WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 1999 >> [1999] EPICAlert 19

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 6.19 [1999] EPICAlert 19


Volume 6.19 November 11, 1999

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Drivers' Privacy Protection Case Heard by Supreme Court
[2] Privacy Advocates Call on FTC to Halt Online Profiling
[3] Appellate Judges Slam Internet Censorship Law
[4] Intelligence Funding Bill Requires Report on ECHELON
[5] IETF Rejects Proposal on Internet Wiretaps
[6] TRUSTe Fails to Launch Investigation into RealNetworks
[7] EPIC Bookstore -- Genetic Secrets
[8] Upcoming Conferences and Events

[1] Drivers' Privacy Protection Case Heard by Supreme Court

On November 10, the Supreme Court heard oral arguments in Reno v.
Condon. The case involves the constitutionality of the 1994 Driver'sPrivacy Protection Act (DPPA), which prohibited the dissemination ofinformation contained in state driving records.

In the lower courts, the state of South Carolina had argued that theDPPA unconstitutionally infringed on state powers, in particular theTenth Amendment right of states to regulate commerce within their ownborders. The Government had argued that the DPPA was a valid exerciseof the 14th Amendment, which has been interpreted as providing someprivacy protections.

In oral argument before the Supreme Court, both sides focused on theconstitutionality of federal efforts to regulate the procedures of astate agency. Seth Waxman, Solicitor General of the United States,
argued that Congress can legislate on drivers' records since thefederal government has the authority to regulate interstate commerce asimplicated in the selling of drivers' records to private entities.
Charles Condon, Attorney General of South Carolina, repeatedly assertedthat the law places an undue burden on state agencies and employees.

A recent bill, the Department of Transportation and Related AgenciesAppropriations Act for Fiscal Year 2000, will likely protect theprivacy of state driving records regardless of the Court decides Renov. Condon. The new legislation denies transportation funding to statesthat do not obtain explicit opt-in consent before selling ordistributing information contained in driving records.

EPIC submitted a friend-of-the-court brief in the Condon case, arguingin support of the DPPA. The brief is available at:
For more information about Reno v. Condon, see:

[2] Privacy Advocates Call on FTC to Halt Online Profiling

At a workshop on "online profiling," panelists from EPIC, Junkbusters,
the Center for Media Education, Privacy Times, and Privacy Journalcalled for the Federal Trade Commission (FTC) to immediately halt thepractice of online profiling, launch an investigation into the privacyand consumer implications of the practice, and provide recommendationsfor proper privacy legislation. The workshop, held jointly by the FTCand the National Telecommunications and Information Administration(NTIA) of the Department of Commerce, took place on November 8.

Online profiling is the collection of detailed online behavior fromuniquely identified Internet users. Online behavior generally refersto records about pages that were viewed and products or servicespurchased. Many online advertisers use online profiling in order totarget advertisements according this past behavior.

The privacy concerns arise because this information is not collectedwith the knowledge or consent of the consumer and is often connected topersonally identifiable information like a name or address. Onlinebehavior can potentially reveal information not only about interests orhobbies, but also medical conditions, sexual preferences, and politicalor religious beliefs. The collection of such information also givesmany businesses an unfair advantage in encouraging customers to buyproducts.

At the workshop, a consortium of online advertisers known as theNetwork Advertising Initiative (NAI) presented a self-regulatoryproposal to stave off regulation of data collected over the Internet.
The proposal includes notice of what information is collected and howit is used and an opt-out so that consumers can request to not havetheir information collected from them. EPIC finds the proposalinsufficient due to the lack of enforcement by other similarself-regulating agencies like TRUSTe (see item 6, below) and the undueburden that opt-out places on individuals to stop informationcollection that often occurs without their awareness.

A joint press release issued by the privacy groups to halt onlineprofiling is at:
Details about the Public Workshop on "On-line Profiling" are available:

[3] Appellate Judges Slam Internet Censorship Law

Two federal appellate judges harshly questioned the constitutionalityof the Child Online Protection Act (COPA) on November 4. COPA wouldprohibit commercial Web site operators from exposing children under 17to sexually explicit material that is deemed "harmful to minors." Thejudges suggested that COPA may violate the First Amendment by notspecifying which community's standards would apply when assessingcontent on the Internet.

Soon after President Clinton signed COPA into law last year, it waschallenged by a coalition of cyber-rights groups and Web publishers,
including EPIC and the ACLU. In February, U.S. District Judge Reedissued a preliminary injunction blocking enforcement of COPA, statingthat the law would likely fail to survive judicial scrutiny. Thegovernment appealed the decision to the U.S. Court of Appeals for theThird Circuit in Philadelphia.

In court last Thursday, Senior U.S. Circuit Judge Leonard I. Garthasked the Justice Department's lawyer how the phrase "contemporarycommunity standards" can be defined, given that the Internet is aglobal communications medium. "It seems to me that in terms of theWorld Wide Web, what that statute contemplates is that we would beremitted to the most severe community standards -- perhaps those inIran or Iraq -- where the exposure of a woman's face is deemed tobe improper," Garth said.

Judge Theodore A. McKee expressed concern with the law's provision thatWeb site operators could avoid criminal sanctions by instituting ageverification mechanisms, such as credit-card numbers, to restrictaccess by minors. McKee noted that such a screening process could havea chilling effect on adults who would be forced to reveal personalinformation in order to access material on sensitive subjects, such ashomosexuality.

Both McKee and Garth openly questioned whether it is possible tocreate legislation that satisfies the First Amendment and controlschildren's access to harmful content. Garth said, "I'm not at all surethat, in light of the Web, one can structure legislation which cancontrol" access to online content.

For more information on COPA and the full text of Judge Reed's districtcourt ruling, see:

[4] Intelligence Funding Bill Requires Report on ECHELON

The House of Representatives has approved a provision that wouldrequire the intelligence agencies to jointly provide Congress with adetailed analysis of the legal standards they apply when conductingsignals intelligence, including electronic surveillance. Therequirement grows out of the controversy surrounding Project ECHELON, aglobal surveillance network coordinated by the National SecurityAgency.

The reporting requirement is contained in the final version of theIntelligence Authorization Act for Fiscal Year 2000, which is expectedto be approved by the Senate. The report must be submitted in bothclassified and unclassified form to the Intelligence and Judiciarycommittees of the House and Senate within 60 days of final passage. Itmust disclose the legal standards for interception of communicationswhen such interception may result in the acquisition of informationfrom a communication to or from United States persons; for intentionaltargeting of the communications to or from United States persons; forreceipt from non-United States sources of information pertaining tocommunications to or from United States persons; and for disseminationof information acquired through the interception of the communicationsto or from United States persons.

The reporting requirement was added to the appropriations bill at theinsistence of Rep. Bob Barr (R-GA). In a statement released after theHouse passage of the bill, Barr said, "If American intelligenceagencies are intercepting, receiving or distributing communicationsinvolving our citizens without court orders, or legal authority, theyare doing so outside the bounds of the Constitution. If ProjectECHELON exists as reported, all Americans who care about the integrityof our Constitution should be concerned."

Last spring, Rep. Porter Goss (R-FL), chairman of the HouseIntelligence Committee, requested access to legal memoranda onsurveillance authority prepared by NSA's General Counsel, but theagency rebuffed the request citing "attorney-client privilege." (SeeEPIC Alert 6.08).

[5] IETF Rejects Proposal on Internet Wiretaps

In a public, plenary session on November 10, members of the InternetEngineering Task Force (IETF) decided overwhelmingly not to developtechnical standards that would facilitate wiretapping of Internetcommunications. After an hour-long debate, the IETF members resolvedthe question of whether the standards group should build the kind ofsurveillance capabilities that are mandated for telephone systems bythe controversial Communications Assistance to Law Enforcement Act(CALEA). The Internet Engineering Steering Group and the InternetArchitecture Board will soon publish a formal IETF position paper basedon the consensus of the membership.

Prior to the debate, a group of computer security, cryptography, law,
and policy experts sent an open letter to the IETF urging rejection ofwiretap standards. They said that "such a development would harmnetwork security, result in more illegal activities, diminish users'
privacy, stifle innovation, and impose significant costs on developersof communications."

The rejected proposal arose when some IETF members asserted that CALEArequired such Internet standards. With the emergence of Internettelephony, some have argued that the law should now be read to coverthe Internet. That view, however, is countered by the legislativehistory of the 1994 law, which clearly stated that CALEA "does notrequire reengineering of the Internet, nor does it impose prospectivelyfunctional requirements on the Internet."

The text of the open letter to the IETF is available at:
The legislative history of CALEA is available at:

[6] TRUSTe Fails to Launch Investigation into RealNetworks

On November 1, the New York Times reported on the discovery made byindependent security consultant Richard Smith that online softwaredistributor RealNetworks was collecting information about the musictastes of 13.5 million Real product users without their knowledge.
Despite initially indicating that it would launch an investigation intoits licensee RealNetworks, the TRUSTe privacy certificationorganization has chosen not to pursue an inquiry, citing a loophole inthe existing license agreement. TRUSTe claims to provide adequateprivacy guidelines and oversight of privacy violations for companiesthat it certifies.

RealJukebox (software downloaded through the site of RealNetworks) wassurreptitiously scanning computer hard drives for music files andtransmitting information about the genre of music, the format of themusic files, and the type of connected music player used back toRealNetworks. This information was also tied to personal informationpreviously collected through registration forms. After the activitiesof the RealJukebox software became public, RealNetworks provided asoftware "patch" that would prevent the further transmission ofinformation.

TRUSTe refused to launch an investigation since RealNetworks did nottechnically violate any part of its license agreement. The TRUSTelicense agreement only covers information collected from individualsover a website. TRUSTe claimed that since the information collectionand transmission occurred through software downloaded at a site, therewas in fact no violation of the license agreement. TRUSTe did announceplans to change its license agreement to include software downloadedthrough a website.

This is not the first time that TRUSTe has failed to launch aninvestigation into an apparent violation of one of its licensees. InMarch, Microsoft was found to be including Globally Unique Identifiers(GUIDs) within Microsoft Office 1998 that would allow all documents andvisits to Microsoft operated websites to be tied with personalinformation provided through earlier software registrations. As in thecase of RealNetworks, TRUSTe found that Microsoft did not violate theTRUSTe license agreement and refused to perform an investigation.

Remedies for Real users may still be available; several class actionlawsuits have been filed alleging that RealNetworks violated variousfederal and state laws by secretly collecting data.

For more information on the RealNetworks and Microsoft privacyIncidents, see:

[7] EPIC Bookstore -- Genetic Secrets

Genetic Secrets: Protecting Privacy and Confidentiality in the GeneticEra by Mark A. Rothenstein
Twenty-three articles by professionals from law, medicine, bioethics,
public health, science policy, clinical genetics, philosophy, and otherfields grapple with new issues of medical privacy and confidentialitybrought about by recent advances in genetic research. Coverage includestopics such as genetic information in the schools, laws to regulate theuse of genetic information, environmental population screening, publichealth lessons from the HIV experience, European data protection law,
and implications of testing for health and life insurance. The bookconcludes with a recommendation of a framework for deciding futurepolicy written by the editor.

EPIC Publications:

"The Privacy Law Sourcebook: United States Law, International Law, andRecent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of US and International privacy law, as wellas a comprehensive listing of privacy resources.

"Filters and Freedom - Free Speech Perspectives on Internet ContentControls," David Sobel, editor (EPIC 1999). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"Cryptography and Liberty: An International Survey of CryptographyPolicy" Wayne Madsen and David Banisar, editors, (EPIC 1999). Price:

An international survey of encryption policies around the world. Surveyresults show that in the vast majority of countries, cryptography maybe freely used, manufactured, and sold without restriction, with theU.S. being a notable exception.

"Privacy and Human Rights 1999: An International Survey of Privacy Lawsand Developments" David Banisar, Simon Davies, editors, (EPIC 1999).
Price: $15.

An international survey of the privacy and data protection laws foundin 50 countries around the globe. This report outlines theconstitutional and legal conditions of privacy protection, andsummarizes important issues and events relating to privacy andsurveillance.

Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be orderedthrough the EPIC Bookstore:

[8] Upcoming Conferences and Events

Washington, D.C., USA Internet Engineering Task Force (IETF) Meeting.
November 7-12, 1999. Omni Shoreham Hotel. Washington, D.C. For moreinformation:
The 1999 BNA Public Policy Forum: E-Commerce and Internet Regulation.
November 15, 1999. Mayflower Hotel. Washington, D.C. For moreinformation:

Call for Papers -- Impacts of Economic Liberalization on IT Productionand Use. The Information Society. Manuscripts due November 15, 1999.
For more information:
Call for Papers -- Telecommunications: The Bridge to Globalization inthe Information Society. International Telecommunications Society.
Abstracts due November 15, 1999. For more information:
PDD-63 Congressional Research Service Seminar. November 19, 1999.
James Madison Building, Library of Congress. For more information:
Annual Computer Security Applications Conference: Practical Solutionsto Real Security Problems. December 6-10, 1999. Radisson ResortScottsdale. Phoenix, Arizona. For more information:

Integrating Government with New Technologies '99 Policy vs Technology:
Service Integration in the New Environments - A two-day Seminar andTraining Session. December 13-14, 1999. Government Conference Center.
Ottawa, Canada. For more information:
Surveillance Expo '99. December 13-15, 1999. Doubletree Hotel. CrystalCity, Virginia. For more information:
PEN/Newman's Own Eighth Annual First Amendment Award. Nominations dueDecember 31, 1999. For more information:
RSA 2000. The ninth annual RSA Data Security Conference and Expo.
January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA.
For more information:

Santa Clara University Computer and High Technology Journal Symposiumon Internet Privacy. February 11-12, 2000. For more information:
Telecommunications: The Bridge to Globalization in the InformationSociety. Biennial Conference of the International TelecommunicationsSociety. July 2-5, 2000. For more information:

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic PrivacyInformation Center. A Web-based form is available for subscribing orunsubscribing at:
To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or"unsubscribe".

Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interest researchcenter in Washington, DC. It was established in 1994 to focus publicattention on emerging privacy issues such as the Clipper Chip, theDigital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsoredby the Fund for Constitutional Government, a non-profit organizationestablished in 1974 to protect civil liberties and constitutionalrights. EPIC publishes the EPIC Alert, pursues Freedom of InformationAct litigation, and conducts policy research. For more information,
e-mail, or write EPIC, 666Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240(tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible. Checksshould be made out to "The Fund for Constitutional Government" and sentto EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for the rightof privacy and efforts to oppose government regulation of encryptionand expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 6.19


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback