WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2000 >> [2000] EPICAlert 2

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 7.02 [2000] EPICAlert 2


Volume 7.02 February 3, 2000

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] EPIC Calls for Withdrawal of FIDNET at Senate Hearing
[2] DoubleClick Faces Lawsuit Over Change in Privacy Practices
[3] Privacy Groups Challenge Proposed FBI Wiretap Standards
[4] New Crypto Export Regulations: Still Not De-Control
[5] Industry Targets DVD Copying in Digital Copyright Suits
[6] Clinton Proposes Privacy Protections in State of Union Address
[7] EPIC Bookstore -- Critical Infrastructure Report
[8] Upcoming Conferences and Events

[1] EPIC Calls for Withdrawal of FIDNET at Senate Hearing

This week the Senate Judiciary Committee reviewed the Administration'scomputer security plan. Civil liberties organizations have criticizedthe National Plan for Information Systems Protection, saying it woulddramatically expand government surveillance of the nation'scommunications networks. They have singled out the Federal IntrusionDetection Network -- FIDNET -- as raising far-reaching threats toAmerican citizens.

Testifying before the committee, Marc Rotenberg, Executive Director ofthe Electronic Privacy Information Center (EPIC), called the FIDNETproposal contrary to "the spirit of the federal wiretap statute, theplain language of the federal Privacy Act, and the history of theFourth Amendment." He said that "the FIDNET proposal, as currentlyconceived, must simply be withdrawn.

EPIC also released a government memo at the hearing, obtained underthe Freedom of Information Act, which indicates that the U.S.
Department of Justice is aware that the FIDNET proposal may violateU.S. law. Other records obtained by EPIC show that the governmentwill use credit card records and telephone toll records as part of itsintrusion detection system. John Tritak, Director of the CriticalInfrastructure Assurance Office, was unable to answer questions put tohim by the committee members regarding what type of personalinformation would be collected by FIDNET.

Rotenberg charged that backers of the security plan were "trying toapply twentieth century notions of national defense to twenty-firstcentury problems of communications security."

Last year, EPIC warned that a similar "critical infrastructureprotection" proposal posed risks to the civil liberties of Americans.
The revised security plan discusses privacy issues in a number ofplaces, but civil liberties organizations contend that the plan islong on rhetoric and short on safeguards. "The plan lacks the legalprotections and independent oversight that would be necessary toprevent abuse," said Rotenberg.

Also testifying at the hearing was Frank Cilluffo, Senior PolicyAnalyst, Center for Strategic and International Studies. The SenateSubcommittee is chaired by Senator John Kyl (R-AZ). Senator Kyl saidthat future hearings will be held on the proposal and that governmentwitnesses will be called to answer specific legal and technicalquestions about the design and operation of FIDNET.

EPIC Testimony on "CyberAttack: The National Protection Plan and itsPrivacy Implications": [PDF]

EPIC Critical Infrastructure Protection Resources Page:

Memo from Ronald D. Lee, Associate Deputy Attorney General, Departmentof Justice to Jeffrey Hunker, Director, Critical InfrastructureAssurance Office regarding the National Information Systems ProtectionPlan, March 8, 1999 (obtained by EPIC under the Freedom of InformationAct):
Memo from Jeffrey Hunker, CIAO to CICG Members regarding "OffsiteMaterials" (obtained by EPIC under the Freedom of Information Act):
White House "National Plan for Information Systems Protection"
(January 7, 2000):
Executive Summary of "National Plan for Information SystemsProtection" (January 7, 2000)

[2] DoubleClick Faces Lawsuit Over Privacy Practices

DoubleClick, one of the largest advertisers on the World Wide Web, hastaken a dramatic new approach in learning about Internet users --
finding out their names and addresses. The move by the company towardpersonally identifying all the information it collects previously drewfire from privacy advocates and now from private citizens.

The change in DoubleClick's strategy was not unexpected by privacyadvocates who have been following their recent acquisitions. In lateNovember, DoubleClick completed a merger with market research firmAbacus Direct. From the dramatic increase in information, DoubleClickhopes to find out more about all Internet users in order to providetargeted one-to-one advertising. Prior to the merger, DoubleClick hadbeen learning about Internet users through the use of cookietechnology -- an Internet protocol that allows for uniqueidentification and tracking. While DoubleClick had been collectingpersonal information before, correlating existing information it hasalready accumulated from Internet users with the data in the Abacusdatabase requires access to personally identifying information such asa name. For that reason, DoubleClick formed the Abacus Alliance -- anunnamed group of Internet websites that will pass on personalinformation to the advertiser.

On January 28, attorneys in California filed a lawsuit alleging thatDoubleClick had unlawfully represented that it was only collectingnon-personally identifying information. Judnick's attorneys are askingfor an injunction against DoubleClick that would prevent any furthercollection of personal information without written consent, an easyway for Internet users to destroy any personal information inDoubleClick's possession, and the destruction of all personalinformation collected without consent in the past.

For more information about DoubleClick and its recent merger withAbacus Direct, see:

[3] Privacy Groups Challenge Proposed FBI Wiretap Standards

On January 20, EPIC and other Internet privacy advocacy groups asked afederal appeals court to block new rules that would enable the FBI todictate the design of the nation's communication infrastructure. Thechallenged rules would enable the Bureau to track the physicallocations of cellular phone users and potentially monitor Internettraffic.

In a brief filed with the U.S. Court of Appeals for the District ofColumbia Circuit, EPIC, the American Civil Liberties Union (ACLU) andthe Electronic Frontier Foundation (EFF) said that the rules --
contained in a Federal Communications Commission (FCC) decision issuedlast August -- could result in a significant increase in governmentinterception of digital communications.

The court challenge involves the Communications Assistance for LawEnforcement Act (CALEA), a controversial law enacted by Congress in1994, which requires the telecommunications industry to design itssystems in compliance with FBI technical requirements to facilitateelectronic surveillance. In negotiations over the last few years, theFBI and industry representatives were unable to agree upon thosestandards, resulting in the recent FCC ruling. EPIC, ACLU and EFFparticipated as parties in the FCC proceeding and argued that theprivacy rights of Americans must be protected.

The groups' court filing asserts that the FCC ruling exceeds therequirements of CALEA and frustrates the privacy interests protectedby federal statutes and the Fourth Amendment. Among other things, theCommission order would require telecommunications providers todetermine the physical locations of cellular phone users and deliver"packet-mode communications" -- such as those that carry Internettraffic -- to law enforcement agencies.

The privacy groups are being represented on a pro bono basis by KurtWimmer and Gerard J. Waldron, attorneys at the Washington law firm ofCovington & Burling, and Carlos Perez-Albuerne, an attorney at theBoston law firm of Choate, Hall & Stewart. Oral argument in the courtchallenge to the CALEA standards is scheduled for May 17, 2000.

In a related development, the Internet Engineering Task Force (IETF)
has published a draft document explaining its decision not to considerrequirements for wiretapping as part of the process for creating andmaintaining IETF standards. Among other things, the draft notes that"[a]dding a requirement for wiretapping will make the designsconsiderably more complex, thereby jeopardizing the security ofcommunications …"

Background materials on CALEA, including the brief filed by EPIC, ACLUand EFF, are available at EPIC's website:

The draft IETF document on wiretapping standards is available at:

[4] New Crypto Export Regulations: Still Not De-Control

The U.S. Commerce Department released its revised encryption exportregulations on January 12. While the new rules will allow for theexport of a wide variety of "retail" encryption products, they fallshort of the Clinton Administration's promise to deregulate theprivacy-enhancing technology. Following the release of the newregulations, EPIC joined the American Civil Liberties Union (ACLU) andthe Electronic Frontier Foundation (EFF) in announcing that the groupswill continue to press pending constitutional litigation challengingencryption controls.

While recognizing that the Administration has taken a positive andlong-overdue step with its latest revisions, the cyber-libertiesgroups believe that the fundamental constitutional defects of theencryption export regime have not been remedied. Specifically:

- The new regulations, like the old ones, impose special requirementson Internet speech, contrary to the Supreme Court's 1997 ruling inReno v. ACLU. The regulations require that the government be notifiedof any electronic "export" of publicly available encryption sourcecode, and prohibit electronic "export" to certain countries. Yetpeople may freely send the same information anywhere on paper.

- The export regulations are still a completely discretionarylicensing scheme. They continue to require licenses for a largeamount of communication protected by the First Amendment, includingtransmitting source code that is not "publicly available," source codethat is "restricted," source code forming an "open cryptographicinterface," and various forms of object code.

- While the new regulations appear to permit free posting ofencryption source code to Internet discussion lists, such posting maybe illegal if the poster has 'reason to know' that it will be read bya person in one of the seven regulated countries (such as Cuba).

- The new regulations still ban providing information on how to createor use some encryption technology as prohibited "technicalassistance." Software publishers can be fined or imprisoned forhelping people to use their code. These same limitations do not applyto non-encryption source code.

In a highly-publicized court case, mathematician Daniel Bernstein haschallenged the export control laws on First Amendment grounds.
Professor Bernstein claims that his right to publish his ownencryption software and share his research results with others overthe Internet is being unconstitutionally restricted by thegovernment's controls. Bernstein won his case at the trial level, andlast year won an appeal in the Ninth Circuit Court of Appeals. Priorto the release of the new regulations, the court had granted thegovernment's request that the appeal be reconsidered by a larger "enbanc" panel of eleven judges, but recently sent the case back to thethree-judge panel that originally heard it for further considerationin light of the new regulations.

A similar case challenging the constitutionality of the export ruleswas brought by the ACLU of Ohio on behalf of Ohio law professor PeterJunger, who wished to publish an electronic version of an encryptionprogram he wrote. The case is pending in the Sixth Circuit FederalCourt of Appeals. EPIC has participated as a "friend-of-the-court" inboth the Bernstein and Junger cases.

The text of the revised encryption regulations is available at:

[5] Industry Targets DVD Copying in Digital Copyright Suits

The movie industry has filed lawsuits in California, New York, andConnecticut to prevent Internet sites from distributing informationabout the DVD Content Scrambling System. A federal judge in adistrict court in New York granted a preliminary injunction January 20against three defendants who provided the decoding software on theirWeb sites. A judge in a California state court granted a preliminaryinjunction the following day against 21 defendants. The contendedprogram, DeCSS, created by a Norwegian programmer, allows users todecode the encryption used on DVDs.

The California case was filed by the DVD Copy Control Association, anindustry trade group, after Christmas against 72 Web sites andindividuals who had either published information about DeCSS orprovided a link to the information from their sites. The DVD-CCAclaims that the defendants are violating their trade secrets bydiscussing the source code used to bypass the DVD encryption schemethrough reverse engineering. The defendants, however, assert that thepurpose of the DeCSS is not to engage in illegal duplication of DVDsbut rather to allow DVDs to operate on computers using the Linuxoperating system. The Global Internet Liberty Campaign, a coalitionof more than 50 civil liberties groups worldwide, issued a statementclaiming that the DVD-CCA's assault could have a severe impact on freeexpression: "We believe that intellectual property owners should notbe allowed to expand their property rights at the expense of freespeech -- particularly when the speech in question explains howcompanies have prevented the dissemination of new scientific ideas."

The New York case and a companion case in a Connecticut federal courtwere filed on Jan. 15 and center upon the Digital Millennium CopyrightAct, a 1998 law that prohibits the distribution of products that cancircumvent copy protection schemes. The Motion Picture Association ofAmerica, as well as six other movie studios, are plaintiffs. Criticsassert that the decoding of encryption schemes is crucial toresearching, developing, and testing information processing systems.
The Electronic Frontier Foundation is providing legal counsel todefendants both in California and New York.

The Global Internet Liberty Campaign statement is available at:
Testimony of EPIC Executive Director Marc Rotenberg on the DigitalMillennium Copyright Act (June 5, 1998) is available at:
The Electronic Frontier Foundation maintains an archive of courtmaterial relating to the DVD-CCA case at:

EFF also maintains an archive of court material relating to the MPAADVD cases at:

[6] Clinton Proposes Privacy Protections in State of Union Address

In President Clinton's State of the Union speech on January 27, hebrought attention to the growing need to protect personal informationin the next century.

After referring to the recent growth of information technology, hereminded his audience that technology has to be carefully directed inorder to assure that its reach does not compromise societal values.
Additionally, he said, "First and foremost, we have to safeguard ourcitizens' privacy."

Specifically, he mentioned the ongoing rule-making process overmedical privacy regulations, the need for stronger protections overfinancial records, and more work on preventing genetic discriminationfrom insurers and employers.

The full text of the President's speech is available at:

[7] EPIC Bookstore -- Critical Infrastructure Report

Critical Infrastructure Protection and the Endangerment of CivilLiberties: An Assessment of the President's Commission on CriticalInfrastructure Protection (PCCIP) by Wayne Madsen.
Excerpt from the Executive Summary:

On July 15, 1997, President Clinton signed Executive Order 13010,
which established the President's Commission on CriticalInfrastructure Protection (PPCIP). The Executive Order listed eightsectors that the PCCIP was to examine for security vulnerabilities.
They are: telecommunications, electrical power systems, gas and oilstorage and transportation, banking and finance, transportation, watersupply systems, emergency services, and continuity of government.

President Clinton appointed retired Air Force General Robert T. Marshto chair the PCCIP. Although the commission, its Steering Committee,
and its Advisory Committee were composed of members of government andindustry, the membership of the three bodies consisted of a majorityof military and intelligence representatives.

PCCIP's report, issued in October 1997, contained many recommendationsthat have the potential to curtail a number of important civilliberties, including freedom of speech and freedom of information.
Although the report concluded there was no evidence of an "impendingcyber attack which could have a debilitating effect on the nation'scritical infrastructure," it did recommend a new bureaucratic securityestablishment with expansive authority. If not properly monitored andcontrolled, these new national security structures andintelligence-sharing networks, in addition to those that alreadyexist, may, instead of protecting the national infrastructure, be usedby the government and private corporations to further erode theprivacy of U.S. and foreign citizens.

Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can beordered through the EPIC Bookstore:

[8] Upcoming Conferences and Events

Privacy, Security & Confidentiality of Medical Records 2000: ComplyingWith New HIPAA Regulations. NonProfit Management. One Day Seminars.
Various Locations and Times. For more information:
Federal Trade Commission Advisory Committee on Online Privacy andSecurity. Series of Meetings. Federal Trade Commission Headquarters.
Washington, D.C. For more information:

Cyberspace and Privacy: A New Legal Paradigm? February 7, 2000.
Stanford Law School. Stanford, CA. For more information: or
Santa Clara University Computer and High Technology Journal Symposiumon Internet Privacy. February 11-12, 2000. For more information:
Government Technology Conference 2000. February 14-18, 2000. AustinConvention Center. Austin, TX. For more information:
E-Commerce and Privacy: Implementing the New Law. Riley InformationServices. February 21, 2000. Westin Hotel, Ottawa. For moreinformation:

Financial Cryptography '00. International Financial CryptographyAssociation. February 21-24, 2000. InterIsland Hotel. Anguilla, BritishWest Indies. For more information:

The New Wave of Privacy Protection in Canada. BC Freedom of Informationand Privacy Association and Riley Information Services. March 9-10,
2000. Hotel Vancouver. Vancouver, British Columbia. For moreinformation:
HIPAA Security and Privacy Requirements: A How To Blueprint forCompliance. MIS Training Institute. Two-day Seminars. Various Locationsand Times. For more information:
Entrust SecureSummit 2000. May 1-4, 2000. Hyatt Regency Dallas atReunion. Dallas, Texas. For more information:
Shaping the Network: The Future of the Public Sphere in Cyberspace.
Computer Professionals for Social Responsibility (CPSR). Call forPapers -- Abstracts Due February 15. May 20-23, 2000. Seattle,
Washington. For more information:
Telecommunications: The Bridge to Globalization in the InformationSociety. Biennial Conference of the International TelecommunicationsSociety. July 2-5, 2000. For more information:

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic PrivacyInformation Center. A Web-based form is available for subscribing orunsubscribing at:
To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or"unsubscribe".

Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interest researchcenter in Washington, DC. It was established in 1994 to focus publicattention on emerging privacy issues such as the Clipper Chip, theDigital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsoredby the Fund for Constitutional Government, a non-profit organizationestablished in 1974 to protect civil liberties and constitutionalrights. EPIC publishes the EPIC Alert, pursues Freedom of InformationAct litigation, and conducts policy research. For more information,
e-mail, or write EPIC, 666Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240(tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible. Checksshould be made out to "The Fund for Constitutional Government" and sentto EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for the rightof privacy and efforts to oppose government regulation of encryptionand expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 7.02


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback