WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 1999 >> [1999] EPICAlert 9

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 6.09 [1999] EPICAlert 9


Volume 6.09 June 10, 1999

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] EPIC Survey Finds Few Crypto Controls
[2] Banking Official Cites Growing Privacy Concerns
[3] Minnesota Sues Bank for Customer Data Sales
[4] Safe Harbor Sunk?

[5] Arizona Restricts Use of Student Social Security Numbers
[6] Anti-Abortion Webmaster Sues ISP Over Shut-Down
[7] EPIC Bookstore - "Visions of Privacy"

[8] Upcoming Conferences and Events

[1] EPIC Survey Finds Few Crypto Controls

This week the Electronic Privacy Information Center released the secondannual survey of encryption policies around the globe. "Cryptographyand Liberty 1999" finds that few countries restrict the use,
manufacture, or sale of encryption products and services. However,
export controls that allow countries to license products before theymay be shipped overseas continue to be a significant obstacle to thewidespread availability of encryption, according to the report.

Encryption technology is considered essential for online privacy andsecurity. But law enforcement and intelligence agencies have lobbiednational governments to maintain export controls to prevent thewidespread availability of the product. According to the EPIC report,
few countries today impose domestic controls on encryption and there islittle interest in techniques, such as "key escrow" or "key recovery,"
that would enable government access to private messages.

EPIC noted that the OECD Cryptography Guidelines, adopted in 1997 bythe Paris-based organization, are encouraging further liberalization ofcontrols on encryption. In particular, the French government hasbacked off a proposal for key escrow encryption. However, a recentlyadopted agreement on export controls, championed the United States, maylead to more restrictive policies in some Northern European countriesthat previously did not license the export of encryption products.

"Cryptography & Liberty" was conducted with the assistance of membersof the Global Internet Liberty Campaign, an international associationof organizations working to promote free expression and protect privacyon the Internet. The survey was released the same week that the U.S.
Congress considered legislation that would relax export controls in theUnited States. On June 9, the House Intelligence Committee held ahearing on the Security and Freedom through Encryption Act, sponsoredby Rep. Bob Goodlatte (R-VA). The Senate Commerce Committee on June 10considered encryption legislation sponsored by Sen. John McCain (R-AZ).

A separate survey prepared by Professor Lance Hoffman examines theforeign availability of encryption products. The report, "GrowingDevelopment of Foreign Encryption Products in the Face of U.S. ExportRegulations," found that at least 167 foreign cryptographic productsuse strong encryption in the form of these algorithms: Triple DES,
IDEA, BLOWFISH, RC5, or CAST-128. The report also identified 512foreign companies that either manufacture or distribute foreigncryptographic products in at least 67 countries outside the UnitedStates. The report raises further questions about the reasonablenessof U.S. export control policy.

"Cryptography & Liberty 1999" is available online at the EPIC web site.
The bound, paper version of the report can be also purchased on-lineat the EPIC bookstore, which is operated in association

Cryptography and Liberty 1999 (online) is available at:
Cryptography and Liberty 1999 (paper) is available at:
"Growing Development of Foreign Encryption Products" is available at:

[2] Banking Official Cites Growing Privacy Concerns

Comptroller of the Currency John D. Hawke Jr. warned banks on June 7to stop what he called the abusive practice of selling customers'
personal data to telemarketing firms or face possible action byCongress. Hawke, who oversees nationally chartered banks, said thepractice by a few banks raises "serious legal concerns," which hisoffice and other federal banking agencies are examining.

"Unfortunately, there's mounting evidence of an increase in bankingpractices that are at least seamy, if not downright unfair anddeceptive -- practices that virtually cry out for government scrutiny,"
Hawke told bank lending officers at a meeting in San Francisco. "Onemust be troubled about the implications of this practice for thepreservation of customer confidence in the confidentiality of thebank-customer relationship."

The Comptroller's comments came as some members of Congress arepromoting legislation that would give consumers the right to stopaffiliated banks, brokerage firms and insurance companies from sharingpersonal financial data. A bill sponsored by Rep. Jay Inslee (D-WA)
would allow consumers to "opt out" of personal data-sharing amongaffiliated financial companies. The legislation follows a proposalmade last month by President Clinton, who urged Congress to strengthenconsumers' rights when banks and other financial companies attempt toshare information about them (see EPIC Alert 6.07).

In addition, several members of the House Banking Committee havepromised action. Rep. John J. LaFalce (D-NY) plans to introducelegislation to restrict the sharing of information about credit cardcustomers. Rep. Marge Roukema (R-NJ), chair of the House BankingSubcommittee on Consumer Credit, plans hearings on privacy July 21 and22. House Banking Committee Chairman Jim Leach (R-IA) said a lawsuitfiled by the Minnesota Attorney General (see below) shows that privacyis an issue "that demands continued oversight."

The text of the Comptroller General's speech is available at:

[3] Minnesota Sues Bank for Customer Data Sales

Minnesota's Attorney General filed suit on June 8 against U.S. Bank,
charging that the bank violated the Fair Credit Reporting Act and stateconsumer protection laws when it sold confidential customer informationto a telemarketing company. The lawsuit alleges that U.S. Bank soldcustomer data from its own and other databases to MemberWorks Inc.,
a Connecticut telemarketing firm.

Customer information that U.S. Bank allegedly shared with MemberWorksincluded names, addresses, and telephone numbers of primary andsecondary customers, checking account numbers, credit card numbers,
social security numbers, date of birth, account status and frequency ofuse, gender, marital status, homeowner status, occupation, the date thecustomer opened a particular account, average account balance,
year-to-date finance charges for credit card accounts, credit insurancestatus, and information about the customer's most recent purchase bycredit card.

The suit alleges that the bank also allowed MemberWorks to chargecustomer accounts without obtaining written authorization, as requiredby rules established by the National Automated Clearing HouseAssociation. "Minnesota customers who are telemarketed by MemberWorksand its agents are unaware at the time of the solicitation that theircredit card numbers and/or checking account numbers are already in thetelemarketers' possession," the complaint says.

Minnesota Attorney General Mike Hatch charges that U.S. Bank violatedfour specific provisions of the federal Fair Credit Reporting Act. Thesuit also alleges three counts of state law violations -- failing toprevent consumer fraud, false advertising, and deceptive tradepractices. "People are appropriately careful about protecting theirSocial Security number, checking, and credit card information," Hatchsaid in a statement after the suit was filed. "When a bank hands outthis information to the highest bidder, it has to answer to itscustomers and to the Attorney General's office."

Additional information on the Minnesota litigation (including the textof the complaint) is available at:

[4] Safe Harbor Sunk?

Early reports on the day-long meeting at the end of May between topnegotiators for the United States and the European Union suggest thatthere will be no agreement on the "Safe Harbor" proposal before theU.S.-EU summit in Germany later this month. The Department of Commercehas been urging officials of the European Union to agree that the U.S.
system of "self-regulation" provides adequate privacy protection andthat no further legislation is necessary to protect the interests ofEuropean citizens whose personal information is processed in the UnitedStates.

European privacy officials participated in extensive meetings with U.S.
trade officials but were unable to resolve key questions aboutenforcement, access, and implementation. A group of experts wroterecently:

Data protection rules only contribute to the protection of individuals to the extent to which they are followed in practice.
In an entirely voluntary scheme such as this compliance with the rules must be at least guaranteed by an independent investigative mechanism for complaints and sanctions which must be, on the one hand dissuasive and, on the other give individual compensation where appropriate.

Consumer and privacy organizations on both sides of the Atlantic alsoobjected to the Safe Harbor proposal. The Trans Atlantic ConsumerDialogue, representing sixty consumer groups in the United States andEurope, adopted a resolution last month in opposition to the SafeHarbor proposal. This week Jim Murray, President of the EuropeanConsumers Organization (BEUC), wrote to Jacques Santer, President ofthe European Commission, and EC Members Mario Monti and Emma Bonino toexpress further concern about the Safe Harbor proposal. Mr. Murraysaid that, "Without simple and effective complaint and redressprocedures, the proposed U.S. regime would not have sufficientdeterrents to prevent abuse of consumer rights, even in flagrantcases."

The text of the Safe Harbor Proposal is available at:
The Trans Atlantic Consumer Dialogue resolution is available at:
The European Consumers' Organization website:

[5] Arizona Restricts Use of Student Social Security Numbers

Newly-enacted legislation in Arizona prohibits the use of SocialSecurity numbers as a student identification numbers in universities.
Wisconsin enacted such a similar law last year. The Arizona bill (SB1399) prohibits a university under the jurisdiction of the Arizonaboard of regents or a community college district under the jurisdictionof the state board of directors for community colleges from assigning astudent an identification number which is identical to, or incorporatesany portion of, the student's Social Security number. The restrictionbecomes effective on June 30, 2002.

The bill also prohibits universities and community college districtsfrom displaying a student's Social Security number or any fourconsecutive digits of a student's Social Security number on theInternet or on any publicly accessible document. The legislationallows a student to consent to the use of his or her Social Securitynumber as their ID number and stipulates that community colleges anduniversities can electronically transfer data and are not prohibitedfrom complying with any federal reporting requirements.

More information on the privacy implications of the misuse of SocialSecurity numbers is available at:

[6] Anti-Abortion Webmaster Sues ISP Over Shut-Down

The operator of a controversial anti-abortion website has filed a $250million breach of contract suit against his former service provider.
Otis O'Neal Horsley filed suit against MindSpring Enterprises Inc. in aGeorgia state court earlier this week, alleging breach of contract forthe shutting down of the "Nuremberg Files" site, which featuredpictures of aborted fetuses and the names of doctors providing abortionservices.

Horsley alleges the Atlanta-based ISP damaged his political campaign tostop legal abortion and his ability to solicit financial support whenit shut down the site in February. MindSpring began a review of thesite after an Oregon jury found some of Horsley's colleagues in theanti-abortion movement in violation of the federal access to abortionclinic law in January. Although Horsley was not a defendant in thecase, the Nuremberg Files site was a central element of the trial.

The Web site solicited and posted information such as where abortiondoctors lived, their work habits, vehicle descriptions and tag numbers,
places of worship and details about their families. He listed names ofabortion doctors on the site and crossed out the names of doctors whohad been killed.

[7] EPIC Bookstore - "Visions of Privacy"

A new collection of articles, edited by Colin J. Bennettt and RebeccaGrant, offers fresh and intriguing perspectives on the timeless problemof privacy protection. Available now at the EPIC Bookstore.

"As the world moves into the twenty-first century, cellular systems,
high-density data storage, and the Internet are just a few of the newtechnologies that promise great advances in productivity andimprovements in the quality of life. Yet these new technologies alsothreaten personal privacy. A surveillance society, in which theindividual has little control over personal information, may be thelogical result of deregulation, globalization, and a massdata-processing capacity." - From the introduction.

"Visions of Privacy: Policy Choices for the Digital Age"
(University of Toronto Press 1999). List $22.95.

[8] Upcoming Conferences and Events

INET 99. San Jose, Calif., June 22-25, 1999. Sponsored by theInternet Society. Contact:

Privacy Laws & Business 12th Annual International Conference -- "NewData Protection Law: Issues, Solutions, Action." June 28-30, 1999, StJohn's College, Cambridge, United Kingdom. Contact: Privacy Laws &
Business, Tel: + 44 (0) 181 423 1300, Fax: + 44 (0) 181 423 4536,
e-mail:, or
National Coalition to Protect Political Freedom, 3rd Annual Meeting.
Georgetown University Law Center, Washington, DC. July 9-10, 1999.
Contact: Kit Gage 301-587-7442,
Jurisdiction: Building Confidence in a Borderless Medium. QueenElizabeth Hotel, Montreal, Canada, July 26-27, 1999. Sponsored by theInternet Law and Policy Forum. Contact: Marilyn Malenfant+1.514.744.0408 or

ABA Annual Conference, Section of International Law and Practice.
"Privacy Issues in Electronic Commerce." August 9, 1999. Atlanta,
Georgia. Contact
The 21st International Conference on Privacy and Personal DataProtection. Hong Kong, September 13-14, 1999. A distinguished groupof over 50 speakers/panelists from overseas and Hong Kong will explorethe theme of "Privacy of Personal Data, Information Technology &
Global Business in the Next Millennium."" Sponsored by the Office ofthe Privacy Commissioner for Personal Data in Hong Kong. Contact:
"A Privacy Agenda for the 21st Century."" Sept 15. Hong Kong Conventionand Exhibition Centre, Hong Kong PRC. Contact:

Information Security Solutions Europe 1999. Oct 4-6. Maritim proArteHotel, Berlin, Germany. contact

RSA 2000. The ninth annual RSA Data Security Conference and Expo. SanJose McEnery Convention Center. San Jose, CA. January 16-20, 2000,

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic PrivacyInformation Center. A Web-based form is available for subscribing orunsubscribing at:
To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or"unsubscribe".

Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interest researchcenter in Washington, DC. It was established in 1994 to focus publicattention on emerging privacy issues such as the Clipper Chip, theDigital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsoredby the Fund for Constitutional Government, a non-profit organizationestablished in 1974 to protect civil liberties and constitutionalrights. EPIC publishes the EPIC Alert, pursues Freedom of InformationAct litigation, and conducts policy research. For more information,
e-mail, or write EPIC, 666Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240(tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible. Checksshould be made out to "The Fund for Constitutional Government" and sentto EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for the rightof privacy and efforts to oppose government regulation of encryption andexpanding wiretapping powers.

Thank you for your support.

END EPIC Alert 6.09


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback