WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2000 >> [2000] EPICAlert 14

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 7.14 [2000] EPICAlert 14


Volume 7.14 July 27, 2000

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Congress Examines FBI Carnivore Surveillance System
[2] New Bill Would Require Notice of Workplace Monitoring
[3] European Commission Adopts Safe Harbor Data Principles
[4] Microsoft Offers Security Patch for Third-Party Cookies
[5] EPIC Bill-Track: New Bills in Congress
[6] Resources Available for National High School Debate Topic
[7] EPIC Bookstore - The Electronic Privacy Papers
[8] Upcoming Conferences and Events

[1] Congress Examines FBI Carnivore Surveillance System

On July 24, the House Judiciary Committee convened a hearing on theFederal Bureau of Investigation's controversial Internet surveillanceprogram, Carnivore. The Committee hoped to shed light on the largelyunknown capabilities of the program, as well as to solicit feedbackfrom Carnivore's critics.

Carnivore is an advanced packet sniffer which the FBI installs on anInternet Service Provider's (ISP) backbone to scan and record selectedcommunications. Carnivore scans all of an ISP's Internet traffic,
looking for and recording relevant messages. It is Carnivore'sability to monitor large amounts of communications, as well as itsstill unknown configuration potential, that has raised concerns amongmembers of Congress and privacy and civil liberties advocates.

The FBI faced stiff bi-partisan questioning over Carnivore, led byReps. Jerrold Nadler (D-NY) and Bob Barr (R-GA). Both representativesexpressed skepticism about the FBI's assurances that Carnivore was a"surgical" instrument that is actually less intrusive than a standardwiretap, and both were curious as to why the FBI had not informedCongress about Carnivore earlier.

Witnesses on a second panel were also highly critical of the Bureau.
Barry Steinhardt of the ACLU said the use of Carnivore is like "awiretap capable of accessing the contents of all of the phonecompany's customers." This, he stated, was a direct violation of theFourth Amendment's requirement of narrow and targeted searches,
designed to protect both the privacy of individuals and the ability ofthe government to conduct searches. Like many members of theCommittee, Steinhardt was skeptical of the FBI's "trust us" approach.

One of the consistent criticisms of the Carnivore program is that verylittle information on its use and capabilities has been made public.
In the interest of the fullest possible public disclosure, EPICsubmitted a Freedom of Information Act request to the FBI on July 12seeking the disclosure of all information relating to Carnivore.

Testimony presented at the House Judiciary Committee hearing:
The hearing can be viewed in its entirety over the web at:

More on the history of FBI monitoring of Internet communications andthe "digital telephony" law (or CALEA) is available at the EPICWiretap Page:

[2] New Bill Would Require Notice of Workplace Monitoring

Bi-partisan legislation introduced in both houses of Congress wouldprevent employers from secretly monitoring the communications andcomputer use of their employees. The "Notice of Electronic MonitoringAct" (S.2898 and H.R.4908) would require employers to give "clear andconspicuous notice" to their employees if they intend to read e-mail,
monitor keystrokes or Web activity, or listen to telephoneconversations. The bill was introduced on July 20 by Sen. CharlesSchumer (D-NY) and Reps. Charles Canady (R-FL) and Bob Barr (R-GA).

The proposed legislation would not prohibit electronic monitoring, norwould it require employers to give notice each time they monitor anemployee's activity. Instead, employers would be required to provideworkers with initial notices when they are hired, and then annuallyand whenever there are changes to the company's monitoring policy.
Monitoring could be conducted without notice if there is reason tobelieve the employee is engaging in conduct harmful to the employer oranother employee.

The required notification would have to specify the type of computeruse that would be monitored, how the monitoring would be accomplished,
the frequency of the monitoring, the kinds of information that wouldbe obtained, and how the information would be stored, used ordisclosed. Employees would be able to sue employers for civil damagesif electronic monitoring is conducted without the required notice.

Workplace monitoring has become increasingly common in recent years --
an American Management Association report found that forty-fivepercent of major U.S. firms record and review employee communicationsand activities on the job -- but the courts have generally providedemployees with little recourse. Privacy advocates have longmaintained that providing notice of a monitoring policy should, as abare minimum, be required before employers can engage in such invasiveactivities.

Another privacy-related bill was introduced on July 26 by Sens. JohnMcCain (R-AZ), John Kerry (D-MA), and Spencer Abraham (R-MI). Thebi-partisan Internet privacy legislation would require all commercialwebsites to make clear disclosures about their information collectionpractices. The mandatory disclosures would be enforced by the FederalTrade Commission. The Senate Commerce Committee plans to holdhearings on the proposal in September.

The American Management Association's 1999 survey, "WorkplaceMonitoring and Surveillance," is available at:

[3] European Commission Adopts Safe Harbor Data Principles

On July 26, the European Commission finalized its decision to approvethe latest U.S. Safe Harbor proposal, thereby ending two years ofnegotiations between the U.S. Department of Commerce and the EuropeanUnion on the transborder flows of European citizens' personal data.
The agreement allows companies to voluntarily abide to a set ofprinciples protecting data belonging to EU citizens. However, thearrangement will not offer any increase in protections for U.S.

The Commission decided to approve this agreement in spite of aforceful resolution by the European Parliament adopted on July 5 thatthe agreement needed to be re-negotiated in order to provide adequateprotection (see EPIC Alert 7.13). Acknowledging the Parliament'scriticisms, the Commission went ahead with the adoption of Safe Harborand promised to re-open negotiations on the arrangement if theremedies available to European citizens prove inadequate. EU memberstates will have 90 days to put the Commission's decision into effectand companies may join Safe Harbor starting in November.

In other international news, the Group of Eight (G8) has issued acharter on the "Global Information Society." The group, whichcomprises the top eight industrial countries in the world, met lastweek in Okinawa for its annual summit. The charter recognizes theneed to promote consumer trust and confidence in the electronicmarketplace (in particular by providing reliable means of settlingcross-border disputes), developing "effective and meaningful" privacyprotections, and ensuring the security of stored data. Addressing theissue of cyber-crime, the Group stated that it will continue topromote dialogue and co-operation between governments and industry.
Building on its earlier meeting in May of this year with industrygroups, the Group re-affirmed the need to tackle urgent securityissues such as hacking, viruses, and critical infrastructure.

Information regarding the European Commission's adoption of SafeHarbor:
The European Parliament resolution is available at:
The G8 Communique from the Okinawa meeting is available at:

[4] Microsoft Offers Security Patch for Third-Party Cookies

On July 20, Microsoft announced that it was introducing a betasecurity patch for the next version of Internet Explorer that wouldallow for better management of web cookies. The test version of thepatch should be available to the public by the end of August.

According to preliminary descriptions, the patch will offer severalfeatures that will allow users to control cookies more effectively.
The browser will be able to differentiate between first-party andthird-party cookies and the default setting will warn the user when apersistent third-party cookie is being served. Persistent third-partycookies are used heavily by Internet advertisers, such as DoubleClick,
to track computer users' activities. In addition, the newfunctionality will allow Internet users to delete all cookies with asingle click and will make information about security and privacy moreeasily accessible. The security patch does not, however, increaseconsumer control over the use of first-party cookies prevalent oncommercial websites.

The cookie management features follow on the heels of other recentsecurity patches issued by Microsoft correcting data leak issues. InMay, the company released a patch for the popular Outlook program thatwould turn off cookies in email messages.

In related news, the newly created non-profit Privacy Foundation hasannounced its first initiative, the creation of a Privacy Center atthe University of Denver. The Privacy Center will be a research andeducation organization that seeks to investigate new technology andinform the public on how to protect themselves from privacy invasions.
Richard Smith, noted Internet privacy expert, is the Chief TechnologyOfficer for the organization.

Information about the security patch is available at:
For cookie management software and other privacy enhancingtechnologies, visit the EPIC Online Guide to Practical Privacy Tools:
For more information about the Privacy Foundation's new researchcenter:

[5] EPIC Bill-Track: New Bills in Congress


H.R.4311. Identity Theft Protection Act of 2000. Institutesconfirmations of changes of address, annually distributed free creditreports, and access to information held by individual referenceservices providers (see also S.2328). Sponsor: Rep. Hooley, Darlene(D-OR). Referred to the Subcommittee on Financial Institutions andConsumer Credit.

H.R.4857. Privacy and Identity Protection Act of 2000. Far-reachinglaw that would restrict government uses of the social security numberand create regulations over the sale and purchase and sale of socialsecurity numbers by the private sector (see also S.2876). Sponsor:
Rep. Shaw, E. Clay, Jr. (R-FL). Forwarded by Subcommittee to FullHouse Ways and Means Committee (Amended) by Voice Vote.

H.R.4908 Notice of Electronic Monitoring Act. Amends the ElectronicCommunications Privacy Act to require employers to provide notice toemployees of electronic monitoring unless the employer believes theemployee is engaged in harmful activity (see also S.2898). Sponsor:
Rep. Canady, Charles T. (R-FL). Referred to the House Committee on theJudiciary.


S.2328. Identity Theft Prevention Act of 2000. Institutesconfirmations of changes of address, annually distributed free creditreports, and access to information held by individual referenceservices providers (see also H.R.4311). Sponsor: Sen. Feinstein,
Dianne (D-CA). Read twice and referred to the Committee on Banking,
Housing, and Urban Affairs.

S.2554. Amy Boyer's Law. Would limit display of social securitynumbers. Sponsor: Sen. Gregg, Judd (R-NH). Read twice and referred tothe Committee on Finance.

S.2871. Social Security Number Privacy Act of 1999. Amends theGramm-Leach-Bliley Act (see S.900) to prohibit financial institutionsfrom selling social security numbers. Sponsor: Sen. Shelby, Richard C.
(R-AL). Read twice and referred to the Committee on Banking, Housing,
and Urban Affairs.

S.2876. Privacy and Identity Protection Act of 2000. Far-reaching lawthat would restrict government uses of the social security number andcreate regulations over the sale and purchase and sale of socialsecurity numbers by the private sector (see also H.R.4857). Sponsor:
Sen. Bunning, Jim (R-KY). Read twice and referred to the Committee onFinance.

S.2898. Notice of Electronic Monitoring Act. Amends the ElectronicCommunications Privacy Act to require employers to provide notice toemployees of electronic monitoring unless the employer believes theemployee is engaged in harmful activity (see also H.R. 4908). Sponsor:
Sen. Schumer, Charles E. (D-NY). Read twice and referred to theCommittee on the Judiciary.

EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Billsin the 106th Congress, is available at:

[6] Resources Available for National High School Debate Topic

In response to requests for information regarding the 2000-2001National High School Debate Topic, "Resolved: that the United Statesfederal government should significantly increase protection of privacyin one or more of the following areas: employment, medical records,
consumer information, search and seizure," EPIC has produced a webpagecontaining links to relevant websites, litigation, court cases, andsurveys. A brief essay on the subject is also included.

We at EPIC are encouraged that the national debate topic relates toprivacy issues, and hope that the ideas and discussions produced willbecome part of the larger debate on privacy.

The National High School Debate Topic Resources page is at:

[7] EPIC Bookstore - The Electronic Privacy Papers

The Electronic Privacy Papers: Documents on the Battle for Privacy inthe Age of Surveillance by Bruce Schneier, David Banisar
While most books on privacy and security issues in cyberspace simplygive accounts of debates on the issues, The Electronic Privacy Papersdocuments the war
practically salvo by salvo. Authors Schneier andBanisar present the actual government and industry documents, whichcover both legal and technical matters. The information includesresearch reports on the value of wiretaps, influential speeches andarticles, and actual legislation that has gone before Congress. Manyof the government documents, although legally available to the publicthrough the Freedom of Information Act, were improperly kept secretuntil several lawsuits eventually forced their release. These"hidden" papers exhibit the FBI's push for government access to allelectronic communications, report on how increased government accesscould also increase the opportunities for computer crime, and recordthe conflict between those who favor private encryption technology andthose who'd make illegal encryption systems that don't allowgovernment agencies access to decryption keys. Legislation andSupreme Court decisions on these disputes are also presented. Thisbook will give you a clear understanding of both sides of the debateand will provide insight into the strategies that both government andprivacy advocates use in attempt to achieve their desired result.

EPIC Publications:

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, editors, (EPIC 2000).
Price: $20.

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

"The Privacy Law Sourcebook: United States Law, International Law, andRecent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, as wellas a comprehensive listing of privacy resources.

"Filters and Freedom - Free Speech Perspectives on Internet ContentControls," David Sobel, editor (EPIC 1999). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"Privacy and Human Rights 1999: An International Survey of Privacy Lawsand Developments," David Banisar, Simon Davies, editors, (EPIC 1999).
Price: $15.

An international survey of the privacy and data protection laws foundin 50 countries around the globe. This report outlines theconstitutional and legal conditions of privacy protection, andsummarizes important issues and events relating to privacy andsurveillance.

Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can beordered through the EPIC Bookstore:

[8] Upcoming Conferences and Events

CPSR Meeting on Privacy & Security. August 15, 2000. TorontoCypherpunks/Webgrrls. Toronto, Canada. For more information:

First International Hackers Forum. The Green Planet. August 18-20,
2000. Zaporozhye, Ukraine. For more information:
Surveillance Expo 2000. August 28-30, 2000. Arlington, VA. For moreinformation:
Health Information Privacy: A Dialogue with the Stakeholders.
September 21, 2000. Westin Hotel. Ottawa, Canada. For moreinformation:
KnowRight 2000 - InfoEthics Europe. Austrian Computer Society andUNESCO. September 26-29, 2000. Vienna, Austria. For more information:
One World, One Privacy: 22nd Annual International Conference onPrivacy and Personal Data Protection. September 28-30, 2000. Venice,
Italy. For more information:

Privacy: A Social Research Conference. New School University. October5-7, 2000. New York, NY. For more information:

Privacy2000: Information and Security in the Digital Age. October 31-
November 1, 2000. Columbus, Ohio. Adam's Mark Hotel. For moreinformation:

Subscription Information

The EPIC Alert is a free biweekly publication of the ElectronicPrivacy Information Center. A Web-based form is available forsubscribing or unsubscribing at:
To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or"unsubscribe".

Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC is sponsored by the Fund for Constitutional Government, anon-profit organization established in 1974 to protect civil libertiesand constitutional rights. EPIC publishes the EPIC Alert, pursuesFreedom of Information Act litigation, and conducts policy research.
For more information, e-mail, orwrite EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "The Fund forConstitutional Government" and sent to EPIC, 1718 ConnecticutAve., NW, Suite 200, Washington, DC 20009.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email addressfrom this list, please follow the above instructions under"subscription information". Please contact if you haveany other questions.

END EPIC Alert 7.14


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback