WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2000 >> [2000] EPICAlert 16

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 7.16 [2000] EPICAlert 16


Volume 7.16 September 13, 2000

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] EPIC Testifies on Online Privacy Bills before Congress
[2] FBI and DOJ Continue to Oppose Disclosure of Carnivore Info
[3] GAO Study Finds that Government Websites Fail on Privacy
[4] New Polls Show Public Support for Privacy Policies
[5] FTC Seeks Public Comment on Security of Financial Data
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - The Privacy Law Sourcebook 2000
[8] Upcoming Conferences and Events

[1] EPIC Testifies on Online Privacy Bills before Congress

On September 6, EPIC Executive Director Marc Rotenberg testifiedbefore the House Judiciary Committee on three bills now pending inCongress -- the Electronic Communications Privacy Act of 2000, theDigital Privacy Act of 2000, and the Notice of Electronic MonitoringAct of 2000. The first two bills would strengthen the federal wiretapstatute. The third bill would require employers to notify employeeswhen they conduct electronic surveillance.

Rotenberg said that EPIC favors proposals to strengthen the standardsand oversight for wiretapping. "We support the provisions that wouldextend current reporting requirements, clarify the scope of theexclusionary rule, establish a high standard for the issuance ofwarrants for pen register and trap and trace devices, as well asaccess to locational information."

Rotenberg noted that EPIC opposed passage of the CommunicationsAssistance for Law Enforcement Act (CALEA) in 1994, relying in part oninformation contained in the federal wiretap reports that revealedthat wiretapping was hardly ever used in cases involving kidnapping orbombings, as the FBI had alleged. Both bills pending in Congresswould extend the reporting requirements to new forms of electronicsurveillance.

Rotenberg also said that strengthening the "pen register" and "trapand trace" provisions in the federal wiretap statute was necessarybecause of recent concerns about the scope of the FBI's Carnivoremonitoring system and ongoing questions about the appropriate standardfor access to transactional data. EPIC is currently seekinginformation describing the Carnivore surveillance system in a widelyreported Freedom of Information Act case (see
[2] below).

On the proposal to require notice of electronic monitoring conductedin the workplace, Rotenberg said that a stronger measure isappropriate and necessary to safeguard privacy. "If the bill remainsa notice-only measure, we would strongly urge the Committee to add aprovision that would require the notice to be available by means ofthe World Wide Web. That would prevent intimidation of employees seenreading the notice (a common problem with paper notices) and wouldalso help the labor market function by enabling prospective employeesto evaluate the privacy policies of prospective employers."

He recommended that workplace privacy legislation incorporate FairInformation Practices and follow provisions in existing privacy U.S.
Laws, as well as the International Labour Organization privacyguidelines.

EPIC's Testimony before the House Judiciary Committee:
For more information, visit the EPIC Wiretap Page:

[2] FBI and DOJ Continue to Oppose Disclosure of Carnivore Info

As Congressional committees convened hearings on the FBI's Carnivoresurveillance system, the Bureau and the Department of Justice continueto oppose efforts to publicize important information about the designand capabilities of the invasive technology. The agencies recentlymoved to dismiss EPIC's lawsuit seeking disclosure of informationabout Carnivore, and have belatedly indicated that the full results ofan "independent review" of the system probably will not be madepublic.

On July 12, one day after the initial media coverage of Carnivore,
EPIC filed a Freedom of Information Act (FOIA) request seeking thepublic release of all FBI records concerning the system, including thesource code, other technical details, and legal analyses addressingthe potential privacy implications of the technology. On July 18,
after Carnivore had become a major issue of public concern, EPIC askedthe Justice Department to expedite the processing of its request. WhenDOJ failed to respond within the statutory deadline, EPIC filed suitin U.S. District Court seeking the immediate release of allinformation concerning Carnivore. (See EPIC Alert 7.15).

At an emergency hearing held on August 2, U.S. District Judge JamesRobertson ordered the FBI to report back to the court by August 16 andto identify the amount of material at issue and the Bureau's schedulefor releasing it. The FBI subsequently reported that 3000 pages ofresponsive material were located, but refused to commit to a date forthe completion of processing. EPIC immediately sought a court orderrequiring the FBI to release the material by December 1, 2000 -- whenthe Justice Department plans to release the results of an "independentreview" of the Carnivore system.

In response to EPIC's motion for a disclosure deadline, the JusticeDepartment and the FBI on August 24 moved to dismiss the lawsuit,
claiming that the court has no authority to order the release ofCarnivore documents by any particular date. EPIC responded to thegovernment motion on September 1.

As it was moving to dismiss the FOIA suit, the Justice Departmentfinally revealed the details of its proposed independent review of theCarnivore system. In the request for proposals released on August 24,
DOJ acknowledged that the complete report of the reviewers probablywill not be made available to the public:

The contractor will document the results of the technical review into a draft and final report that the Department will *make public to the maximum extent that is consistent with otherwise applicable law or contractual obligations and with preserving the effectiveness of Carnivore* as a tool for effectuating court-ordered interceptions of electronic communications or related information.
(emphasis added).

USA Today has reported that most of the universities that hadinitially expressed an interest in performing the review are unwillingto do so under the conditions imposed by DOJ. Regardless of itsoutcome, EPIC continues to believe that the proposed independentreview is no substitute for the public disclosure of informationconcerning Carnivore, consistent with the requirements of the FOIA.

More information on EPIC's FOIA litigation, and the DOJ independentreview, is available at:

[3] GAO Study Finds that Government Websites Fail on Privacy Policies

On September 12, the General Accounting Office (GAO) released itsstudy of government website privacy policies and how they conform toFair Information Practices as formulated by the Federal TradeCommission (FTC). The results of the study found that ninety-sevenpercent of government websites failed to address the FTC FairInformation Practices of notice, choice, access, and security. Earlierthis year, a group of House Republicans asked for the study inresponse to the FTC's own recommendation to Congress for legislationover private sector websites.

Of the sixty-five government agency websites surveyed, eighty-fivepercent posted a privacy policy. In addition, fourteen percent of thenotices stated that the website allowed cookies to be placed bythird-parties. Third-party cookies, often used for online profilingby Internet advertising companies, have been the focus of recentprivacy controversies.

While some, on the basis of the GAO's study, have concluded that theresults are evidence that Congress should not be looking intoregulating Internet privacy in the private sector, others have pointedout that citizens already have rights and protections under thePrivacy Act of 1974. The Privacy Act requires government agencies toprovide the full range of Fair Information Practices including access,
purpose specification, use limitation, and data integrity principlesnot fully provided in the FTC's formulation. Also, unlike commercialwebsites, the privacy protections available to visitors to governmentweb pages do not depend on the website operator's own statedpractices.

The GAO Study (1500K PDF) is available online at:
An online version of the Privacy Act of 1974:

[4] New Polls Show Public Support for Privacy

On August 20, the Pew Internet & American Life Project released areport, "Trust and Privacy Online: Why Americans Want to Rewrite theRules," examining the public's attitudes towards privacy and theInternet. The survey of over 2,000 adults found that the majority ofinterviewed online users want the presumption of privacy on theInternet but do not possess the necessary technical knowledge abouthow their privacy may be invaded or how to protect themselves.

The report also documented that 86 percent of Internet users supportan opt-in standard for privacy protection, diverging from the opt-outfavored by the Federal Trade Commission and industry-sponsoredself-regulatory groups. The survey also found that 84 percent ofthose surveyed were concerned about unknown third parties accessingtheir personal information, while 68 percent were concerned abouthackers obtaining their credit card numbers. In addition, while 62percent of those have been online for a short amount of time areconcerned about privacy online, 50 percent of those who have beenonline for more than three years continue to share those sentiments.

A separate survey conducted by Yankelovich Partners found a similarwidespread concern about privacy on the Internet. The survey of over1,000 adults found that 90 percent of respondents felt that privacywas the most pressing concern when shopping online, rating higher thanprices and return policies. The survey also found that 79 percent ofrespondents leave websites when required to provide personalinformation to proceed.

"Trust and Privacy Online: Why American Want to Rewrite the Rules" isavailable at:
An archive of surveys of public attitudes towards Internet privacy isavailable at:

[5] FTC Seeks Public Comment on Security of Financial Data

On August 31, the Federal Trade Commission (FTC) began solicitingpublic comments on the portion of Gramm-Leach-Bliley, the FinancialServices Modernization Act, addressing safeguards and security fornonpublic financial data. Section 501(b) of Gramm-Leach-Blileyrequired the FTC and other agencies with jurisdiction over financialinstitutions to establish rules setting security standards forpersonal financial information. The notice from the FTC does notpropose a rule for security, but instead requests comment on the scopeand specificity of such a rule, as well as how it should work withguidelines produced by other government agencies with jurisdictionover financial institutions.

In related news, the comment period for the Department of Justicestudy on bankruptcy and privacy has been extended to September 22 (seeEPIC Alert 7.15). The study will examine both the privacy of personaldata submitted in the course of bankruptcy filings as well as whethersuch data can be declared as an asset in bankruptcy proceedings.

For more information about the Gramm-Leach-Bliley Safeguards Rule:
For more information on the DOJ Privacy and Bankruptcy study:

[6] EPIC Bill-Track: New Bills in Congress


H.R.4987. Digital Privacy Act of 2000. Updates wiretap statute toinclude greater reporting requirements, higher standards for use ofpen registers, and restrictions on government access to cellular phonelocation information. Sponsor: Rep. Barr, Bob (R-GA). Referred toHouse Committee on the Judiciary.

H.R.5018. Electronic Communications Privacy Act of 2000. Updateswiretap statute to include stored electronic communication. Alsoexpands reporting requirements and raises the legal standard for useof pen registers. Sponsor: Rep. Canady, Charles T. (R-FL). Referred toHouse Committee on the Judiciary, Subcommittee on the Constitution.


S.2360. Freedom From Behavioral Profiling Act of 2000. AmendsGramm-Leach-Bliley (Financial Services Modernization Act) to requireconsent before financial institutions can disclose information about acustomer's purchasing habits or financial practices. Sponsor: Sen.
Shelby, Richard C. (R-AL). Read twice and referred to the Committee onBanking, Housing, and Urban Affairs.

S.2857. Privacy Policy Enforcement in Bankruptcy Act of 2000. Preventspersonal data such as a name, address, or credit card number toclaimed as an asset in bankruptcy proceedings. Sponsor: Sen. Leahy,
Patrick J. (D-VT). Read twice and referred to the Committee on theJudiciary.

S.2928. Consumer Internet Privacy Enhancement Act. Requires commercialwebsites to provide notice and opt-out when collecting personalinformation. Notably, also pre-empts state laws regarding Internetprivacy. Sponsor: Sen. McCain, John (R-AZ). Referred to SenateCommittee on Commerce, Science, and Transportation.

EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Billsin the 106th Congress, is available at:

[7] EPIC Bookstore - The Privacy Law Sourcebook 2000


The Privacy Law Sourcebook 2000: United States Law, International Law,
and Recent Developments edited by Marc Rotenberg

The Privacy Law Sourcebook is the first one-volume resource forstudents, attorneys, researchers and journalists who need acomprehensive collection of US and International privacy law, as wellas a fully up-to-date section on recent developments. Includes thefull texts of most major privacy laws and directives such as the FCRA,
the Privacy Act, FOIA, Family Education Rights and Privacy Act, Rightto Financial Privacy Act, Privacy Protection Act, Cable CommunicationsPolicy Act, ECPA, Video Privacy Protection Act, OECD PrivacyGuidelines, OECD Crytpography Guidelines, European Union Directivesfor both Data Protection and Telecommunications, and more. The PrivacyLaw Sourcebook is updated and expanded for 2000 to include the newCanadian privacy law, the final documents for the Safe Harborarrangement, and recent opinions from the European Commission oncompliance with the EU Data Directive. Also included is an extensivesection on privacy resources with useful web sites and contactinformation for privacy agencies, organizations, and publications.

EPIC Publications:

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, editors, (EPIC 2000).
Price: $20.

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

"Filters and Freedom - Free Speech Perspectives on Internet ContentControls," David Sobel, editor (EPIC 1999). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"Privacy and Human Rights 1999: An International Survey of Privacy Lawsand Developments," David Banisar, Simon Davies, editors, (EPIC 1999).
Price: $15.

An international survey of the privacy and data protection laws foundin 50 countries around the globe. This report outlines theconstitutional and legal conditions of privacy protection, andsummarizes important issues and events relating to privacy andsurveillance.

Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can beordered through the EPIC Bookstore:

[8] Upcoming Conferences and Events

Panel on Online Privacy. DC Internet Society. September 13, 2000.
Library of Congress, Madison Building. Washington, DC. For moreinformation:
Online Privacy Technologies Workshop. National Telecommunications andInformation Administration, Department of Commerce. September 19,
2000. Washington, DC. For more information:
Health Information Privacy: A Dialogue with the Stakeholders.
September 21, 2000. Ottawa, Canada. For more information:
International Forum on Surveillance by Design. Organized by PrivacyInternational, the American Civil Liberties Union, and Quintessenz.
September 22, 2000. London, England. For more information:
KnowRight 2000 - InfoEthics Europe. Austrian Computer Society andUNESCO. September 26-29, 2000. Vienna, Austria. For more information:
The Public Voice in Privacy Policy. EPIC and Privacy International.
September 27, 2000. Venice, Italy. For more information:

Media, Democracy & The Constitution. The Fund for ConstitutionalGovernment. September 27, 2000. National Press Club. Washington, DC.
For more information:
One World, One Privacy: 22nd Annual International Conference onPrivacy and Personal Data Protection. September 28-30, 2000. Venice,
Italy. For more information:

Drawing the Blinds: Reconstructing Privacy in the Information Age.
CPSR's Annual Conference and Wiener Award Dinner. October 14, 2000.
Philadelphia, PA. For more information:

Privacy: A Social Research Conference. New School University. October5-7, 2000. New York, NY. For more information:

Call for Papers. Online, Offshore and Cross-Border: Regulating GlobalE-Commerce. Washington College of Law, American University. October15, 2000. For more information:
Measuring & Analyzing Online Customer Behavior. International Qualityand Productivity Center. October 23-24, 2000. Chicago, IL. For moreinformation:
Privacy2000: Information and Security in the Digital Age. October 31-
November 1, 2000. Columbus, Ohio. For more information:
Mealey's Internet Law 101 Conference. November 1-2, 2000. TysonsCorner, VA. For more information:
2000 BNA Public Policy Forum: e-commerce and internet regulation.
November 15-16, 2000. Tysons Corner, VA. For more information:

Subscription Information

The EPIC Alert is a free biweekly publication of the ElectronicPrivacy Information Center. A Web-based form is available forsubscribing or unsubscribing at:
To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or"unsubscribe".

Back issues are available at:

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email addressfrom this list, please follow the above instructions under"subscription information". Please contact if you haveany other questions.

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC is sponsored by the Fund for Constitutional Government, anon-profit organization established in 1974 to protect civil libertiesand constitutional rights. EPIC publishes the EPIC Alert, pursuesFreedom of Information Act litigation, and conducts policy research.
For more information, e-mail, orwrite EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "The Fund forConstitutional Government" and sent to EPIC, 1718 ConnecticutAve., NW, Suite 200, Washington, DC 20009.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 7.16


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback