WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2000 >> [2000] EPICAlert 5

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 7.05 [2000] EPICAlert 5


Volume 7.05 March 22, 2000

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Revised Safe Harbor Proposal Released
[2] New Survey Shows Strong Support for Privacy Laws
[3] Echelon Surveillance Controversy Heats Up in Europe
[4] Cyber Patrol Hackers Face Legal Proceedings
[5] Problems with Online Advertising Persist
[6] EPIC Submits Comments on Legal Barriers to E-Commerce
[7] EPIC Bookstore -- EPIC Publications
[8] Upcoming Conferences and Events

[1] Revised Safe Harbor Proposal Released

On March 17, the International Trade Administration of the U.S.
Department of Commerce publicly released the current version of theSafe Harbor proposal. The Safe Harbor negotiations between Americanand European authorities have dragged on for more than two years, andthis most recent version of the principles represents some progress.

EU citizens are currently legally protected by the EU Data ProtectionDirective which prevents information from being sent to jurisdictionsthat do not offer similarly adequate protections. Safe Harbor is avoluntary arrangement coordinated by the Dept. of Commerce for thepurpose of satisfying the adequacy requirement of the EU Directive.
The new proposal sets out obligations that American companies wouldhave to provide to European data subjects including: notice, choice(opt-in for sensitive information, opt-out otherwise), onwardtransfer, security, data integrity, access and enforcement. Companieschoosing to join Safe Harbor can do so in several ways includingjoining self-regulatory programs that adhere to these guidelines. Inall the various options, the Federal Trade Commission (FTC) would haveultimate enforcement authority over any company's compliance with theprinciples.

While U.S. negotiators prematurely announced that an agreement hadbeen reached, significant issues still remain. Enforcement remains akey issue in the arrangement. Both self-regulatory programs and theFTC do not have a good record in following up on privacy complaints intheir jurisdictions. Further, many of the provisions in the SafeHarbor proposal, such as the access provision, provide fewer rights toEuropean citizens than would otherwise be available under the DataDirective. In addition, the Safe Harbor principles would offerlittle direct support for greater privacy protections for U.S.
consumers despite growing public support (see item

At the end of this month, the Article 31 Committee, charged withoverseeing the implementation of the EU Directive, will meet and voteon whether or not to accept the proposal. After the expectedapproval, the EU Commission could review the arrangement as early asthis May.

On the U.S. side, the proposal is subject to public comment untilMarch 28, 2000. The Commerce Department requests that all commentsbe submitted electronically in an HTML format to the following emailaddress: If your organization does not havethe technical ability to provide comments in an HTML format, pleaseforward them in the body of the email, or in a Word or WordPerfectformat. If necessary, hard copies of comments can be mailed to theElectronic Commerce Task Force, U.S. Department of Commerce, Room2009, 14th and Constitution Ave., NW, Washington DC 20230, or faxedto 202-501-2548. Please direct any questions to Becky Richards or 202-482-5227.

EPIC recommends that commentators consider whether the currentself-regulatory approach provides an adequate level of privacyprotection.

The current set of Safe Harbor Principles is available at:
Information and news on the EU Data Protection Directive:

[2] New Survey Shows Strong Support for Privacy Laws

A survey conducted by Harris Interactive demonstrates strong publicsupport for legal protections over personal information. Fifty-sevenpercent of respondents said "the government should pass laws now forhow personal information can be collected and used on the Internet".
In comparison, only 15 percent expressed support for allowing industrygroups to develop voluntary privacy standards.

Other statistics produced by the survey shed light on growing concernsabout privacy. Forty-one percent of online consumers were veryconcerned over the use of personal information by Internet companies.
The last time the same question was asked in 1998, only 31 percent ofrespondents were similarly concerned. The survey also addressed therecent online profiling business models. When asked about whetherthey were comfortable with websites merging browsing habits withreal-life identities, fully 68 percent were "not at all comfortable"
and an additional 21 percent were "not very comfortable."

The poll appeared in the March 20 issue of Business Week and isavailable online at:

[3] Echelon Surveillance Controversy Heats Up in Europe

Public concern over the Echelon surveillance system is growing inEurope. Next week in Strasbourg, France, the European Commissionintends to issue a statement about Echelon, communicationssurveillance, and allegations of U.S. industrial espionage, accordingto Graham Watson, chairman of the European Parliament's Citizens'
Rights Committee. The Commission -- the official government body ofthe European Union -- has previously denied knowledge of documents orfactual information concerning these issues.

During the same plenary session, the European Parliament will be askedto establish a formal commission of inquiry into communicationssurveillance. The motion to appoint a commission has been proposed bythe Parliament's Green grouping. Early this week, the group wasreporting that 130 of the required 160 signatures had already beenobtained in support of their proposal.

The Commission statement scheduled for next week will respondspecifically to the "Interception Capabilities 2000" report, which waspresented to the Citizens' Rights Committee on February 23 by Britishjournalist Duncan Campbell. Since then, the controversy has beensignificantly enlarged by a series of publications and briefings fromJames Woolsey, who served as Director of the Central IntelligenceAgency from 1993 to 1995. In his most recent statement, an op-ed inthe Wall Street Journal published on March 17, Woolsey told Europeansto "get real" about U.S. spying. Woolsey referred to examples citedby Campbell where surveillance had taken place against two Frenchcompanies and stated, "That's right, my continental friends, we havespied on you because you bribe". Both companies involved, Thomson-CSFand Airbus Industrie, quickly issued statements denying Woolsey'scharges.

This spring, Campbell is working with EPIC in Washington, DC asSenior Research Fellow and is currently preparing a new report oncommunications surveillance issues. The new report, scheduled forpublication in early May, will focus on the activities of the NationalSecurity Agency and the resulting civil liberties issues. The reportwill provide a suggested roadmap for proposed Congressional hearingsinto NSA activities.

The European Parliament report, "Interception Capabilities 2000" (inPDF format) is available at:
Four other reports in the same series on the "Development ofsurveillance technology and risk of abuse of economic information" areavailable at:

[4] Cyber Patrol Hackers Face Legal Proceedings

A federal judge in Boston issued a temporary restraining order onMarch 17, prohibiting further distribution on the Internet of aprogram that discloses a list of the sites that the filtering programCyber Patrol blocks and reveals the password that parents use toenable the filtering software. U.S. District Judge Edward F.
Harrington ordered the removal of the "cphack" program, created byMatthew Skala of Canada and Eddy L. O. Jansson of Sweden, and bannedits use by anyone working with the two cryptography experts. Theruling also bans further publication of the bypass codes and binariesby any other sites that may have obtained access to the information.

Mattel and a subsidiary, Microsystems Software Inc., which sellsCyber Patrol, filed suit against Skala and Jansson on March 15.
Microsystems claims that the pair violated U.S. copyright laws byreverse-engineering Cyber Patrol, which is prohibited in its licensingagreements, and then distributing the source code and binaries thatenable users to bypass the software's encryption scheme. Skala andJansson published the "cphack" program March 11 and provided adetailed description of their reverse-engineering methodology.

The "cphack" program reveals a list of more than 100,000 sites thatCyber Patrol deems unsuitable for children. Among the blocked sitesare all of the student organizations at Carnegie Mellon University andall journalism-related Usenet groups, as well as information aboutfeminism, chess and food. Cyber Patrol claims to protect childrenfrom sites containing violence, hate or pornography.

Another court hearing has been scheduled for March 27. No defenselawyers were present at the March 17 hearing.

For more information about filtering software and their free speechimplications, visit the homepage of the Internet Free ExpressionAlliance:

[5] Problems with Online Advertising Persist

Online profiling has not gone away.

While DoubleClick released a statement on March 2 vowing not to joinonline profiles to real-life identities, concerns about the company'stracking of Internet users have not ended. DoubleClick continues touse invisible images embedded in web pages, also referred to as "webbugs," to track users. The advertising company also continues tomaintain two separate websites -- the Internet Address Finder( and the Get Away From It All Sweepstakes site( -- both of which collect personal information. Inaddition, South Carolina Attorney General Charles Condon has joinedattorney generals from both Michigan and New York State ininvestigating DoubleClick's information collection and use practices.

Other online advertising companies have had to scale back their plansto personally identify online profiles as well. Online advertiser24/7 has voluntarily refused to capitalize on its capability to joinpersonal information to online profiles. As reported in the WallStreet Journal on March 20, several companies with online operationshave started to restrict information available to their advertisers.
Procter & Gamble, General Motors, and the Ford Motor Company have allstarted to limit the information transmitted to online advertisersDoubleClick, Real Media, and MatchLogic.

For more information about "web bugs" and online profiling, visitRichard Smith's page on Internet Privacy:

For archived news reports and an analysis of the DoubleClickcontroversy:

[6] EPIC Submits Comments on Legal Barriers to E-Commerce

On March 17, EPIC responded to the Department of Commerce's Requestfor Public Comment on Legal Barriers to Electronic Commerce.

In its submission, EPIC said that legally enforceable privacyprotections, the free use and availability of cryptography and theformation of international consumer protection standards would greatlypromote trust and confidence in electronic commerce and removebarriers to its full development. In its submission, EPIC argues thatin developing national policies in each of these three key areas, theU.S. Government should co-operate with its international partners andbe influenced by the sound principles set out in the relatedOrganization for Economic Co-Operation and Development (OECD)

The text of EPIC's response to the Department of Commerce is availableonline at:
The Request for Public Comment and submitted comments are availableat:
Copies of the OECD guidelines on privacy, cryptography, and consumerprotection in electronic commerce can be found at:

[7] EPIC Bookstore -- EPIC Publications

EPIC Publications:

"The Privacy Law Sourcebook: United States Law, International Law, andRecent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, as wellas a comprehensive listing of privacy resources.

"Filters and Freedom - Free Speech Perspectives on Internet ContentControls," David Sobel, editor (EPIC 1999). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"Cryptography and Liberty: An International Survey of CryptographyPolicy," Wayne Madsen and David Banisar, editors, (EPIC 1999). Price:

An international survey of encryption policies around the world. Surveyresults show that in the vast majority of countries, cryptography maybe freely used, manufactured, and sold without restriction, with theU.S. being a notable exception.

"Privacy and Human Rights 1999: An International Survey of Privacy Lawsand Developments," David Banisar, Simon Davies, editors, (EPIC 1999).
Price: $15.

An international survey of the privacy and data protection laws foundin 50 countries around the globe. This report outlines theconstitutional and legal conditions of privacy protection, andsummarizes important issues and events relating to privacy andsurveillance.

Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can beordered through the EPIC Bookstore:

[8] Upcoming Conferences and Events

***** Big Brother Awards Nominations ***** Awards to be presented atthe Computers, Freedom, and Privacy 2000 Conference in Toronto,
Canada. For more information and submission of nominees:

Is It Any of Your Business? Consumer Information, Privacy, and theFinancial Services Industry. Federal Deposit Insurance Corporation.
March 23, 2000. Seidman Center Auditorium. Arlington, VA. For moreinformation:
Privacy, Security & Confidentiality of Medical Records 2000: ComplyingWith New HIPAA Regulations. NonProfit Management. One Day Seminars.
Various Locations and Times. For more information:
Chief Privacy Officer (CPO) Program 2000. Privacy & American Business.
For more information:

Federal Trade Commission Advisory Committee on Online Privacy andSecurity. Series of Meetings. Federal Trade Commission Headquarters.
Washington, DC. For more information:

HIPAA Security and Privacy Requirements: A How To Blueprint forCompliance. MIS Training Institute. Two-day Seminars. VariousLocations and Times. For more information:
Call for Papers -- Freedom of Expression in the Information Age.
Stanford Journal of International Law. Deadline April 15, 2000. Formore information:

Access Act Reform: The Destruction of Records and Proposed Access ActAmendments. Riley Information Services. May 1, 2000. Westin Hotel.
Ottawa, Canada. For more information:

Entrust SecureSummit 2000. May 1-4, 2000. Hyatt Regency Dallas atReunion. Dallas, TX. For more information:
Call for Papers -- 16th Annual Computer Security ApplicationsConference. Deadline May 12, 2000. Sheraton Hotel. New Orleans, LA.
December 11-15, 2000. For more information:

Electronic Government: New Challenges for Public Administration andLaw. May 18, 2000. Center for Law, Public Administration, andInformatization of Tilburg University, Netherlands. For moreinformation:

Shaping the Network: The Future of the Public Sphere in Cyberspace.
Computer Professionals for Social Responsibility (CPSR). May 20-23,
2000. Seattle, WA. For more information:
Telecommunications: The Bridge to Globalization in the InformationSociety. Biennial Conference of the International TelecommunicationsSociety. July 2-5, 2000. For more information:
KnowRight 2000 - InfoEthics Europe. Austrian Computer Society andUNESCO. September 26-29, 2000. Vienna, Austria. For more information:
Privacy2000: Information and Security in the Digital Age. November 29,
2000. Adam's Mark Hotel. Columbus, Ohio. For more information:

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic PrivacyInformation Center. A Web-based form is available for subscribing orunsubscribing at:
To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or"unsubscribe".

Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interest researchcenter in Washington, DC. It was established in 1994 to focus publicattention on emerging privacy issues such as the Clipper Chip, theDigital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsoredby the Fund for Constitutional Government, a non-profit organizationestablished in 1974 to protect civil liberties and constitutionalrights. EPIC publishes the EPIC Alert, pursues Freedom of InformationAct litigation, and conducts policy research. For more information,
e-mail, or write EPIC, 666Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240(tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible. Checksshould be made out to "The Fund for Constitutional Government" and sentto EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for the rightof privacy and efforts to oppose government regulation of encryptionand expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 7.05


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback