WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2000 >> [2000] EPICAlert 19

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 7.19 [2000] EPICAlert 19


Volume 7.19 October 31, 2000

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Federal Filtering Mandate Moves Toward Enactment
[2] Opposition Grows to "Anti-Leak" Secrecy Legislation
[3] U.S. Copyright Office Announces Exceptions to DMCA
[4] International NGOs Oppose Draft Computer Crime Convention
[5] U.S. Implements Relaxed Encryption Export Controls
[6] IETF Issues New RFCs on Cookies
[7] EPIC Bookstore - Secrets and Lies
[8] Upcoming Conferences and Events

[1] Federal Filtering Mandate Moves Toward Enactment

Despite strong opposition from education, library and civil libertiesorganizations, Congress appears to be on the verge of adopting amandatory requirement for schools and libraries to install Internetfiltering software (see EPIC Alert 7.17). The filtering mandate wasattached to the appropriations bill for the Departments of Labor,
Health and Human Services, and Education by Sen. John McCain (R-AZ)
and Rep. Ernest Istook (R-OK). Although the $350 billion spendingbill is currently tied up in partisan wrangling, the White House andRepublican leaders appear to have reached an agreement on thefiltering provision.

The bill would require schools and libraries to use "technologyprotection measures" to block access to obscenity and childpornography on all computers and material "harmful to minors" on allcomputers used by minors. It would also require schools and librariesto hold public hearings on creating "Internet safety policies," acomponent of which would include the mandatory technological solution.

Congress is moving ahead with the filtering mandate despite growingevidence that filtering systems block access to valuable material thatis not even arguably "pornographic." A joint report released lastweek by EPIC and -- "Mandated Mediocrity: BlockingSoftware Gets a Failing Grade" -- illustrates the dangers of blockingsoftware in public schools. The report documents how N2H2's popularsoftware package "Bess" blocks access to a large number of educationaland political webpages.

If, as now appears likely, the filtering mandate is enacted into law,
the issue is likely to reach the courts, where prior legislation onInternet content regulation, such as the Communications Decency Actand Child Online Protection Act have been ruled unconstitutional.
EPIC participated in the challenges to those earlier measures and willlikely join other organizations in challenging mandatory filteringrequirements.

In a related development, three U.S.-based websites today re-posted aprogram that reveals a list of Web sites blocked by the Cyber Patrolfiltering software package. The site operators had been coerced intoremoving the program because of Cyber Patrol's claim that doing sowould violate its copyright. But a First Circuit Court of Appealsreview of a lower court decision last month confirmed the operators'
belief that they are not bound by the earlier ruling. In a furthervindication of the operators' position, final copyright lawregulations issued last week by the Library of Congress recognize theimportant free speech rights at stake, and exempt from the new digitalcopyright law any "reverse engineering" of, or unauthorized access to,
filtering software in order to expose lists of blocked sites (see item3, below).

Additional information on the Cyber Patrol case is available at:

The EPIC/Peacefire report "Mandated Mediocrity: Blocking Software Getsa Failing Grade" is available at:

[2] Opposition Grows to "Anti-Leak" Secrecy Legislation

President Clinton is being urged to veto legislation that wouldgreatly increase the secrecy of government information and possiblyauthorize intrusive investigations. The provision, which Congresspassed on a voice vote, is being compared to Britain's infamous"Official Secrets Act." The legislation, which was enacted withoutpublic hearings as part of the Intelligence Authorization Act (H.R.
4392), criminalizes the disclosure by government officials of a broadarray of classified or "classifiable" information. "Classifiable"
information is any unclassified information which a governmentofficial later determines should have been classified but was not.
Although the law only applies to disclosures by government employees,
investigators could subpoena journalists' notebooks, computer disks,
phone records, and other private information in order to pursuegovernment leakers.

The "anti-leak" legislation was requested by the Central IntelligenceAgency, which claims its operations have been compromised by newspaperarticles based on leaks of classified information. Although JusticeDepartment officials assert that the provision was narrowly draftedand merely fills gaps in existing disclosure laws, many journalistsand free speech advocates oppose the bill. Representing the two endsof the political spectrum, Reps. Bob Barr (R-GA) (a former CIAattorney) and John Conyers (D-MI) have both voiced opposition to thebill. Barr lambasted the bill in the House, stating, "Thislegislation contains a provision that will create -- make no mistakeabout it, with not one day of hearings, without one moment of publicdebate, without one witness -- an official secrets act."

Current law makes it a crime to disclose classified information if thedisclosure aids a foreign government, exposes covert intelligenceagents or relates to national defense. The breadth of the newlegislation is subject to dispute, with critics saying it would covervirtually all classified information, and the Justice Departmentclaiming that it includes only disclosures of information that wouldharm national security. The legislation's critics believe that thisambiguity would have a chilling effect on public debate.

Although White House officials had initially signed off on thelegislation, opinion within the Administration is reportedly changingin response to the strong opposition to the bill. The president hasuntil Nov. 4 to act on the measure. Opponents of the secrecyprovision are also seeking the passage of new legislation to delay theeffective date of the criminal liability provision of the secrecy billuntil 2002.

Additional details, including contact information for key members ofCongress, is available at the website of the Government AccountabilityProject:

[3] U.S. Copyright Office Announces Exceptions to DMCA

On October 27, the U.S. Copyright Office issued its final ruleimplementing the anti-circumvention provisions of the DigitalMillennium Copyright Act (DMCA). The statutory provisions prohibitthe circumvention of technical measures that prevent the unauthorizedcopying, transmission or access of copyrighted works, subject to thisrulemaking of the Copyright Office.

The final rule establishes two exceptions to the anti-circumventionprovisions. The first exception will allow users of Internet contentfiltering programs to view lists of websites blocked by such software.
The Copyright Office recognized a First Amendment interest in accessto this information and stated the need for circumvention in thisinstance "since persons who wish to criticize and comment on themcannot ascertain which sites are contained in the lists unless theycircumvent." This exception to the DMCA rule will likely impact theongoing public debate about filters. In March, two programmers whorevealed the list of thousands of websites blocked by the Internetfiltering program Cyber Patrol faced charges of copyright violation(see EPIC Alert 7.05). The second exception is for software programsthat malfunction or are damaged and fail to permit lawful use. Theexceptions went into effect on October 28 and will be re-evaluated in2003.

The American Library Association (ALA), in conjunction with theAmerican Association of Law Libraries, the Medical Library Associationand the Special Libraries Association, have argued for broaderexceptions. The library groups, as well as educational associationsand technical experts, believe that restrictive anti-circumventionprovisions could restrict public access to copyrighted works,
especially if digital publishers move towards a pay-per-use model.
In a public statement, the ALA stated that "users of digitalinformation will have fewer rights and opportunities than users ofprint information."

In 1998, EPIC Executive Director Marc Rotenberg testified inopposition to the DMCA, stating that the bill would diminish onlineprivacy and warned that "the anti-circumvention language in section1201 is extraordinarily broad and will have all sorts of unintendedconsequences." EPIC said that the "crime of circumvention should bespecifically linked to the actual infringing act and not simply theuse of a particular technique that may or may not be harmful." EPICalso recommended the development of techniques to protect copyrightedworks that did not track the activities of Internet users. Some ofthese concerns were addressed in the final version of the DMCA butothers were not.

American Library Association (ALA) Office for Information TechnologyPolicy's Anti-Circumvention Page:
U.S. Copyright Office, Rulemaking on Exemptions from Prohibition onCircumvention:
EPIC Testimony before the House Committee on International Relationson Copyright and Privacy:

[4] International NGOs Oppose Draft Computer Crime Convention

On October 18, members of the Global Internet Liberty Campaign (GILC),
an international coalition of civil liberties and human rights groups,
voiced their opposition to the Council of Europe's Convention onCyber-Crime. The Cyber-Crime Convention first appeared in April andwas recently discussed at an October 24 meeting of the Group of Eight(G-8) in Berlin.

In a letter addressed to the Council of Europe (COE) Secretary Generaland Committee of Cyber-Crime experts, the groups stated that the drafttreaty runs "contrary to well established norms for the protection ofthe individual, that it improperly extends the police authority ofnational governments, that it will undermine the development ofnetwork security techniques, and that it will reduce governmentaccountability in future law enforcement conduct."

The organizations went on to say that the Convention would requireInternet companies to retain records of customer activity and monitorpersonal communications. The draft Convention would also criminalizecopyright violations and discourage the development of networksecurity tools. Other sections of the international agreement wouldencourage law enforcement access to stored records and encryption keyswithout sufficient legal safeguards and expand surveillance powers.

The Council of Europe plans to finalize its Convention on Cyber-Crimein December. The GILC member letter is still open for signatures fromInternet users' organizations. If you are a member of an organizationthat opposes the Cyber-Crime treaty and seeks to protect the rights ofall Internet users, send an email to

Global Internet Liberty Campaign Member Letter on Council of EuropeConvention on Cyber-Crime:

[5] U.S. Implements Relaxed Encryption Export Controls

On October 19, the U.S. Department of Commerce's Bureau of ExportAdministration (BXA) published an amendment to its export regulationson encryption products. The new rule amends the Export AdministrationRequirements (EAR) and liberalizes exports and re-exports ofencryption products to the fifteen European Union member states plusAustralia, the Czech Republic, Hungary, Japan, New Zealand, Norway,
Poland and Switzerland.

Encryption products may now be exported to these countries and to theoffices of firms, organizations and governments headquartered there,
under license exemption. Exporters may ship these productsimmediately upon filing a commodity classification with the Bureau ofExport Administration without waiting for a full review andclassification. Technical reviews and post-reporting requirements areremoved for consumer products preloaded with encryption software andshort range wireless technologies. Reporting requirements are alsoreduced for foreign-based U.S. distributors including subsidiaries ofU.S. companies. Finally, encryption source code may now be exportedto non-government end users once a classification request is filed.

The Administration announced its intention to update its encryptionpolicy on July 17 in response to the European Union's decision earlierthat month to revise its restrictions on certain "dual use"
technologies. Under the European Union's previous export regime,
encryption products could only be exported to countries outside theEU upon the issuance of a special license from national authorities.
The new regulations allow member states to obtain a single license forthe export of most dual use goods to other member states and tennon-EU countries including the U.S., Canada and Japan. The U.S.
Administration had promised, since January 2000, that it would matchany relaxation on the export of encryption products introduced by theEuropean Union in order to assure the competitiveness of U.S.
companies internationally.

The text of the revised rules are available at:
For more information about the availability of cryptography worldwide,
see "Cryptography & Liberty 2000: An International Survey ofEncryption Policy":

[6] IETF Issues New RFCs on Cookies

The Internet Engineering Task Force (IETF) has posted two new RequestsFor Comments (RFCs) that address privacy issues surrounding the use ofcookies.

RFC 2965 ("HTTP State Management Mechanism") is a proposed standardreplacing RFC 2109, one of the first cookie documentations. Theupdated RFC pays particular attention to the privacy standards forcookie use. The document states that "Informed consent should guidethe design of systems that use cookies." In the protocol, both theserver setting the cookie and the web browser should incorporate aninformed consent standard.

RFC 2964 ("Use of HTTP State Management") discusses Best CurrentPractices for the use of cookies. While pointing out the positivepurposes for cookies, the document also recommends that cookies shouldbe used only with the user's awareness, the user's ability to deletecookies, and assurances that information collected through tracking isnot passed onto third parties without explicit consent.

EPIC's view is that these proposals are a step in the right directionand could help limit several of the current problems with cookiemisuse. At the same time, the RFCs place too much emphasis on"informed consent" and not enough on the ongoing obligations oforganizations that collect personal information that are typicallyfound in privacy standards based on "Fair Information Practices."
EPIC recommends that the RFCs be further revised to comply with theOECD Privacy Guidelines.

The IETF Request For Comments (RFCs) can be found at:
Also check out the EPIC Cookies page:

[7] EPIC Bookstore - Secrets and Lies

Secrets and Lies: Digital Security in a Networked World, by BruceSchneier
Internationally recognized information security expert Bruce Schneierprovides a practical, straightforward guide to understanding andachieving security throughout computer networks. Schneier uses hisextensive field experience with his own clients to dispel the mythsthat can mislead you while trying to build secure systems. He alsoclearly covers everything you'll need to know to protect yourcompany's digital information. And he shows you how to assess yourbusiness and corporate security needs so that you can choose the rightproducts and implement the right processes.

EPIC Publications:

"Privacy & Human Rights 2000: An International Survey of Privacy Lawsand Developments," David Banisar, author (EPIC 2000).
Price: $20.

This survey, by EPIC and Privacy International, reviews the state ofprivacy in over fifty countries around the world. The survey examinesa wide range of privacy issues including, data protection, telephonetapping, genetic databases, ID systems and freedom of informationlaws.

"The Privacy Law Sourcebook 2000: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2000).
Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, editors (EPIC 2000).
Price: $20.

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

"Filters and Freedom - Free Speech Perspectives on Internet ContentControls," David Sobel, editor (EPIC 1999). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can beordered through the EPIC Bookstore:

[8] Upcoming Conferences and Events

Privacy2000: Information and Security in the Digital Age.
October 31-November 1, 2000. Columbus, Ohio. For more information:
Mealey's Internet Law 101 Conference. November 1-2, 2000. TysonsCorner, VA. For more information:
Call for Papers. First International Conference on Human Aspects ofthe Information Society. Information Management Research Institute,
University of Northumbria at Newcastle. November 10, 2000. Newcastleupon Tyne, England. For more information:
Data Protection and System Design Workshop. Innovation ThroughElectronic Commerce: 3rd International Conference. November 14, 2000.
Manchester, England. For more information:

2000 BNA Public Policy Forum: e-commerce and internet regulation.
November 15-16, 2000. Tysons Corner, VA. For more information:
Privacy by Design: The Future of Privacy Compliance and Business.
Zero-Knowledge Systems. November 19-21, 2000. Le Château Montebello,
Quebec. For more information:

Managing the Privacy Revolution. Privacy and American Business'sSeventh Annual Conference. November 28-30, 2000. Washington, DC. Formore information:
16th Annual Computer Security Applications Conference (ACSAC).
December 11-15, 2000. New Orleans, Louisiana. For more information:
Network and Distributed System Security Symposium (NDSS '01). InternetSociety. February 7-9, 2001. San Diego, CA. For more information:

Online, Offshore and Cross-Border: Regulating Global E-Commerce.
Washington College of Law, American University. March 30, 2001.
Washington, DC. For more information:

Subscription Information

The EPIC Alert is a free biweekly publication of the ElectronicPrivacy Information Center. A Web-based form is available forsubscribing or unsubscribing at:
To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or"unsubscribe".

Back issues are available at:

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email addressfrom this list, please follow the above instructions under"subscription information". Please contact if you haveany other questions.

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information,
e-mail, or write EPIC, 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 7.19


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback