WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2000 >> [2000] EPICAlert 1

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 7.01 [2000] EPICAlert 1


Volume 7.01 January 12, 2000

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Supreme Court Upholds Drivers' Privacy Law
[2] White House Releases "Cyber-Terrorism" Plan
[3] EPIC Comments on Use of the Internet for Campaign Activity
[4] EPIC Releases Survey of Online Privacy Policies
[5] Update on Safe Harbor Negotiations
[6] EPIC Job Announcements
[7] EPIC Bookstore -- Database Nation
[8] Upcoming Conferences and Events
THIS JUST IN: As the Alert "goes to press," the U.S. Commerce Department has released the final revision of its encryption export control regulations. The new rules maintain a complex and burdensome licensing scheme and retain substantial restrictions on the ability to exchange information concerning encryption. The next issue of the Alert will contain additional information on the export control revisions.

[1] Supreme Court Upholds Drivers' Privacy Law

In an opinion released today, the Supreme Court has unanimously heldthat Congress did not exceed its constitutional authority when itenacted legislation establishing privacy safeguards for motor vehiclerecords held by state agencies. Several states challenged the DriversPrivacy Protection Act, arguing that Congress had violated the TenthAmendment.

Central to the Court's decision in Condon v. Reno was the fact thatinformation obtained by state motor vehicle agencies is now routinelysold in interstate commerce. The Court, in an opinion by ChiefJustice Rehnquist, said that "the motor vehicle information which theStates have historically sold is used by insurers, manufacturers,
direct marketers, and others engaged in interstate commerce to contactdrivers with customized solicitations. The information is also usedin the stream of interstate commerce by various public and privateentities for matters related to interstate motoring. Because drivers'
information is, in this context, an article of commerce, its sale orrelease into the interstate stream of business is sufficient tosupport congressional regulation."

The Supreme Court rejected the argument made by South Carolina thatthe Drivers Privacy Protection Act violated the Tenth Amendment,
holding that "the DPPA does not require the States in their sovereigncapacity to regulate their own citizens. The DPPA regulates the Statesas the owners of databases."

EPIC filed an amicus brief in the case arguing in support of theDrivers Privacy Protection Act. EPIC said in its brief:

The Drivers Privacy Protection Act safeguards the personal information of licensed drivers from improper use or disclosure. It is a valid exercise of federal authority in that it seeks to protect a fundamental privacy interest. It restricts the activities of states only to the extent that it concerns the subsequent use or disclosure of the information in a manner unrelated to the original purpose for which the personal information was collected. The states should not impermissibly burden the right to travel by first compelling the collection of sensitive personal information and then subsequently disclosing the same information for unrelated purposes.

The decision is remarkable, particularly in light of recent caseswhere the Supreme Court has typically deferred to state TenthAmendment claims and struck down federal statutes or claims brought infederal court.

The decision in Condon v. Reno (US 2000) is available at:
EPIC's Amicus Brief in Condon v. Reno is available at:

[2] White House Releases "Cyber-Terrorism" Plan

The White House on January 7 released a national plan to protectAmerica's computer systems from unauthorized intrusions. Included inthe proposal is the establishment of the controversial FederalIntrusion Detection Network (FIDNET) which would monitor activity ongovernment computer systems. The plan also calls for theestablishment of an "Institute for Information InfrastructureProtection" and a new program that will offer college scholarships tostudents in the field of computer security in exchange for publicservice commitments.

The initiative is an outgrowth of recommendations made in the October1997 report of the President's Commission on Critical InfrastructureProtection (PCCIP) and in Presidential Decision Directive 63 (PDD 63)
on Critical Infrastructure Protection issued in May 1998.

In its report "Critical Infrastructure Protection and the Endangermentof Civil Liberties," released in October 1998, EPIC noted that thePCCIP had proposed
the development of a large-scale monitoring strategy for communications networks. Borrowing techniques that have been applied to hostile governments and foreign agents, the PCCIP brings the Cold War home with an open-ended proposal to conduct ongoing surveillance on the communications of American citizens.

EPIC noted in its report that "these proposals are more of a threatto our system of ordered liberty than any single attack on ourinfrastructure could ever be." Last year, EPIC filed a series ofFreedom of Information Act requests seeking the details of theseinitiatives.

President Clinton acknowledged the privacy concerns when he announcedthe new initiative. "It is essential that we do not undermine libertyin the name of liberty. I will continue to work equally hard touphold the privacy rights of the American people as well as theproprietary rights of American businesses," he said.

The text of the "National Plan for Information Systems Protection" andother relevant material -- including EPIC's report "CriticalInfrastructure Protection and the Endangerment of Civil Liberties --
is available at:

[3] EPIC Comments on Use of the Internet for Campaign Activity

EPIC submitted comments to the Federal Election Commission on January4 in response to the FEC's Notice of Inquiry about the use of theInternet for campaign activity. The FEC is conducting a review todetermine whether to amend the Federal Election Campaign Act toregulate the creation of Web pages supporting particular candidates.
The Commission seeks to evaluate whether websites created byindividuals constitute contributions or expenditures and whetherhyperlinks to candidate websites should be regarded as in-kindcontributions.

EPIC urged the Commission to refrain from regulating political speechonline and to sustain the Internet's capacity as a vehicle fordemocracy and debate. The paper noted that -- unlike print, radio,
and television -- the Internet is a unique medium of communicationwith a capacity to transfer messages to vast audiences at little or nocost. Moreover, determining the costs associated with the utility ormaintenance of web sites is difficult if not impossible particularlywhen individuals use their computers to post information about diversetopics. EPIC also warned the Commission that requiring individualswho create Web sites that strongly advocate the election or defeat ofa candidate to identify themselves in disclaimer statements wouldimpede speech and violate the constitutional protection of anonymity.

The paper asserted that the Commission should welcome political speechon the Web and recognize the Internet's potential to expand democraticdebate and deliberation. EPIC explained: "Regulating speech on theInternet could deter the individual and grassroots efforts that wouldpossibly gain visibility only on the Web. Just as individuals canhang banners on their front yards or post bumper stickers on theircar, they should be able to express their viewpoints on the Web freeof reporting obligations or abstract cost assessments."

The comments EPIC submitted to the FEC are available at:

[4] EPIC Releases Survey of Online Privacy Policies

In an effort to educate the online shopper during the past holidayseason, EPIC released its survey of the privacy policies of the top100 e-commerce sites -- "Surfer Beware III: Privacy Policies WithoutPrivacy Protection" -- on December 17.

"Surfer Beware III" found that few of high-traffic websites offeredadequate privacy protection. In fact, not a single one of themfulfilled important elements of Fair Information Practicesinvestigated in the survey. Fair Information Practices serve as basicguidelines for safeguarding personal information. Also alarming wasthe significant proportion (35 out of 100) of shopping sites thatallowed profile-based advertising networks to operate. Theseadvertising networks present a stealthy and invasive way in that thirdparties -- companies that display banner advertisements -- aretracking online behavior without the knowledge of the Internet user.

EPIC Executive Director Marc Rotenberg concluded that, "On balance, wethink that consumers are more at risk today than they were in 1997,
when we first examined privacy practices on the web. The profiling ismore extensive and the marketing techniques are more intrusive.
Anonymity, which remains crucial to privacy on the Internet, is beingsqueezed out by the rise of electronic commerce." To improve privacyprotection on the web, Rotenberg added that legally enforceablestandards of protection and more techniques enabling anonymity arenecessary.

"Surfer Beware III: Privacy Policies without Privacy Protection" isavailable at:

[5] Update on Safe Harbor Negotiations

Safe Harbor negotiations between the U.S. Department of Commerce andthe European Union continue although both sides remain outwardlyoptimistic about a long-awaited agreement. The latest in a long lineof estimated deadlines is this upcoming March.

The Safe Harbor proposal, a U.S.-sponsored set of principles that U.S.
companies would abide by to protect personal data of EU citizens, hasbeen the subject of debate for almost two years. As EU citizens havestrong legal protections over their personal information via the 1995EU Data Protection Directive, European authorities are attempting toseek guarantees that those protections will continue when the data isin the hands of U.S. companies. As the United States has nocomprehensive laws protecting personal information in the hands of theprivate sector, much of the debate has centered on how the Safe HarborPrinciples would be enforced.

The lack of enforcement and the overall weakness of the last draft ofthe Safe Harbor Principles released on November 15 have been pointedout in comments submitted by the TransAtlantic Consumer Dialogue(TACD) -- a coalition of EU and US consumer groups -- and by theArticle 29 Working Group -- an expert panel of Privacy Commissionersestablished to oversee the implementation of the EU Data ProtectionDirective. Despite opposition from the aforementioned groups andothers, on December 13, the semi-annual EU-US summit was expectedunveil an agreement between the negotiating parties. Shortly beforethe summit, it was announced that no such agreement had yet beenreached.

Related to the ongoing debates, on January 11, the European Commissionannounced that it would take France, Luxembourg, the Netherlands,
Germany, and Ireland to court for failing to implement the EU DataProtection Directive in national law. The EU Data ProtectionDirective has come under fire for failing to gain statutory support insome of its member countries. However, this recent actiondemonstrates that European authorities continue to take implementationof the Directive seriously.

TACD Comments on the Latest Draft of the Safe Harbor Principles (seealso EPIC Alert 6.20):
Article 29 Working Group Opinion on the Safe Harbor Principles:

[6] EPIC Job Announcements

EPIC will be filling two new job openings in the upcoming months. TheInternet Activist position requires someone with an interest in civilliberties issues and a strong technical background to maintaininternal equipment and work on web projects. The Policy Analystopening seeks a person with the same civil liberties focus who wouldwork on research and writing projects and monitor legislation.

Applications are due on March 1, 2000. Please send resumes and coverletters to

The complete job announcements can be found at:

[7] EPIC Bookstore -- Database Nation

EPIC is pleased to announce the publication of "Database Nation: TheDeath of Privacy in the 21st Century" by noted author SimsonGarfinkel.

Fifty years ago George Orwell imagined a future in which privacy wasvanquished by a totalitarian state that used spies and videosurveillance to maintain control. In 2000 we find that the threats toour privacy are not coming from a monolithic "Big Brother", but --
even harder to grapple with -- hundreds of sources, not seeking tocontrol us, merely to market to us, track us, count us, or streamlinepaperwork. The result, though, is still as chilling as "1984".

"Database Nation" explores the many threats to privacy in the TwentyFirst century and warns its readers, as Orwell's 1984 did before, thatthe cost of inaction will be the loss of freedom. It has alreadyreceived widespread critical acclaim:

"This is a chilling compendium of the myriad methods government and industry have devised to catalog and profile the preferences of American citizens. It is an essential handbook in the fight against the insidious erosion of a right so dear that freedom itself depends on it."

The Hon. Edward J. Markey U.S. House of Representatives
Database Nation by Simson Garfinkel is a graphic and blistering indictment of the burgeoning technologies used by business,
government, and others to invade the self - yourselves - and restrict both your freedom to participate in power and your freedom from abuses of power. The right of privacy is a constitutionally protected right, and its erosion or destruction undermines democratic society as it generate, in one circumstance after another, a new kind of serfdom. This book is one that you're entitled to take very personally."

Ralph Nader, Consumer Advocate
"Simson has captured the depth and breadth of our ever-increasing privacy problems, demonstrating their insidious nature and the extreme difficulties that they present for all of us. This book is hugely important. It should be read by everyone. Wonderfully readable. Five stars."

Peter G. Neumann Principal Scientist, SRI-CRL Author, Inside Risks
Database Nation is now available for sale at the EPIC Bookstore.

Garfinkel, "Database Nation: The Death of Privacy in the 21st Century":
Database Nation website:
EPIC Bookstore:

[8] Upcoming Conferences and Events

RSA 2000. The ninth annual RSA Data Security Conference and Expo.
January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA.
For more information:

Privacy, Security & Confidentiality of Medical Records 2000: ComplyingWith New HIPAA Regulations. NonProfit Management. One Day Seminars.
Various Locations and Times. For more information:
Cyberspace and Privacy: A New Legal Paradigm? February 7, 2000.
Stanford Law School. Stanford, CA. For more information: or
Santa Clara University Computer and High Technology Journal Symposiumon Internet Privacy. February 11-12, 2000. For more information:
E-Commerce and Privacy: Implementing the New Law. Riley InformationServices. February 21, 2000. Westin Hotel, Ottawa. For moreinformation:

Financial Cryptography '00. International Financial CryptographyAssociation. February 21-24, 2000. InterIsland Hotel. Anguilla,
British West Indies. For more information:

The New Wave of Privacy Protection in Canada. BC Freedom ofInformation and Privacy Association and Riley Information Services.
March 9-10, 2000. Hotel Vancouver. Vancouver, British Columbia. Formore information:
Entrust SecureSummit 2000. May 1-4, 2000. Hyatt Regency Dallas atReunion. Dallas, Texas. For more information:
Shaping the Network: The Future of the Public Sphere in Cyberspace.
Computer Professionals for Social Responsibility (CPSR). Call forPapers -- Abstracts Due February 15. May 20-23, 2000. Seattle,
Washington. For more information:
Telecommunications: The Bridge to Globalization in the InformationSociety. Biennial Conference of the International TelecommunicationsSociety. July 2-5, 2000. For more information:

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic PrivacyInformation Center. A Web-based form is available for subscribing orunsubscribing at:
To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or"unsubscribe".

Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interest researchcenter in Washington, DC. It was established in 1994 to focus publicattention on emerging privacy issues such as the Clipper Chip, theDigital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsoredby the Fund for Constitutional Government, a non-profit organizationestablished in 1974 to protect civil liberties and constitutionalrights. EPIC publishes the EPIC Alert, pursues Freedom of InformationAct litigation, and conducts policy research. For more information,
e-mail, or write EPIC, 666Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240(tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible. Checksshould be made out to "The Fund for Constitutional Government" and sentto EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for the rightof privacy and efforts to oppose government regulation of encryptionand expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 7.01


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback