EPIC Alert 7.20 [2000] EPICAlert 20


Volume 7.20 November 14, 2000

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] President Vetoes "Official Secrets Act" Legislation
[2] California Enacts New Privacy Laws
[3] IRS Gains Access to Overseas Credit Card Accounts
[4] Information Brokers Challenge Financial Privacy Rules
[5] Poll Finds Strong Majority Concerned About Online Privacy
[6] "Safe Harbor" Arrangement Begins
[7] EPIC Bookstore - Rethinking PKI and Digital Certificates
[8] Upcoming Conferences and Events

[1] President Vetoes "Official Secrets Act" Legislation

President Clinton on November 4 vetoed legislation that would have made leaking of government secrets a criminal act (see EPIC Alert 7.19). The president, in his veto message, said he agreed that some leaks "can be extraordinarily harmful" to national security. But he agreed with critics of the provision who argued that the new penalties could silence whistle-blowers: "We must never forget that the free flow of information is essential to a democratic society." The provision, which was contained in an intelligence spending bill (H.R. 5630), would have extended penalties that now exist for leaking classified, national defense information, to the leaking of other classified, but nondefense data that could harm the United States if made public or given to foreign governments.

A broad coalition of public interest groups -- including EPIC -- said that the legislation was likely to stifle public debate on important policy matters. Several of the nation's largest news organizations -- including CNN, The Washington Post, The New York Times and the Newspaper Association of America -- also appealed to Clinton to veto the bill. The legislation's opponents said it amounted to the nation's first "Official Secrets Act," and noted that even members of Congress would be subject to criminal charges for leaking classified information.

In his veto statement, Clinton said, "As president ... it is my responsibility to protect not only our government's vital information from improper disclosure but also to protect the rights of citizens to receive the information necessary for democracy to work." He added that it requires a careful balance to reconcile the goals of protecting national security and the public's right to know. "This legislation does not achieve the proper balance."

On November 13, the House voted to again pass the intelligence authorization bill, without the controversial secrecy provision.

President Clinton's veto statement is available at:

[2] California Enacts New Privacy Laws

In October, California Governor Gray Davis signed into law six new privacy measures aimed at protecting consumers' privacy and protecting against identity theft. One of the new laws establishes the first dedicated U.S. privacy protection agency within the Department of Consumer Affairs. The new Office of Privacy Protection will operate as a central clearinghouse for privacy complaints and will provide information, advice and referrals to consumers to help resolve privacy disputes and concerns.

Another law requires businesses to destroy customer records containing personal information by shredding them, erasing them or otherwise making them unreadable. Two of the laws specifically address the growing problem of identity theft. The first allows victims of identity theft to seek the assistance of the courts in clearing their names and restoring their identities. The second allows those victims to join law enforcement in accessing a statewide database documenting identity theft crimes. Under the fifth law, credit card companies will have to give consumers an opportunity to "opt-out" annually of having their personal information shared. The final law prohibits consumer credit reporting agencies from including medical information, provided for insurance purposes, in consumer credit reports.

This new package of laws, coupled with the state's strong constitutional right to privacy, clearly establishes California as the leading U.S. state in the protection of individual privacy.

Press release from the California Department of Consumer Affairs discussing the new legislation:

[3] IRS Gains Access to Overseas Credit Card Accounts

A federal judge on October 30 granted the Internal Revenue Service (IRS) access to thousands of MasterCard and American Express credit card accounts held by U.S. taxpayers in several offshore banking havens. U.S. District Judge Adalberto Jordan's order allows the IRS to issue summonses for information concerning charge, debit and credit cards issued by banks in the Cayman Islands, Bahamas and Antigua and Barbuda in 1998 and 1999. Banks in the targeted jurisdictions require customers to open bank accounts before obtaining credit cards, so obtaining the names of cardholders produces the names of bank account holders as well.

IRS investigators are reportedly interested in reviewing things like car, boat and airline ticket purchases and hotel and car rentals to determine whether credit card account holders are living beyond their reported means. Offshore credit accounts are legal for U.S. taxpayers, but they are required to file forms with the IRS disclosing them. The three nations targeted by the IRS have long been identified by U.S. authorities as offshore tax havens and centers of money laundering. An affidavit filed by the IRS with the summons request claimed the U.S. Treasury loses an estimated $70 billion yearly from individual taxpayers who use offshore accounts to evade taxes.

Promoters of offshore accounts often claim that they can be used to shelter income because the U.S. government cannot penetrate some foreign banking secrecy laws. But the IRS believed it could avoid those laws by getting records through the Miami headquarters of the companies' Caribbean operations, an approach that Judge Jordan accepted.

MasterCard International issued a brief statement saying it has "always cooperated with, and will continue to cooperate with, investigations by governmental agencies." The company added that it is "mindful of customers' privacy concerns."

[4] Information Brokers Challenge Financial Privacy Rules

An industry association representing information brokers -- the Individual Reference Services Group (IRSG) -- has challenged the Federal Trade Commission's (FTC) newly-enacted financial privacy rules. As one of the federal agencies promulgating privacy rules under the Financial Services Modernization Act (Gramm-Leach-Bliley), the FTC designated credit headers as a type of personal financial information subject to opt-out privacy protections (see EPIC Alert 7.10). Credit headers, so-called because they are at the top of credit reports, contain information such as names, addresses, phone numbers, and Social Security numbers. IRSG companies sell credit header information to direct marketers, private investigators, and other information brokers.

The IRSG complaint, filed in the U.S. District Court for the District of Columbia, alleges that the FTC credit header rule unlawfully expands the definition of non-public personal information contained in the legislation, and that it improperly supersedes the Fair Credit Reporting Act, which has not traditionally protected credit header information. The FTC contends that its rulemaking follows the law's legislative intent.

