
EPIC Alert



EPIC Alert 6.05 [1999] EPICAlert 5


Volume 6.05 March 25, 1999

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Register today for the 1999 Computers, Freedom and Privacy Conference April 6-8, 1999, Washington, DC

Table of Contents

[1] Public Outcry Kills "Know Your Customer" Banking Rules
[2] House Judiciary Committee Approves SAFE Crypto Bill
[3] EPIC Files Amicus Brief in Encryption Control Challenge
[4] Microsoft Tracks Users, But Watchdog is Mute
[5] Administration Names Privacy Counselor
[6] New Study Gives School Filtering a Failing Grade
[7] EPIC Bill-Track: New Bills in Congress
[8] Upcoming Conferences and Events

[1] Public Outcry Kills "Know Your Customer" Banking Rules

Following an unprecedented outpouring of public opposition, the federal bank regulatory agencies on March 23 withdrew their controversial "Know Your Customer" proposal. The proposed rules would have required banks to closely monitor their customers' bank accounts and report any "suspicious activity" to the federal government.

Donna Tanoue, Chair of the Federal Deposit Insurance Corporation, said in a statement:

Privacy is important to Americans, and we have e-mails, letters,
and postcards from more than 250,000 individuals to prove it.
Virtually all of them say the same thing: "I don't want anyone prying into my personal financial affairs, regardless of the reason." The Federal Deposit Insurance Corporation (FDIC) got that message . . . We need to be more sensitive to privacy in every context. We need to take privacy concerns into account in any regulatory proposal that touches upon the personal finances of bank customers, regardless of our objectives. When bank regulation can excite and unite individuals across the country, and in all walks of life, we have to pay attention.

The rules were proposed jointly by the FDIC, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision in December 1998. They would have required all banks to demand more identification from their customers, determine their usual banking patterns and report any unusual transactions to the federal government in the form of "Suspicious Activity Reports."

The rules were widely opposed by privacy, conservative and libertarian groups. The FDIC received 257,000 comments opposing the proposal; only 100 comments supported the rules. A number of banking groups, including the American Bankers Association, also came out against the regulations. Nearly a dozen bills were introduced in Congress that would have prohibited the rules from being adopted, and the Senate approved a resolution last week calling for the proposal to be withdrawn.

[2] House Judiciary Committee Approves SAFE Crypto Bill

The House Judiciary Committee approved the SAFE encryption bill on March 24. The legislation -- the Safety and Freedom through Encryption Act of 1999 -- would substantially relax U.S. export controls on encryption. The bill also contains a controversial provision that creates a new federal crime for the use of encryption to conceal criminal conduct. EPIC and other civil liberties groups have urged lawmakers to reconsider the issue of establishing new criminal offenses involving encryption.

The Judiciary Committee did not consider an amendment offered by Rep. Bill McCollum (R-FL) that would have limited export relief to only those encryption products that "include features or functions providing an immediate access to plaintext capability, if there is lawful authority for such immediate access." The McCollum amendment was ruled "non-germane" by Committee Chair Henry Hyde (R-IL). Rep. Zoe Lofgren (D-CA), a co-author of the SAFE bill, characterized the amendment as a resurrection of the discredited "Clipper" key escrow initiative.

The SAFE bill will next be considered by the House International Relations Committee, where the McCollum amendment is likely to be considered.

More information on the SAFE bill is available at:

[3] EPIC Files Amicus Brief in Encryption Control Challenge

Continuing its efforts to support pro-encryption lawsuits, EPIC coordinated the submission of a "friend-of-the-court" brief on March 8 arguing that U.S. export controls on encryption violate the First Amendment. The brief, which was joined by a broad coalition of organizations and several noted security experts, supports the challenge of Prof. Peter Junger, whose case is now pending before the U.S. Court of Appeals for the Sixth Circuit.

To communicate ideas and information about cryptography, and to encourage discussion and debate, Prof. Junger unsuccessfully sought a government determination that text written in C, Perl and other high-level programming languages (and relating to encryption) could be freely disseminated over the Internet. That determination was upheld by the lower court, resulting in the pending appeal.

The following are excerpts from the EPIC brief:

Governmental restrictions on the export of encryption software impede the development of the secure global infrastructure that electronic privacy requires. The Regulations substantially constrain communications over the global Internet: Unless both parties to the communication share encryption software that employs the same cryptographic methods and standards, they cannot communicate privately at all. The Regulations also have a negative impact on the development and availability of effective encryption software even within the United States.
. . .

The mechanisms that secured traditional paper-based communications --
envelopes and locked filing cabinets -- are being replaced by cryptographic security techniques. To require that electronic communications and records be unencrypted is equivalent to requiring that paper communications be sent by postcards instead of in sealed envelopes. Regulations that impose a significant burden on the dissemination of encryption software have a similar effect. If effective encryption is difficult to obtain, the result will be that private messages and records will be vulnerable to unwilling disclosure.

The full text is available at:

[4] Microsoft Tracks Users, But Watchdog is Mute

Industry privacy watchdog TRUSTe announced on March 21 that it would not sanction Microsoft for secretly creating a unique identifier for each user of Windows and then transferring that information to the software company. The decision has fed the growing doubt that industry self-regulation will adequately protect privacy in the absence of legal protections.

In early March, a consultant discovered that Microsoft's "Registration Wizard" created a unique number for each user based on their computer hardware. The ID number was transmitted to Microsoft even when consumers indicated that they did not want hardware information to be transmitted. The number was also included in a cookie and used to identify the user for each visit to the Microsoft web site, which requires that users accept cookies to access the site. The number was imbedded in documents created by Microsoft Word, Excel and other applications. The company claimed that it was unaware of these features and now says it will discard any collected data and fix the bug sometime this summer.

Privacy advocate Jason Catlett submitted a complaint to TRUSTe, which was founded by members of the online industry attempting to forestall legislation to enforce privacy protections. Microsoft is a founding member of TRUSTe and provides $100,000 each year to fund its efforts.

In declining to act, TRUSTe stated, "While this event does not fall within the boundaries of the TRUSTe License Agreement, it did, in TRUSTe's opinion, compromise consumer trust and privacy." Explaining why it declined to sanction Microsoft for its actions, TRUSTe said it "has determined that was in compliance with all TRUSTe principles. Had TRUSTe determined that had violated its stated practices, TRUSTe would have conducted an audit to ascertain that sufficient remedies had been put in place."

More information on the complaint against Microsoft is available at:

[5] Administration Names Privacy Counselor

A new player has joined the growing team of US officials managing the privacy issue. Ohio State Professor Peter Swire has been named chief counselor for privacy for the Office of Information and Regulatory Affairs within the Office of Management and Budget.

Swire is most well known for a book that he co-authored with Robert Litan titled "None of Your Business: World Data Flows, Electronic Commerce and the European Privacy Directive". The 1998 publication from the Brookings Institute explored the potential impact of the EU Data Directive on electronic commerce. The authors recommended the development of self-regulatory measures to address the European privacy challenge, but failed to look closely at the question of whether these measures would actually protect the privacy interests of US consumers. The book ignores the history of public concern about privacy in the United States as well as the privacy laws that often resulted. Only a few pages are devoted to the Fair Credit Reporting Act and the Privacy Act. It says nothing about the privacy protections in the Cable Privacy Protection Act, the Video Privacy Protection Act, the Telephone Consumer Protection Act or the current efforts to develop privacy protection for medical records and electronic commerce.

The book also provided an alarmist, almost caricature-like, description of privacy protection outside of the United States. Swire and Litan offered up the specter that personal computers would soon be seized at European airports if the Directive is fully enforced. However, there is little in the Directive or the twenty year history of privacy protection in Europe to support this claim and more American cryptographers have been stopped by US Customs officials enforcing US export control laws on privacy tools than European privacy officials.

It remains unclear at this point what specific role and responsibility Swire will have in the ever-changing mosaic of US privacy policy. The office falls short of the privacy agency that advocates and experts have long supported, and the focus on the EU Directive seems to miss the much more pressing concerns of US citizens. OMB lacks statutory authority to investigate privacy issues or pursue privacy complaints. Swire also recently traveled to Europe as a consultant to the US Department of Commerce to lobby European officials not to adopt new privacy laws.

UCLA Professor Jerry Kang, who served in the early days of the Administration in a role similar to Swire, recently published an article in the Stanford Law Review calling for the enactment of comprehensive privacy legislation for the Internet. It remains to be seen whether Swire's service in Washington will lead to a greater understanding of the pressing need to develop Fair Information Practices to protect the interests of US citizens.

[6] New Study Gives School Filtering a Failing Grade

A new report, detailing the use of Internet filtering software in Utah public schools and libraries, offers a revealing glimpse into the real-world effects of blocking programs. Produced by the Censorware Project, the report analyzes approximately 53 million lines of actual use data obtained from the Utah Education Network (UEN) under the state freedom of information law. UEN maintains eleven proxy servers which provide statewide "filtered" Internet access to all of Utah's public schools and some of its public libraries. The product used to screen out objectionable content is SmartFilter, a software package produced by Secure Computing.

The data shows that less than 0.4% of all access attempts on the UEN system were blocked by SmartFilter, despite the overbreadth of the program's filtering criteria. "Very few people used the Internet to access sexually explicit material, and students were less likely to do so," says the report. "The problem of minors accessing sexually explicit material is considerably less than some organizations would have the public and Congress believe."

The report also finds that SmartFilter, like other filtering products, blocks access to a large amount of socially useful content. Users in Utah were denied access to the Declaration of Independence, the United States Constitution, the Bible, the Koran, all of Shakespeare's plays and the Adventures of Sherlock Holmes.

Sen. John McCain (R-AZ) and Rep. Bob Franks (R-NJ) have introduced bills in Congress (S. 97 and H.R. 543) that would require libraries and schools to install filtering software as a condition of receiving federal Internet funds.

The report -- "Censored Internet Access in Utah Public Schools and Libraries" -- is available at:

[7] EPIC Bill-Track: New Bills in Congress

EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills in the 106th Congress

* House of Representatives *

H.R. 1015. Consumer Credit Report Accuracy and Privacy Act of 1999. Requires credit agencies to provide one free credit report each year to all consumers. Sponsor: Rep. Lucille Roybal-Allard. Referred to the House Committee on Banking and Financial Services.

H.R. 1057. Medical Information Privacy and Security Act. Sets general rules on use and disclosure of medical records. Sponsor: Rep. Edward J. Markey (D-MA). Referred to the Committee on Commerce, and in addition to the Committee on the Judiciary.

H.R. 1131. ATM Public Safety and Crime Control Act. Requires banks to put enhanced surveillance cameras in ATM machines to facilitate crime investigations based on FBI recommendations. Sponsor: Rep. Jerrold Nadler (D-NY). Referred to the Committee on Banking and Financial Services, and in addition to the Committee on the Judiciary.

H.R. 1159. Protection of Children From On-Line Predators and Exploitation Act of 1999. Creates new Child Cybersmuggling Center in the Customs Service, expands use of wiretapping. Sponsor: Rep. Nancy L. Johnson (R-CT). Referred to the Committee on Ways and Means, and in addition to the Committee on the Judiciary.

* Senate *

S. 543. Genetic Information Nondiscrimination in Health Insurance Act of 1999. Prohibits workplace, insurance discrimination based on genetic information. Sponsor: Sen. Olympia J. Snowe (R-ME).

S. 573. Medical Information Privacy and Security Act. Comprehensive medical privacy bill. Sponsor: Sen. Patrick J. Leahy (D-VT).

S. 578. Health Care PIN Act. Weaker comprehensive medical privacy act. Provides for limited protections on medical records, easy access to records by industry. Sponsor: Sen. James M. Jeffords (R-VT).

[8] Upcoming Conferences and Events

CYBERSPACE 1999: Crime, Criminal Justice and the Internet. March 29 & 30, 1999. York, UK. Sponsored by the British and Irish Legal Education Technology Association (BILETA).

"Computers, Freedom and Privacy: The Global Internet," April 6-8, 1999.
Washington, DC. Sponsored by ACM. Early registration deadline: March 15.
Online registration:

Implementation Strategies for the New Canadian Privacy Law. April 14-15.
Toronto, CA. Sponsored by Centrium Information and Conferencing.

Encryption Controls Workshop. May 13, 1999. Raleigh, NC. Sponsored by the U.S. Dep't of Commerce. Contact: (202) 482-6031

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:
To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail, or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 6.05

