WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 1999 >> [1999] EPICAlert 6

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 6.06 [1999] EPICAlert 6


Volume 6.06 April 22, 1999

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] FTC Proposes Rules for Kids' Privacy Protection
[2] Encryption Bill Introduced in Senate
[3] Know Your Passenger: FAA Introduces New Screening Rules
[4] Online Anonymity Under Attack in the Courts
[5] Justice Department Appeals Internet Censorship Ruling
[6] "Orwell Awards" Presented to Biggest U.S. Privacy Invaders
[7] EPIC Bill-Track: New Bills in Congress
[8] Upcoming Conferences and Events

[1] FTC Proposes Rules for Kids' Privacy Protection

The Federal Trade Commission issued proposed rules on April 20designed to protect the privacy of children on the Internet. Theproposed rules, which would apply to certain commercial websites, isthe FTC's first step in the implementation of the Children's OnlinePrivacy Protection Act, which Congress enacted last October. Theintended goal of the statute is to put parents in control ofinformation collected online from children under 13.

"Protecting kids who surf the Internet has been a top priority of theCommission's online privacy initiative," said FTC Chairman RobertPitofsky. "This proposed rule aims to achieve that goal by puttingparents in control of personal information that is collected fromtheir children on the Web. The proposed rule also providesflexibility to accommodate varied business practices and the fast paceof technological change."

The proposed FTC rules, which are subject to public comment, apply tocommercial websites directed to, or that knowingly collect informationfrom, children under 13. With certain exceptions, these sites wouldhave to obtain parental consent before collecting, using, ordisclosing personal information from children. To inform parents oftheir information practices, these sites also would be required toprovide notice on the site and to parents about their policies withrespect to the collection, use and disclosure of children's personalinformation.

Under the proposed rules, sites must give parents a choice as towhether their child's information can be disclosed to third parties,
and give parents a chance to prevent further use or future collectionof personal information from their child. Parents must also, uponrequest, be given access to the personal information collected fromtheir child and a means of reviewing that information.

Written comments on the proposed rules will be accepted until June 11,
1999. Comments may be submitted by e-mail to

More information on children's privacy, including the text of theproposed FTC rules, is available at:

[2] Encryption Bill Introduced in Senate

Senator John McCain (R-AZ) on April 14 introduced the Promote ReliableOn-Line Transactions to Encourage Commerce and Trade (PROTECT) Act of1999 (S.798), which is designed to promote international electroniccommerce and limit the power of the federal government to mandateencryption requirements for the domestic market. The bill prohibitsmandatory access to encryption keys or key recovery information by theUnited States government or the government of any state. The billwould also permit the export of unlimited strength encryption tomembers of NATO, the Organization for Economic Cooperation andDevelopment (OECD), and the Association of Southeast Asian Nations(ASEAN). Exports to other nations would limited to strengths of64-bits.

The bill would require the National Institute of Standards andTechnology (NIST) to complete work on the Advanced Encryption Standard(AES) by January 1, 2002. It further stipulates that productsadhering to the standard will be permitted to be exported "consistentwith the national security requirements of the United States." ThePROTECT Act also establishes an Encryption Export Advisory Board whichwould periodically determine the availability of various encryptionproducts abroad and make necessary recommendations to the Secretary ofCommerce to amend export regulations on encryption.

Notably, the bill does not include a criminalization provision likethe one included in the SAFE Act currently pending in the House ofRepresentatives. That provision would create a new federal crime forthe use of encryption in the commission of a felony.

The introduction of the legislation is also significant because itappears to signal a change in Sen. McCain's position on the encryptionissue. As Chairman of the Senate Commerce Committee, Sen. McCain hasin the past opposed any liberalization of existing encryption policy.

Additional information on encryption, including the text of thePROTECT Act, is available at:

[3] Know Your Passenger: FAA Introduces New Screening Rules

The Federal Aviation Administration proposed new rules on April 20 forincreasing airline security by requiring that all airlines conductcomputerized profiling of all passengers on domestic flights. The newprogram, called Computer Assisted Passenger Screening (CAPS), woulduse data from airline computers and secret profiling standards toselect passengers for additional questioning and searches.

Under the new rules, airlines would select passengers for increasedscrutiny based on internal profiling standards. They would alsorandomly select some passengers for the "deterrent value that wouldincrease airline passenger safety." The FAA funded the program,
paying the carriers over $10 million to develop CAPS. The new rules'
details on who would be targeted by the automated systems are notrevealed for security reasons. However, the Department of Justice hasdetermined that the rules raise no civil liberties concerns.

The rules are based on the recommendations of the White HouseCommissioner on Aviation Safety and Security, led by Vice PresidentAl Gore. The Gore Commission issued its report in 1997 and wascriticized by a coalition of groups for its intrusive proposals. Theproposed rules recognize that there have been few actual incidents ofthe sort that CAPS seeks to address (the only one reported was in1979), but links unrelated occurrences such as the World Trade Centerbombing and the accidental crash of TWA Flight 800 as justificationfor the stringent new procedures. The FAA estimates that it will costbetween $50 million and $70 million to implement the program, whichwill be paid by the airlines and presumably passed onto passengers.

Comments are due on the proposal by June 18, 1999. They can bee-mailed to More information on the proposedrules, airline security and privacy issues is available at:

[4] Online Anonymity Under Attack in the Courts

Several recent court cases around the country highlight anincreasingly popular litigation tactic: the use of civil discovery tounmask the identities of anonymous Internet posters. In the last fewmonths, a growing number of corporations have issued subpoenas toInternet service providers (ISPs) and operators of online messageboards seeking to identify and locate individuals who posted materialthat the companies, for one reason or another, find objectionable.
Brian Payea, a spokesman for Lycos, recently told Salon Magazine thatthe firm receives subpoenas on "pretty close to a regular basis." Theunderlying allegations in these cases include defamation, misappropri-
ation of trade secrets and securities law violations. Many observersworry, however, that the legal tactic can easily be used to intimidatepotential critics into silence and destroy the anonymity that hascontributed to the Internet's explosive growth.

The recent cases, which include actions filed by Raytheon, Shoney'sand Wade Cooke Financial, raise serious issues concerning the rightsof anonymous Internet users and the procedural protections they shouldbe entitled to before their identities are disclosed. At present,
there is no legal guidance in this area. The federal ElectronicCommunications Privacy Act (ECPA) doesn't even require the issuance ofsubpoenas when a private party seeks a subscriber's identity from anISP; only government agencies are required to present a legal demandfor such information. While many service providers (such as AmericaOnline) provide in their terms of service that they will not disclosesubscriber information to private parties without a subpoena, most arenot obligated to notify a subscriber that a subpoenas has beenreceived. Even when the subscriber is notified of a pending demandfor identifying information, there are no established judicialprocedures that would enable "John Doe" to argue in support of hisanonymity.

While many of the pending cases involve serious charges of allegedwrongdoing, there is no mechanism currently in place to distinguishbetween someone who is hiding behind their anonymity to commit a crimeor other wrongful act, and someone who is, for instance, shieldingtheir identity for whistle-blowing purposes or to communicateanonymously in an HIV-support group or on a message board for batteredwomen. Until the courts or Congress establish basic ground rules forthese cases, the number of subpoenas -- legitimate and otherwise --
is likely to increase.

[5] Justice Department Appeals Internet Censorship Ruling

The U.S. Department of Justice on April 2 appealed a lower courtdecision enjoining enforcement of the Child Online Protection Act(COPA). The case against COPA -- brought by EPIC, the ACLU and otherorganizations -- now moves to the U.S. Court of Appeals for the ThirdCircuit. Appellate briefs are likely to be filed sometime thissummer.

The government appeal will challenge the finding of Judge Lowell A.
Reed, Jr. that the new Internet censorship law would restrict freespeech in the "marketplace of ideas." Judge Reed's February 1 rulingenjoins enforcement of COPA, the statutory successor to theCommunications Decency Act (CDA), which the Supreme Court struck downin June 1997. The legal challenge to COPA was filed on behalf of 17organizations publishing information on the World Wide Web. Ingranting a preliminary injunction against COPA, the court held thatthe plaintiffs are likely to succeed on their claim that the law"imposes a burden on speech that is protected for adults." The rulingcame after a six-day hearing which featured testimony from websiteoperators who provide free information about fine art, news, gay andlesbian issues and sexual health for women and the disabled, and whoall fear that COPA would force them to shut down their websites.

In his 49-page opinion, Judge Reed listed 68 separate "findings offact" to support his decision. The judge considered evidence thatCOPA imposed technological and economic burdens on speakers, butconcluded that ultimately the relevant inquiry is the "burden imposedon the protected speech, not the pressure placed on the pocketbooks orbottom lines of the plaintiffs."

The full text of the Judge Reed's decision, and complete informationon the legal challenge, is available at:

[6] "Orwell Awards" Presented to Biggest U.S. Privacy Invaders

Privacy International presented its first Orwell Awards on April 7 tothe worst corporate and government privacy invaders in the UnitedStates. Privacy International's Director, Simon Davies, said theawards were designed to raise awareness of the erosion of privacyrights in the U.S. "Surveillance over our private lives has reached adangerous new level. It's time to turn the spotlight around and shineit on the invaders." The awards were presented at the Computers,
Freedom and Privacy (CFP99) conference in Washington, DC.

A total of five awards were announced, but most recipients were not onhand to receive them. The winner in the "Worst Public Official"
category was Rep. Bill McCollum (R-FL) for his numerous activities inCongress opposing privacy, including pushing through a law increasingwiretapping approved last year, several bills promoting the creationof a national ID card, opposition to efforts to improve financialprivacy, and his recent efforts to amend the SAFE encryption bill tomandate key escrow. Runners-up were New York Mayor Rudolph Giuliani(for his suggestion to take DNA samples of all children at birth) andAmbassador David Aaron and White House Advisor Ira Magaziner (fortheir travels around the world promoting encryption restrictions andopposing privacy laws).

The Federal Depository Insurance Corporation received the award for"Most Invasive Proposal" for its "Know Your Customer" proposal (seeEPIC Alert 6.05). The runners-up were the Communications Assistancefor Law Enforcement Act (CALEA) and the FAA's Airline ID Program. The"Greatest Corporate Invader" award went to Elensys Inc., a Woburn,
Massachusetts company that has secretly collected the pharmacy recordsof millions of consumers from 15,000 pharmacies nationwide. Therunners-up were Intel for the Pentium III Processor Serial Number(designed to identify and track users) and ImageData for its attemptsto create a national database of drivers license photographs.

The "Lifetime Menace" award went to the Federal Bureau ofInvestigation for its activities over the past 80 years, includingCALEA, COINTELPRO, and its efforts on information warfare. Runners-upwere the Direct Marketing Association, the National Security Agency,
and credit bureau TransUnion Corp. Finally, Microsoft Corp. receivedthe "People's Choice" award for the Global User ID Number, OpenProfiling System, and the proposed P3P standard. The other candidateswere Intel, President Clinton and Special Prosecutor Kenneth Starr.

Two "Brandeis" Awards were presented to individuals who have made anoutstanding contribution to the protection of privacy, as well as tovictims of privacy invasion who have successfully fought back. PhilZimmermann, author of the encryption program Pretty Good Privacy, andDiana Mey, a West Virginia housewife who successfully took on Searstelemarketers, were the recipients this year.

More information on the awards can be found at:

[7] EPIC Bill-Track: New Bills in Congress


H.R. 1345. Eliminates requirement that states collect SSNs forrecreational licenses. Introduced by Obey (D-WI). Referred to theCommittee on Ways and Means.

H.R. 1426. Money Laundering Prevention Act of 1999. Expands rules onmoney laundering. Requires banks to better identify account holders.
Introduced by Waters (D-CA). Referred to the Committee on Banking andFinancial Services.

H.R. 1450. Personal Information Privacy Act of 1999. Limits sale ofcredit information, SSNs, drivers photographs. Introduced by RepKleczka, Gerald D. (D-WI). Referred to the Committee on Ways andMeans, and in addition to the Committees on Banking and FinancialServices, and the Judiciary.

H.R. 1471. Money Laundering Prevention Act of 1999. Expands rules onmoney laundering. Requires banks to better identify account holders.
Introduced by Waters (D-CA). Referred to the Committee on Banking andFinancial Services.


S. 753. Financial Services Act of 1999. Prohibits obtaining financialinformation under false pretenses. Requires FTC to issue interimreport on consumer privacy. Exempts law enforcement & financialinstitutions. Sponsor Sen Daschle, Thomas A. (D-ND). Referred to theCommittee on Banking.

S. 759. Inbox Privacy Act of 1999. Anti-spam bill. Sponsor SenMurkowski, Frank H. (R-AS). Referred to the Committee on Commerce.

S. 781. Telephone Privacy Act of 1999. Requires 2 party consent forrecording telephone calls. Sponsor: Sen Feinstein, Dianne (D-CA).
Referred to the Committee on the Judiciary.

S. 782. Patients' Telephone Privacy Act of 1999. Limits health careproviders recording of patients phone calls. Sponsor: Sen Feinstein,
Dianne (D-CA). Referred to the Committee on the Judiciary.

S. 798. Promote Reliable On-Line Transactions to Encourage Commerceand Trade (PROTECT) Act of 1999. Slightly relaxes export controls oncryptography. Sponsor Sen McCain, John (R-AZ). Referred to theCommittee on Commerce.

S. 800. Wireless Communications and Public Safety Act of 1999. Limitsuse of cellular location information for non-safety emergency uses.
Sponsor: Sen Burns, Conrad R (R-MT). Referred to the Committee onCommerce, Science, and Transportation.

S. 809. Online Privacy Protection Act of 1999. Requires FTC to setrules on collection of personal information by online services and webpages. Creates broad safe harbor protections for industry. Sponsor:
Sen Burns, Conrad R. (R-MT). Referred to the Committee on Commerce,
Science, and Transportation .

[8] Upcoming Conferences and Events

Encryption Controls Workshop. May 13, 1999. Raleigh, NC. Sponsored bythe U.S. Dep't of Commerce. Contact: (202) 482-6031
INET 99. San Jose, Calif., June 22-25, 1999. Sponsored by theInternet Society. Contact:

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic PrivacyInformation Center. A Web-based form is available for subscribing orunsubscribing at:
To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or"unsubscribe".

Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interest researchcenter in Washington, DC. It was established in 1994 to focus publicattention on emerging privacy issues such as the Clipper Chip, theDigital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsoredby the Fund for Constitutional Government, a non-profit organizationestablished in 1974 to protect civil liberties and constitutionalrights. EPIC publishes the EPIC Alert, pursues Freedom of InformationAct litigation, and conducts policy research. For more information,
e-mail, or write EPIC, 666Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240(tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible. Checksshould be made out to "The Fund for Constitutional Government" and sentto EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for the rightof privacy and efforts to oppose government regulation of encryption andexpanding wiretapping powers.

Thank you for your support.

END EPIC Alert 6.06


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback