You are here:
WorldLII >>
Databases >>
EPIC Alert >>
1999 >>
[1999] EPICAlert 9
Database Search
| Name Search
| Recent Articles
| Noteup
| LawCite
| Help
EPIC Alert 6.09 [1999] EPICAlert 9
EPIC ALERT
Volume 6.09 June 10, 1999
Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org
Table of Contents
[1] EPIC Survey Finds Few Crypto Controls
[2] Banking Official Cites Growing Privacy Concerns
[3] Minnesota Sues Bank for Customer Data Sales
[4] Safe Harbor Sunk?
[5] Arizona Restricts Use of Student Social Security Numbers
[6] Anti-Abortion Webmaster Sues ISP Over Shut-Down
[7] EPIC Bookstore - "Visions of Privacy"
[8] Upcoming Conferences and Events
[1] EPIC Survey Finds Few Crypto Controls
This week the Electronic Privacy Information Center released the secondannual survey of encryption policies around the globe. "Cryptographyand
Liberty 1999" finds that few countries restrict the use,
manufacture, or sale of encryption products and services. However,
export controls that allow countries to license products before theymay be shipped overseas continue to be a significant obstacle
to thewidespread availability of encryption, according to the report.
Encryption technology is considered essential for online privacy andsecurity. But law enforcement and intelligence agencies have
lobbiednational governments to maintain export controls to prevent thewidespread availability of the product. According to the EPIC
report,
few countries today impose domestic controls on encryption and there islittle interest in techniques, such as "key escrow" or "key
recovery,"
that would enable government access to private messages.
EPIC noted that the OECD Cryptography Guidelines, adopted in 1997 bythe Paris-based organization, are encouraging further liberalization
ofcontrols on encryption. In particular, the French government hasbacked off a proposal for key escrow encryption. However, a recentlyadopted
agreement on export controls, championed the United States, maylead to more restrictive policies in some Northern European countriesthat
previously did not license the export of encryption products.
"Cryptography & Liberty" was conducted with the assistance of membersof the Global Internet Liberty Campaign, an international
associationof organizations working to promote free expression and protect privacyon the Internet. The survey was released the same
week that the U.S.
Congress considered legislation that would relax export controls in theUnited States. On June 9, the House Intelligence Committee
held ahearing on the Security and Freedom through Encryption Act, sponsoredby Rep. Bob Goodlatte (R-VA). The Senate Commerce Committee
on June 10considered encryption legislation sponsored by Sen. John McCain (R-AZ).
A separate survey prepared by Professor Lance Hoffman examines theforeign availability of encryption products. The report, "GrowingDevelopment
of Foreign Encryption Products in the Face of U.S. ExportRegulations," found that at least 167 foreign cryptographic productsuse
strong encryption in the form of these algorithms: Triple DES,
IDEA, BLOWFISH, RC5, or CAST-128. The report also identified 512foreign companies that either manufacture or distribute foreigncryptographic
products in at least 67 countries outside the UnitedStates. The report raises further questions about the reasonablenessof U.S.
export control policy.
"Cryptography & Liberty 1999" is available online at the EPIC web site.
The bound, paper version of the report can be also purchased on-lineat the EPIC bookstore, which is operated in association withAmazon.com.
Cryptography and Liberty 1999 (online) is available at:
http://www2.epic.org/reports/crypto1999.html
Cryptography and Liberty 1999 (paper) is available at:
http://www.amazon.com/exec/obidos/ISBN=1893044033/electronicprivacA
"Growing Development of Foreign Encryption Products" is available at:
http://www.computerprivacy.org/
[2] Banking Official Cites Growing Privacy Concerns
Comptroller of the Currency John D. Hawke Jr. warned banks on June 7to stop what he called the abusive practice of selling customers'
personal data to telemarketing firms or face possible action byCongress. Hawke, who oversees nationally chartered banks, said thepractice
by a few banks raises "serious legal concerns," which hisoffice and other federal banking agencies are examining.
"Unfortunately, there's mounting evidence of an increase in bankingpractices that are at least seamy, if not downright unfair anddeceptive
-- practices that virtually cry out for government scrutiny,"
Hawke told bank lending officers at a meeting in San Francisco. "Onemust be troubled about the implications of this practice for
thepreservation of customer confidence in the confidentiality of thebank-customer relationship."
The Comptroller's comments came as some members of Congress arepromoting legislation that would give consumers the right to stopaffiliated
banks, brokerage firms and insurance companies from sharingpersonal financial data. A bill sponsored by Rep. Jay Inslee (D-WA)
would allow consumers to "opt out" of personal data-sharing amongaffiliated financial companies. The legislation follows a proposalmade
last month by President Clinton, who urged Congress to strengthenconsumers' rights when banks and other financial companies attempt
toshare information about them (see EPIC Alert 6.07).
In addition, several members of the House Banking Committee havepromised action. Rep. John J. LaFalce (D-NY) plans to introducelegislation
to restrict the sharing of information about credit cardcustomers. Rep. Marge Roukema (R-NJ), chair of the House BankingSubcommittee
on Consumer Credit, plans hearings on privacy July 21 and22. House Banking Committee Chairman Jim Leach (R-IA) said a lawsuitfiled
by the Minnesota Attorney General (see below) shows that privacyis an issue "that demands continued oversight."
The text of the Comptroller General's speech is available at:
http://www.occ.treas.gov/ftp/release/99-51a.txt
[3] Minnesota Sues Bank for Customer Data Sales
Minnesota's Attorney General filed suit on June 8 against U.S. Bank,
charging that the bank violated the Fair Credit Reporting Act and stateconsumer protection laws when it sold confidential customer
informationto a telemarketing company. The lawsuit alleges that U.S. Bank soldcustomer data from its own and other databases to
MemberWorks Inc.,
a Connecticut telemarketing firm.
Customer information that U.S. Bank allegedly shared with MemberWorksincluded names, addresses, and telephone numbers of primary andsecondary
customers, checking account numbers, credit card numbers,
social security numbers, date of birth, account status and frequency ofuse, gender, marital status, homeowner status, occupation,
the date thecustomer opened a particular account, average account balance,
year-to-date finance charges for credit card accounts, credit insurancestatus, and information about the customer's most recent purchase
bycredit card.
The suit alleges that the bank also allowed MemberWorks to chargecustomer accounts without obtaining written authorization, as requiredby
rules established by the National Automated Clearing HouseAssociation. "Minnesota customers who are telemarketed by MemberWorksand
its agents are unaware at the time of the solicitation that theircredit card numbers and/or checking account numbers are already
in thetelemarketers' possession," the complaint says.
Minnesota Attorney General Mike Hatch charges that U.S. Bank violatedfour specific provisions of the federal Fair Credit Reporting
Act. Thesuit also alleges three counts of state law violations -- failing toprevent consumer fraud, false advertising, and deceptive
tradepractices. "People are appropriately careful about protecting theirSocial Security number, checking, and credit card information,"
Hatchsaid in a statement after the suit was filed. "When a bank hands outthis information to the highest bidder, it has to answer
to itscustomers and to the Attorney General's office."
Additional information on the Minnesota litigation (including the textof the complaint) is available at:
http://www.ag.state.mn.us/home/files/news/pr_usbank1_06091999.html
[4] Safe Harbor Sunk?
Early reports on the day-long meeting at the end of May between topnegotiators for the United States and the European Union suggest
thatthere will be no agreement on the "Safe Harbor" proposal before theU.S.-EU summit in Germany later this month. The Department
of Commercehas been urging officials of the European Union to agree that the U.S.
system of "self-regulation" provides adequate privacy protection andthat no further legislation is necessary to protect the interests
ofEuropean citizens whose personal information is processed in the UnitedStates.
European privacy officials participated in extensive meetings with U.S.
trade officials but were unable to resolve key questions aboutenforcement, access, and implementation. A group of experts wroterecently:
Data protection rules only contribute to the protection of individuals to the extent to which they are followed in practice.
In an entirely voluntary scheme such as this compliance with the rules must be at least guaranteed by an independent investigative
mechanism for complaints and sanctions which must be, on the one hand dissuasive and, on the other give individual compensation
where appropriate.
Consumer and privacy organizations on both sides of the Atlantic alsoobjected to the Safe Harbor proposal. The Trans Atlantic ConsumerDialogue,
representing sixty consumer groups in the United States andEurope, adopted a resolution last month in opposition to the SafeHarbor
proposal. This week Jim Murray, President of the EuropeanConsumers Organization (BEUC), wrote to Jacques Santer, President ofthe
European Commission, and EC Members Mario Monti and Emma Bonino toexpress further concern about the Safe Harbor proposal. Mr. Murraysaid
that, "Without simple and effective complaint and redressprocedures, the proposed U.S. regime would not have sufficientdeterrents
to prevent abuse of consumer rights, even in flagrantcases."
The text of the Safe Harbor Proposal is available at:
http://www.ita.doc.gov/ecom
The Trans Atlantic Consumer Dialogue resolution is available at:
http://www.tacd.org/meeting1/electronic.html#safe
The European Consumers' Organization website:
http://www.beuc.org/
[5] Arizona Restricts Use of Student Social Security Numbers
Newly-enacted legislation in Arizona prohibits the use of SocialSecurity numbers as a student identification numbers in universities.
Wisconsin enacted such a similar law last year. The Arizona bill (SB1399) prohibits a university under the jurisdiction of the Arizonaboard
of regents or a community college district under the jurisdictionof the state board of directors for community colleges from assigning
astudent an identification number which is identical to, or incorporatesany portion of, the student's Social Security number. The
restrictionbecomes effective on June 30, 2002.
The bill also prohibits universities and community college districtsfrom displaying a student's Social Security number or any fourconsecutive
digits of a student's Social Security number on theInternet or on any publicly accessible document. The legislationallows a student
to consent to the use of his or her Social Securitynumber as their ID number and stipulates that community colleges anduniversities
can electronically transfer data and are not prohibitedfrom complying with any federal reporting requirements.
More information on the privacy implications of the misuse of SocialSecurity numbers is available at:
http://www.epic.org/privacy/ssn/
[6] Anti-Abortion Webmaster Sues ISP Over Shut-Down
The operator of a controversial anti-abortion website has filed a $250million breach of contract suit against his former service provider.
Otis O'Neal Horsley filed suit against MindSpring Enterprises Inc. in aGeorgia state court earlier this week, alleging breach of contract
forthe shutting down of the "Nuremberg Files" site, which featuredpictures of aborted fetuses and the names of doctors providing
abortionservices.
Horsley alleges the Atlanta-based ISP damaged his political campaign tostop legal abortion and his ability to solicit financial support
whenit shut down the site in February. MindSpring began a review of thesite after an Oregon jury found some of Horsley's colleagues
in theanti-abortion movement in violation of the federal access to abortionclinic law in January. Although Horsley was not a defendant
in thecase, the Nuremberg Files site was a central element of the trial.
The Web site solicited and posted information such as where abortiondoctors lived, their work habits, vehicle descriptions and tag
numbers,
places of worship and details about their families. He listed names ofabortion doctors on the site and crossed out the names of doctors
whohad been killed.
[7] EPIC Bookstore - "Visions of Privacy"
A new collection of articles, edited by Colin J. Bennettt and RebeccaGrant, offers fresh and intriguing perspectives on the timeless
problemof privacy protection. Available now at the EPIC Bookstore.
"As the world moves into the twenty-first century, cellular systems,
high-density data storage, and the Internet are just a few of the newtechnologies that promise great advances in productivity andimprovements
in the quality of life. Yet these new technologies alsothreaten personal privacy. A surveillance society, in which theindividual
has little control over personal information, may be thelogical result of deregulation, globalization, and a massdata-processing
capacity." - From the introduction.
"Visions of Privacy: Policy Choices for the Digital Age"
(University of Toronto Press 1999). List $22.95.
http://www.epic.org/bookstore/
[8] Upcoming Conferences and Events
INET 99. San Jose, Calif., June 22-25, 1999. Sponsored by theInternet Society. Contact: http://www.isoc.org/inet99/
Privacy Laws & Business 12th Annual International Conference -- "NewData Protection Law: Issues, Solutions, Action." June 28-30,
1999, StJohn's College, Cambridge, United Kingdom. Contact: Privacy Laws &
Business, Tel: + 44 (0) 181 423 1300, Fax: + 44 (0) 181 423 4536,
e-mail: infoprivacylaws.co.uk, or http://www.privacylaws.co.uk
National Coalition to Protect Political Freedom, 3rd Annual Meeting.
Georgetown University Law Center, Washington, DC. July 9-10, 1999.
Contact: Kit Gage 301-587-7442, kgageigc.org
Jurisdiction: Building Confidence in a Borderless Medium. QueenElizabeth Hotel, Montreal, Canada, July 26-27, 1999. Sponsored by theInternet
Law and Policy Forum. Contact: Marilyn Malenfant+1.514.744.0408 or malenfantilpf.org.
ABA Annual Conference, Section of International Law and Practice.
"Privacy Issues in Electronic Commerce." August 9, 1999. Atlanta,
Georgia. Contact http://www.abanet.org/annual/99/home.html
The 21st International Conference on Privacy and Personal DataProtection. Hong Kong, September 13-14, 1999. A distinguished groupof
over 50 speakers/panelists from overseas and Hong Kong will explorethe theme of "Privacy of Personal Data, Information Technology
&
Global Business in the Next Millennium."" Sponsored by the Office ofthe Privacy Commissioner for Personal Data in Hong Kong. Contact:
iccasiaonline.net
"A Privacy Agenda for the 21st Century."" Sept 15. Hong Kong Conventionand Exhibition Centre, Hong Kong PRC. Contact: rotenbergepic.org.
Information Security Solutions Europe 1999. Oct 4-6. Maritim proArteHotel, Berlin, Germany. contact http://www.eema.org/isse/
RSA 2000. The ninth annual RSA Data Security Conference and Expo. SanJose McEnery Convention Center. San Jose, CA. January 16-20,
2000,
Contact: http://www.rsa.com/rsa2000/
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic PrivacyInformation Center. A Web-based form is available for subscribing
orunsubscribing at:
http://www.epic.org/alert/subscribe.html
To subscribe or unsubscribe using email, send email toepic-newsepic.org with the subject: "subscribe" (no quotes) or"unsubscribe".
Back issues are available at:
http://www.epic.org/alert/
About EPIC
The Electronic Privacy Information Center is a public interest researchcenter in Washington, DC. It was established in 1994 to focus
publicattention on emerging privacy issues such as the Clipper Chip, theDigital Telephony proposal, national ID cards, medical record
privacy,
and the collection and sale of personal information. EPIC is sponsoredby the Fund for Constitutional Government, a non-profit organizationestablished
in 1974 to protect civil liberties and constitutionalrights. EPIC publishes the EPIC Alert, pursues Freedom of InformationAct litigation,
and conducts policy research. For more information,
e-mail infoepic.org, http://www.epic.org or write EPIC, 666Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240(tel),
+1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible.
Checksshould be made out to "The Fund for Constitutional Government" and sentto EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington,
DC 20003.
Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for the rightof privacy and efforts to oppose government regulation
of encryption andexpanding wiretapping powers.
Thank you for your support.
END EPIC Alert 6.09
.
WorldLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.worldlii.org/int/journals/EPICAlert/1999/9.html