In related privacy news, the Social Security number provisions contained in the Commerce-Justice-State appropriations bill were singled out in a veto threat letter sent by President Clinton to Congress before the election recess. The Social Security number provisions are opposed by consumer and privacy groups (see EPIC Alert 7.18). The provisions are still included in the appropriations bill which has yet to pass and is pending before the current lame duck Congress.

The FTC's final financial privacy rules (PDF) are available at:

See President Clinton's letter threatening to veto the Commerce-Justice-State Appropriations bill:

[5] Poll Finds Strong Majority Concerned About Online Privacy

A newly released Gallup poll finds that a majority of Americans are concerned about their privacy on the Internet. The Gallup survey, which was commissioned by the MedicAlert Foundation, an emergency medical information service, questioned individuals' willingness to transmit personal health information over the Internet.

As a result of privacy concerns, only seven percent of all respondents said that they would be willing to store or transmit personal health information on the Internet. Seventy-seven percent of respondents considered the privacy of their health and medical information to be very important, and 84 percent said that they would be concerned if that information was made available to others without their consent.

Whereas 90 percent of respondents said that they trust their own doctor to keep their personal health information private and secure, only eight percent would trust an Internet website to do the same. Thirty percent said that they would be more willing to disclose this information on the Internet if they could be assured of its privacy and security.

A summary of the results of the Gallup survey is available at:

[6] "Safe Harbor" Arrangement Begins

On November 1, the long-negotiated Safe Harbor agreement formally went into effect. Safe Harbor allows U.S. companies to voluntarily subscribe to a set of principles and procedures for the handling of data originating in the European Union. The EU Data Protection Directive requires that an adequate level of privacy protection exist before any personal information can be transferred to a third country. The European Commission has agreed that any U.S. company that subscribes to Safe Harbor should be deemed to be providing an adequate level of privacy protection for such data.

The U.S. Department of Commerce maintains the official list of U.S. companies that join the arrangement. Both the European Commission and U.S. government officials are expected to monitor the number of companies that join over the next few months. Due to earlier opposition from the European Parliament to the agreement, the European Commission is expected to review the arrangement by the middle of next year.

Since the beginning of the month, only one U.S. entity -- TRUSTe -- has joined the system.

To see the Safe Harbor list, as well as related materials:

Past comments on Safe Harbor are available from the TransAtlantic Consumer Dialogue:

[7] EPIC Bookstore - Rethinking PKI and Digital Certificates

Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy by Stefan A. Brands

As paper-based communication and transaction mechanisms are replaced by automated ones, traditional forms of security such as photographs and handwritten signatures are becoming outdated. Most security experts believe that digital certificates offer the best technology for safeguarding electronic communications. They are already widely used for authenticating and encrypting email and software, and eventually will be built into any device or piece of software that must be able to communicate securely. There is a serious problem, however, with this unavoidable trend: unless drastic measures are taken, everyone will be forced to communicate via what will be the most pervasive electronic surveillance tool ever built. There will also be abundant opportunity for misuse of digital certificates by hackers, unscrupulous employees, government agencies, financial institutions, insurance companies, and so on.

In this book Stefan Brands proposes cryptographic building blocks for the design of digital certificates that preserve privacy without sacrificing security. Such certificates function in much the same way as cinema tickets or subway tokens: anyone can establish their validity and the data they specify, but no more than that. Furthermore, different actions by the same person cannot be linked. Certificate holders have control over what information is disclosed, and to whom. Subsets of the proposed cryptographic building blocks can be used in combination, allowing a cookbook approach to the design of public key infrastructures. Potential applications include electronic cash, electronic postage, digital rights management, pseudonyms for online chat rooms, health care information storage, electronic voting, and even electronic gambling.

EPIC Publications:

"Privacy & Human Rights 2000: An International Survey of Privacy Laws and Developments," David Banisar, author (EPIC 2000).
Price: $20.

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

"The Privacy Law Sourcebook 2000: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000).
Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, editors (EPIC 2000).
Price: $20.

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

"Filters and Freedom - Free Speech Perspectives on Internet Content Controls," David Sobel, editor (EPIC 1999). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore:

[8] Upcoming Conferences and Events

Election 2000: Implications for Science & Technology. Washington Science Policy Alliance. November 15, 2000. Washington, DC. For more information:

2000 BNA Public Policy Forum: e-commerce and internet regulation. November 15-16, 2000. Tysons Corner, VA. For more information:

Privacy by Design: The Future of Privacy Compliance and Business. Zero-Knowledge Systems. November 19-21, 2000. Le Château Montebello, Quebec. For more information:

Managing the Privacy Revolution. Privacy and American Business's Seventh Annual Conference. November 28-30, 2000. Washington, DC. For more information:

Government Secrecy in a New Administration and a New Century. Information Security Oversight Office and the James Madison Project. December 5, 2000. Washington, DC. For more information:

16th Annual Computer Security Applications Conference (ACSAC). December 11-15, 2000. New Orleans, Louisiana. For more information:

Network and Distributed System Security Symposium (NDSS '01). Internet Society. February 7-9, 2001. San Diego, CA. For more information:

EUROSEC 2001: Forum sur la Sécurité des Systèmes d'Information. XP Conseil. March 13-15, 2001. Paris, France. For more information:

Online, Offshore and Cross-Border: Regulating Global E-Commerce. Washington College of Law, American University. March 30, 2001. Washington, DC. For more information:

First International Conference on Human Aspects of the Information Society. Information Management Research Institute, University of Northumbria at Newcastle. April 9-11, 2001. Newcastle upon Tyne, England. For more information:

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact if you have any other questions.

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail, or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 7.20

