WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 1999 >> [1999] EPICAlert 20

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 6.20 [1999] EPICAlert 20


Volume 6.20 December 6, 1999

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] EPIC Files Suit for NSA Memos on Surveillance Authority
[2] EPIC, ACLU and EFF Challenge New FBI Wiretap Rules
[3] Consumer Groups Respond to "Safe Harbor" Proposal
[4] Draft Crypto Regulations Fall Short of Earlier Promises
[5] Advocates Call on FTC, Companies to Stop Secret Profiling
[6] AOL Subscriber Privacy Preferences Expiring
[7] Holiday Shopping at the EPIC Bookstore
[8] Upcoming Conferences and Events

[1] EPIC Files Suit for NSA Memos on Surveillance Authority

The Electronic Privacy Information Center asked a federal court onDecember 3 to order the release of controversial documents concerningpotential government surveillance of American citizens. EPIC'slawsuit seeks the public disclosure of internal National SecurityAgency (NSA) documents discussing the legality of the agency'sintelligence activities.

NSA refused to provide the documents to the House IntelligenceCommittee earlier this year, resulting in an unusual public reprimandof the secretive spy agency. Rep. Porter J. Goss, chairman of theoversight panel, wrote in a committee report in May that NSA'srationale for withholding the legal memoranda was "unpersuasive anddubious." He noted that if NSA lawyers "construed the Agency'sauthorities too permissively, then the privacy interests of thecitizens of the United States could be at risk." Soon after therelease of the Intelligence Committee report, EPIC submitted a Freedomof Information Act (FOIA) request to NSA for the documents. Despitethe FOIA's time limit of 20 working days, the agency has not respondedto EPIC's request.

The surveillance activities of the NSA have recently come underincreased scrutiny, with published reports indicating that the agencyis coordinating a massive global interception initiative known asECHELON. The current issue of the New Yorker magazine reports that ittook NSA only 11 months to fill three years' worth of planned storagecapacity for intercepted Internet traffic.

The legal basis for NSA's interception activities is a critical issuethat EPIC plans to evaluate in a comprehensive study to be releasedearly next year. That study will be conducted by Duncan Campbell, aScottish investigative journalist and TV producer. Earlier this year,
Campbell was appointed a consultant to the European Parliament andprepared a technology assessment report on ECHELON and communicationsintelligence which contained the first public documentary evidence ofthe global surveillance system. Campbell will be working with EPIC asa Senior Research Fellow for several months to produce a report forpresentation at anticipated congressional hearings on the topic ofsignals intelligence agencies, the Fourth Amendment and human rights.

More information on ECHELON is available at the EchelonWatch website,
which is administered by the American Civil Liberties Union:
Duncan Campbell's report for the European Parliament is available at:

[2] EPIC, ACLU and EFF Challenge New FBI Wiretap Rules

EPIC joined with the American Civil Liberties Union and the ElectronicFrontier Foundation on November 18 in a court challenge to block newrules that would enable the FBI to dictate the design of the nation'scommunication infrastructure. The challenged rules would allow theBureau to track the physical locations of cellular phone users andmonitor Internet traffic. In petitions to the U.S. Courts of Appealsfor the District of Columbia Circuit and the Ninth Circuit, the groupssay that the rules -- contained in a Federal Communications Commission(FCC) decision issued in August (see EPIC Alert 6.13) -- could resultin a significant increase in government interception of digitalcommunications.

The court challenge involves the Communications Assistance for LawEnforcement Act ("CALEA"), a controversial law enacted by Congress in1994, which requires the telecommunications industry to design itssystems in compliance with FBI technical requirements to facilitateelectronic surveillance. In negotiations over the last few years, theFBI and industry representatives were unable to agree upon thosestandards, resulting in the recent FCC ruling. EPIC, ACLU and EFFparticipated as parties in the FCC proceeding.

The court filings assert that the FCC ruling exceeds the requirementsof CALEA and frustrates the privacy interests protected by federalstatutes and the Fourth Amendment. The groups assert that the FBI isseeking surveillance capabilities that far exceed the powers lawenforcement has had in the past and is entitled to under the law. Thecase will likely define the privacy standards for the nation'stelecommunication networks, including the cellular systems and theInternet.

The privacy groups are being represented on a pro bono basis by KurtWimmer and Gerard J. Waldron, partners at the Washington law firm ofCovington & Burling. Separate challenges to the FCC CALEA rules havebeen filed by the U.S. Telecom Association, the CellularTelecommunications Industry Association and the Center for Democracyand Technology. All of the petitions have been consolidated forfurther proceedings.

Background materials on CALEA, including documents filed by EFF, ACLUand EFF with the Federal Communications Commission, are available atEPIC's website:

[3] Consumer Groups Respond to "Safe Harbor" Proposal

U.S. and European Consumer organizations have submitted comments tothe Department of Commerce regarding the "Safe Harbor" proposal thatwould allow U.S. firms to self-certify privacy practices whenprocessing data on European citizens. The TransAtlantic ConsumerDialogue (TACD) said that the Safe Harbor proposal "still fails toprovide adequate data protection for the transfer of personalinformation from citizens in EU countries to companies in the UnitedStates." The groups urged the adoption of stronger measures to ensurethat "the loss of consumer privacy is not the cost of the informationeconomy."

The organizations said that "little progress has been made in theeffort to ensure consumer access to their personal information held bybusinesses and there is still no significant mechanism to enforceprivacy principles in the United States." The consumer organizationsurged negotiators to view privacy as a fundamental human right, notsimply a commercial matter. They said that the Safe Harbor processshould extend principles of data protection and further urgedcomprehensive coverage for citizens outside of Europe. They addedthat further steps should be taken to ensure that the Safe Harborprinciple complies with Fair Information Practices, particularly inthe areas of notice, consent, purpose specification, access,
enforcement and non-discrimination.

The statement was endorsed by the European Consumer Association(BEUC), the Consumer Federation of America, the Center for MediaEducation, the Consumer Project on Technology, the Electronic PrivacyInformation Center, the National Consumers League, and USPIRG for theTrans Atlantic Consumer Dialogue (TACD).

The TransAtlantic Consumer Dialogue is a forum of U.S. and EU consumerorganizations which develops joint consumer policy recommendations forthe U.S. government and European Union to promote the consumerinterest in EU and U.S. policy making. It includes more than sixtyconsumer organizations from the United States and Europe.

The following materials are available:

Department of Commerce, International Safe Harbor Privacy Principles(15 November 1999)
TACD Comments on Safe Harbor (3 December 1999)
TACD Resolution on Safe Harbor (April 1999)
Trans Atlantic Consumer Dialogue

[4] Draft Crypto Regulations Fall Short of Earlier Promises

When the Clinton Administration announced a new encryption policy inSeptember (see EPIC Alert 6.15), some observers were quick to concludethat the end of the controversial U.S. export controls was finally athand. Others (including EPIC) took a "wait and see" approach pendingthe release of final regulations implementing the new policy. A draftis now being circulated by the Administration, and the proposal isreceiving largely negative reviews.

Contrary to the claims made in September, the draft regulations wouldimpose a complex and confusing classification and licensing scheme onexports of encryption hardware and software. Many products would besubject to a "technical review" by export officials. The standardsfor such reviews are not spelled out in the regulations, leavingofficials with almost complete discretion and export applicants withlittle legal recourse.

Another confusing aspect of the draft is its use of the term "retail"
to describe those products that would be entitled to liberal exportconditions. The effect on freeware encryption products and opensource development projects is not clear.

One positive surprise is contained in the draft regulations.
Encryption source code would be eligible for export under certainconditions. Current restrictions on source code have been the subjectof great controversy over the last few years, leading to litigationchallenging the export rules as a "prior restraint" on academic andscientific expression. The U.S. Court of Appeals for the NinthCircuit ruled earlier this year in the Bernstein case that the sourcecode restrictions do, indeed, violate the First Amendment (see EPICAlert 6.07). That ruling is now being reviewed "en banc" by the NinthCircuit.

A final version of the new rules is expected to be issued aroundDecember 15. The text of the draft is available at:

[5] Advocates Call on FTC, Companies to Stop Secret Profiling

Privacy and consumers groups and a leading security expert have askedthe Federal Trade Commission to require software makers to close aloophole in many popular email systems that allows senders of bulkcommercial email to track the surfing behavior of people who merelyread the email.

Security expert Richard M. Smith said, "Web browser cookies and emailmessages don't mix. Web surfing is supposed to be anonymous, but withthe cookie leak security hole, companies can easily match our Emailaddresses to the Web sites we visit. I hope that Netscape, Microsoftand other software makers will quickly patch this hole."

Many email readers display email messages using a Web browser. If themessage contains graphics retrieved from the Web when the mail isopened, the loophole allows the recipient to be assigned a uniqueserial number in a "cookie," which will later be silently transmittedas the recipient surfs the Web. Many companies encode the recipient'semail address in the URL (web address) of the graphic, so that theirservers can match the cookie to the email address.

Jason Catlett, President of Junkbusters Corp. said, "Cookie leaks arethe bug from spammers that keeps on bugging. It's intolerable thatemail can be used to silently zap a nametag onto you that might bescanned by a site you visit later. It's like secretly bar-codingpeople with invisible ink."

At the FTC's hearings on online profiling last month, privacy groupscalled for an immediate halt to online profiling, warning that in theabsence of effective legal safeguards personal information would begathered secretly by marketing companies. Andrew Shen, Policy Analystat EPIC, said that "The lack of government action continues to placethe average user -- unaware of the tracking and surveillancetechnologies at work -- at the mercy of companies that often abusetheir privacy."

The organizations that urged an investigation of the "cookie leak"
included Junkbusters, the Center for Media Education, the PrivacyRights Clearinghouse, the Consumer Project on Technology, theCommercial Alert, the Private Citizen Inc., the Electronic FrontierFoundation, and the Electronic Privacy Information Center.

The groups' press release on the "Cookie Leak" announcement isavailable at:
Richard Smith's paper, "The Cookie Leak Security Hole in HTML EmailMessages," is available at:

[6] AOL Subscriber Privacy Preferences Expiring

America Online (AOL) recently sent a message to its twenty millionsubscribers advising them that their declared privacy preferences willexpire in early December. In what will become an annual chore, allAOL users will have to opt-out -- take it upon themselves to makespecific requests -- not to receive advertisements via mail, email, orpop-up messages.

While AOL spokesmen said that their privacy policy has always beenupfront about the need for annual revisions, EPIC expects most AOLsubscribers will be surprised that they have to reiterate theirprivacy preferences. AOL's action underscores the problems with"opt-out" procedures, which unfairly place the burden of privacyprotection on individuals. "Opt-out" has become the preferredindustry means of addressing privacy concerns, and forms the basis ofmany of the "self-regulatory" initiatives advanced as alternatives tolegal privacy protections.

AOL also rents subscriber lists with personal account information tomarketers, but AOL subscribers who have already opted-out of thatpractice will not have to renew that part of their preferences.

[7] Holiday Shopping at the EPIC Bookstore

Planning to buy a book, video, or DVD this holiday season? Visit theEPIC Bookstore for all the greatest books on privacy, free speech andonline liberty. And just in time for the holidays, we've updated ourvideo section to include a new selection of top films.

This holiday season EPIC features on DVD the blockbuster hit "TheMatrix" with all-time cyberstar Keanu Reeves, Gene Hackman's repriseas a surveillance specialist in "Enemy of the State," and thecaptivating "Dark City."

The Matrix

Amazon reviewers: 4.5
" . . .one of the most exhilarating sci-fi/action movies of the 1990s.
Set in the not too distant future, we find a young man named Neo(Keanu Reeves). A software techie by day and a computer hacker bynight, he sits alone at home by his monitor, waiting for a sign, untilone night a mysterious woman named Trinity (Carrie-Anne Moss)
introduces him to Morpheus (Laurence Fishburne). A messiah of sorts,
Morpheus presents Neo with the truth about his world by shedding lighton the dark secrets that have troubled him for so long: "You've feltit your entire life, that there's something wrong with the world. Youdon't know what it is, but it's there, like a splinter in your mind,
driving you mad." Morpheus shows Neo what the Matrix is -- a realitybeyond reality that controls all of their lives in a way that Neo canbarely comprehend."

Enemy of the State

Amazon reviewers: 4.5
"Robert Clayton Dean (Will Smith) is a lawyer with a wife and familywhose happily normal life is turned upside down after a chance meetingwith a college buddy (Jason Lee) at a lingerie shop. Unbeknownst tothe lawyer, he's just been burdened with a videotape of acongressman's assassination. Hot on the tail of this tape is aruthless group of National Security Agents commanded by abelligerently ambitious fed named Reynolds (Jon Voight). Usingsurveillance from satellites, bugs, and other sophisticated snoopingdevices, the NSA infiltrates every facet of Dean's existence, tracingeach physical and digital footprint he leaves. Driven by acuteparanoia, Dean enlists the help of a clandestine former NSA operativenamed Brill (Gene Hackman), and Enemy of the State kicks intohigh-intensity hyperdrive."

Dark City

Amazon reviewers: 4.5
In a city where it is always night, aliens conduct secret experimentsto learn what makes us human. Meanwhile, his memory mostly gone,
Sewell is suspected of being a serial killer, and finds he now hastelekinetic powers. Richly plotted sci-fi has striking set design andexcellent use of special effects; complex, with a new surprise everyfew minutes. - Leonard Maltin's Movie & Video Guide
EPIC Books - "Our Favorites"
EPIC Videos
EPIC Publications

[8] Upcoming Conferences and Events

Annual Computer Security Applications Conference: Practical Solutionsto Real Security Problems. December 6-10, 1999. Radisson ResortScottsdale. Phoenix, Arizona. For more information:

Integrating Government with New Technologies '99 Policy vs Technology:
Service Integration in the New Environments - A two-day Seminar andTraining Session. December 13-14, 1999. Government Conference Center.
Ottawa, Canada. For more information:
Surveillance Expo '99. December 13-15, 1999. Doubletree Hotel. CrystalCity, Virginia. For more information:
PEN/Newman's Own Eighth Annual First Amendment Award. Nominations dueDecember 31, 1999. For more information:
RSA 2000. The ninth annual RSA Data Security Conference and Expo.
January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA.
For more information:

Cyberspace and Privacy: A New Legal Paradigm? February 7, 2000.
Stanford Law School. Stanford, CA. For more information: or
Santa Clara University Computer and High Technology Journal Symposiumon Internet Privacy. February 11-12, 2000. For more information:
Telecommunications: The Bridge to Globalization in the InformationSociety. Biennial Conference of the International TelecommunicationsSociety. July 2-5, 2000. For more information:

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic PrivacyInformation Center. A Web-based form is available for subscribing orunsubscribing at:
To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or"unsubscribe".

Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interest researchcenter in Washington, DC. It was established in 1994 to focus publicattention on emerging privacy issues such as the Clipper Chip, theDigital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsoredby the Fund for Constitutional Government, a non-profit organizationestablished in 1974 to protect civil liberties and constitutionalrights. EPIC publishes the EPIC Alert, pursues Freedom of InformationAct litigation, and conducts policy research. For more information,
e-mail, or write EPIC, 666Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240(tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible. Checksshould be made out to "The Fund for Constitutional Government" and sentto EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for the rightof privacy and efforts to oppose government regulation of encryptionand expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 6.20


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback