintiffs."

The full text of Judge Reed's decision, and complete information on the legal challenge, is available at:

In another Internet censorship case, the Tenth Circuit issued a decision on November 2 striking down a New Mexico law that sought to criminalize the online distribution of material that is "harmful to minors." The text of the decision is available at:

[3] Privacy Left Out of Financial Modernization Bill

S. 900, the Financial Services Modernization Bill of 1999, seeks to remove barriers to mergers in the banking and financial industry. The bill, voted on today in the Senate and tomorrow in the House, also largely abandons consumer control over the sharing of information between financial institutions and marketing companies.

The current version of the legislation arose out of two separate bills in Congress. H.R. 10, the Financial Services Act of 1999, contained limited provisions for consumer control of personal financial information including: guarantees of information security, no requirement for consent to the distribution of information to third-parties, annual notice of privacy procedures, and the restricted use of account numbers and access codes. S. 900 originally had no privacy provisions. Due to the differences in the two bills, a House/Senate conference was held to reconcile the privacy provisions of the legislation.

The final conference bill provides that financial institutions must provide disclosure about privacy policies, and would restrict account numbers and access codes from marketers -- but continues to omit opt-out consent before information is distributed to nonaffiliated third parties. With the conference committee revisions, S. 900 erodes any expectation of consumer control over personal financial information. The legislation does not, however, pre-empt state financial privacy laws with stronger consumer protections.

EPIC, along with other privacy and consumer advocacy groups, opposes the bill since it provides inadequate consumer control over financial information. Despite the efforts of privacy-minded legislators such as Sens. Richard Shelby (R-AL) and Richard Bryan (D-NV) and Rep. Edward Markey (D-MA), the bill is expected to be passed by both the Senate and the House and signed into law by the President sometime next week.

[4] Comments Sought on Proposed Key-Recovery Standard

The final deadline is approaching for submission of comments on federal "key recovery" standards. The Department of Commerce is seeking public comments on proposed "technical specifications for accomplishing the recovery of keys used for encryption." The specifications are contained in a report issued by the Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure, which was chartered by the Department in 1996. The Committee was established to provide technical advice on an encryption key recovery standard for use by Federal agencies to allow for "continued government access to encrypted information in the event of the unavailability (e.g., loss due to unavailability of critical personnel) of the encryption/decryption key(s)."

Techniques for "key-recovery" or "key-escrow" have long been controversial, dating back to the unveiling of the infamous Clipper Chip in 1993.

Comments must be submitted no later than November 4, and can be sent to <>.

The text of the Committee's report, as well as other information concerning its work, is available online at:

[5] Appeals Court Permits Warrantless Thermal-Imaging Searches

The Ninth Circuit Court of Appeals, in a split opinion, has held that the police did not violate the Fourth Amendment when they used a thermal imaging device to search for evidence of marijuana cultivation. The thermal imager detected high levels of heat emission in an apartment indicating the presence of heat lamps used in growing marijuana.

The defendant Kyllo claimed that the thermal scan intruded into activities within his home, in which he had an expectation of privacy, and that the police were required to obtain a warrant before conducting the search.

Judge Hawkins, writing for the court, said that "the use of thermal imaging technology in this case did not constitute a search under contemporary Fourth Amendment standards." The court said that the emissions were "waste heat," entitled to no more privacy than the garbage that is placed on the street. The court said that there was no government intrusion into activities in Kyllo's home, in which he expected privacy, rather there was simply a measurement of heat emissions radiating from his home.

Writing in dissent, Judge Noonan said that the warrantless use of the Agema 210 clearly violated the Fourth Amendment.

I have no doubt that Kyllo did have an expectation of privacy as to what was going on in the interior of his house and that this expectation was infringed by the government's use of the Agema 210 although the machine itself never penetrated into the interior.
The closest analogy is use of a telescope that, unknown to the homeowner, is able from a distance to see into his or her house and report what he or she is reading or writing. Such an enhancement of normal vision by technology, permitting the government to discern what is going on in the home, violates the Fourth Amendment.

Both the Washington state Supreme Court and the Montana Supreme Court have held that thermal imaging is a search under their respective state constitutions.

USA v. Kyllo, 96-3033 (CA9 1999)

[6] Protection of FIDNet Spurs Calls to Weaken FOIA

As reported by the National Journal's Technology Daily on October 20, the Department of Justice is putting together a proposal to repeal part of the Freedom of Information Act (FOIA) in order to implement the Federal Intrusion Detection Network (FIDNet).

Details about FIDNet, a plan to monitor nationwide communications in the interest of "critical infrastructure protection," first emerged in July. While many of the details surrounding the eventual establishment of FIDNet are still unclear, part of the original plan involved monitoring private sector computer networks. To encourage the cooperation of businesses, the government had previously promised companies that the information about businesses necessary for the operation of FIDNet would remain confidential.

The Freedom of Information Act became law in 1966, ensuring the right of citizens to access federal agency records. Many companies are worried that information revealed through FOIA requests via their involvement in FIDNet would publicly reveal weaknesses in network security or threaten the confidentiality of business negotiations. While FOIA does offer exemptions for certain types of information, companies argue that there is no guarantee that all information would remain confidential once provided to the government.

In response to the reluctance of businesses to cooperate with FIDNet under the present FOIA conditions, the Administration is in the process of developing proposals to repeal parts of FOIA to garner private sector compliance. These plans have already received criticism in Congress.

For more information about FOIA, see the EPIC Open Government page:

FIDNet will also be the topic of an upcoming event, "The Government's Role in Computer Surveillance and The Federal Intrusion Detection Network", to be held jointly by the Association for Computing Machinery (ACM) and Stanford University on November 9. For more information, see:

[7] EPIC Bookstore -- Code: And Other Laws of Cyberspace

Code: And Other Laws of Cyberspace by Lawrence Lessig. (This book will come out on December 1 but can be ordered now.)

An exciting examination of the core values of cyberspace -- intellectual property, free speech, and privacy -- from one of America's most brilliant young legal theorists.

Lawrence Lessig "has staked out a role as one of academia's avant-garde thinkers about cyberspace and the law." - Wall Street Journal

How should we regulate cyberspace? Can we? It's a cherished belief of techies and net denizens everywhere that cyberspace is fundamentally, unalterably impossible to regulate. Thus the legendary freedom of the Net. Lawrence Lessig warns that, if we're not careful, we'll wake up one day to discover that the character of cyberspace has changed out from under us. Commercial forces will dictate the change, and architecture -- the very structure of cyberspace itself -- will dictate the form our interactions can and cannot take.

The author of the classic paper "Reading the Constitution in Cyberspace," Lessig shows how code can make a domain, site, or network free or restrictive; how architectures influence people's behavior and the values they adopt; and how changes in code affect the pressing issues of free speech, intellectual property, and privacy in cyberspace.

EPIC Publications:

"The Privacy Law Sourcebook: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of US and International privacy law, as well as a comprehensive listing of privacy resources.

"Filters and Freedom - Free Speech Perspectives on Internet Content Controls," David Sobel, editor (EPIC 1999). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"Cryptography and Liberty: An International Survey of Cryptography Policy" Wayne Madsen and David Banisar, editors, (EPIC 1999). Price:

An international survey of encryption policies around the world. Survey results show that in the vast majority of countries, cryptography may be freely used, manufactured, and sold without restriction, with the U.S. being a notable exception.

"Privacy and Human Rights 1999: An International Survey of Privacy Laws and Developments" David Banisar, Simon Davies, editors, (EPIC 1999). Price: $15.

An international survey of the privacy and data protection laws found in 50 countries around the globe. This report outlines the constitutional and legal conditions of privacy protection, and summarizes important issues and events relating to privacy and surveillance.

Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore:

[8] Upcoming Conferences and Events

Washington, D.C., USA Internet Engineering Task Force (IETF) Meeting. November 7-12, 1999. Omni Shoreham Hotel. Washington, D.C. For more information:

Public Workshop on "Online Profiling" -- November 8, 1999. National Telecommunications and Information Administration, Commerce and Federal Trade Commission. For more information:

Consumer Privacy in the Next Decade: New Trends, Forces and Directions and The All New Practitioner's Privacy Policy Workshop. Privacy & American Business' Sixth Annual National Conference. November 8-10, 1999. Hyatt Regency Hotel. Arlington, VA. For more information:

ID and Authentication 2000. Smart Card Forum. November 8-11, 1999. For more information:

The Government's Role in Computer Surveillance and the Federal Intrusion Detection Network (FIDNet). Association for Computing Machinery and Stanford University. November 9, 1999. Kresge Auditorium, Stanford University. For more information:

The 1999 BNA Public Policy Forum: E-Commerce and Internet Regulation. November 15, 1999. Mayflower Hotel. Washington, D.C. For more information:

Call for Papers -- Impacts of Economic Liberalization on IT Production and Use. The Information Society. Manuscripts due November 15, 1999. For more information:

Call for Papers -- Telecommunications: The Bridge to Globalization in the Information Society. International Telecommunications Society. Abstracts due November 15, 1999. For more information:

Annual Computer Security Applications Conference: Practical Solutions to Real Security Problems. December 6-10, 1999. Radisson Resort Scottsdale. Phoenix, Arizona. For more information:

Integrating Government with New Technologies '99 Policy vs Technology: Service Integration in the New Environments - A two-day Seminar and Training Session. December 13-14, 1999. Government Conference Center. Ottawa, Canada. For more information:

Surveillance Expo '99. December 13-15, 1999. Doubletree Hotel. Crystal City, Virginia. For more information:

PEN/Newman's Own Eighth Annual First Amendment Award. Nominations due December 31, 1999. For more information:

RSA 2000. The ninth annual RSA Data Security Conference and Expo. January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA. For more information:

Telecommunications: The Bridge to Globalization in the Information Society. Biennial Conference of the International Telecommunications Society. July 2-5, 2000. For more information:

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail, or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 6.18

