
EPIC Alert


EPIC Alert 8.14 [2001] EPICAlert 14


Volume 8.14 July 31, 2001

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Privacy Groups File FTC Complaint About Windows XP
[2] Court Hears Arguments on Use of Secret Keystroke Monitor
[3] House Adopts Carnivore Reporting Requirements
[4] FBI Nominee Questioned on Computer Privacy Issues
[5] Groups Petition Agencies to Improve Financial Privacy
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - Striking a Balance: ePrivacy in the Workplace
[8] Upcoming Conferences and Events

[1] Privacy Groups File FTC Complaint About Windows XP

On July 26, EPIC and thirteen other public interest groups filed a formal complaint with the Federal Trade Commission regarding Windows XP, Microsoft's new operating system. The complaint alleges that this system and associated services such as Hailstorm, Passport, and E-Wallet, are intended to profile, track, and monitor millions of Internet users, and therefore Microsoft is engaging in unfair and deceptive trade practices in violation of Section 5 of the Federal Trade Commission Act.

The complaint examines in detail the privacy threats of Passport, Hailstorm, Hotmail, the MSN network of Web sites, and the product activation and registration procedures for Windows XP. It examines how each of these services collects and discloses detailed personal information about users without sufficient guarantees of privacy or security, and often without any real knowledge or consent. It demonstrates how Passport account information is shared among third party Web-sites; how Windows XP users are forced to create a Passport account to use Internet communications features (such as instant messaging); how Hailstorm essentially strips users of their right to control their personal information; how Hotmail users are automatically signed up for a Passport account without notice or even an opt-out facility; and how Microsoft misleads consumers when it says that information gathered through product activation will not be linked to personally identifiable information. The complaint concludes that the far-reaching and inter-connected nature of these Internet business activities, coupled with the extraordinary market dominance of Microsoft, constitutes a unique threat to the privacy of computer users.

In terms of relief, the complainants request the FTC to initiate an investigation into the information collection practices of Windows XP and other services, and to order Microsoft to revise XP registration procedures; to block the sharing of Passport information among Microsoft properties absent explicit consent; to allow users of Windows XP to gain access to Microsoft web sites without disclosing their actual identity; and to enable users of Windows XP to easily integrate services provided by non-Microsoft companies for online payment, electronic commerce, and other Internet-based commercial activity.

The complaint is available at:

[2] Court Hears Arguments on Use of Secret Keystroke Monitor

In a case that could have a significant impact on the conduct of high-tech police investigations, a federal judge in Newark, New Jersey heard arguments on July 30 on a motion to disclose information concerning the FBI's surreptitious installation of a "key logger" on a suspect's computer. The mechanism was used to capture the suspect's PGP encryption passphrase. In the first known case of its kind, the defense is seeking discovery that would allow analysis of the technique, which has only been described publicly as "specialized computer software, firmware and/or hardware." The government is vigorously opposing disclosure.

U.S. District Court Judge Nicholas Politan directed attorneys for defendant Nicodemo Scarfo, Jr. to file a supplemental brief addressing their need for information describing the secret technique by August 1; the government was ordered to respond by August 3.

The details are important for two reasons. First, the FBI installed the logger with a standard search warrant rather than a wiretap authorization. FBI pen register records, however, indicate that Scarfo accessed his online account numerous times while his computer was subject to monitoring. The defense argues that the logging mechanism must be evaluated to determine whether it could have captured online activity (which would have required a wiretap order).

The defense also argues that the technique may have violated the Fourth Amendment by facilitating a "general search." While the court order authorizing the installation specified that Scarfo's encryption passphrase was the target of the search, it appears that all information entered into the computer was subject to capture.

The technique employed in the case is similar to procedures that would have been authorized in legislation proposed by the Clinton Administration in 1999. The draft legislation, known as the Cyberspace Electronic Security Act (CESA), would have amended current law to authorize "the alteration of hardware or software that allows plaintext to be obtained even if attempts were made to protect it through encryption." The CESA proposal, which was dropped in the face of strong public opposition, would have given law enforcement officials the power to enter private premises surreptitiously to install a "recovery device." (See EPIC Alert 6.13).

Selected court documents on the Scarfo case are available at:

[3] House Adopts Carnivore Reporting Requirements

Following a recommendation made by EPIC last year in Congressional testimony, the House of Representatives has established new reporting requirements for the use of the Carnivore Internet surveillance device (also known as DCS 1000) and other similar systems by law enforcement agents. These requirements were outlined in an amendment offered by Rep. Bob Barr (R-GA), which passed as part of the Department of Justice's annual appropriations bill, H.R. 2215.

The Barr Amendment requires the Attorney General and the Director of the FBI to submit annual reports to Congress, detailing such information as the number of times Carnivore was used in the past fiscal year and the criteria and procedures for submitting, reviewing, and approving requests to use Carnivore.

Carnivore was developed to monitor e-mail and other online activities of suspected criminals. Privacy advocates argue that the system is too invasive, and fear that it grants the government too much power in monitoring citizens' private online activities by requiring Internet service providers to give law enforcement full access to their data traffic.

A spokesman for Rep. Dick Armey (R-TX) said that the legislation "sends a message [to the FBI] that Congress is watching and there will be accountability if this system is used."

The bill was referred to the Senate Judiciary Committee on July 24. If it passes the Senate, the Attorney General and the FBI Director will be required to submit their first report to Congress no later than 30 days after the end of Fiscal Year 2001.

For background information on Carnivore, see:

Proposed Carnivore reporting requirements, as specified in H.R. 2215:

[4] FBI Nominee Questioned on Computer Privacy Issues

The Senate Judiciary Committee today concluded the second and final day of hearings on the nomination of Robert S. Mueller to be the next Director of the FBI. Several days prior to the confirmation hearings, EPIC sent a letter to the Committee, urging it to question the nominee on his views on privacy and freedom of information issues. Several of the issues addressed in the letter were raised during the hearings.

On the first day of the confirmation hearings, in response to a question from Sen. Orrin Hatch (R-UT), Mr. Mueller laid out a four-tier hierarchy for the investigation of computer crimes. In priority order, Mr. Mueller said he would like to see the FBI focus most heavily on computer intrusions and denial of service attacks; theft of intellectual property and corporate espionage; fraud and child pornography; and finally, the theft of high-tech hardware.

On the second day of the hearings, Sen. Maria Cantwell (D-WA) directly asked Mr. Mueller about the FBI's high-tech investigative techniques and the potentially invasive implications of systems such as Carnivore and the FBI's "key logger" system (specifically referring to the Scarfo case). Mr. Mueller stated that the FBI's newest technological "investigative tools" are "cutting edge" and "second to none." He went on to say that the "rapid advances" of these investigative tools have led to "privacy concerns that we have to address." Stating that he is "sensitive to the concerns relating to privacy," Mr. Mueller noted that he has "already had meetings with privacy groups" concerning Carnivore and that he hopes that "technology overtakes the necessity for using" such systems in the future.

Committee Chairman Patrick Leahy (D-VT) picked up where Sen. Cantwell left off, questioning Mr. Mueller about the recent Supreme Court decision in Kyllo v. U.S., where the warrantless use of thermal imaging devices was found to violate the Fourth Amendment (see EPIC Alert 8.11). Mr. Mueller said that this was an area where "law enforcement needed guidance from the Supreme Court," although he pointed out that the Kyllo decision was "not a unanimous decision." Mr. Mueller went on to say that regarding issues "where there is a law enforcement tool, [and] there are privacy issues implicated . . . we do have to look at each of those issues and be cognizant of the privacy interests involved." The nominee said that in the future, he would like to "sit down and get the input from a number of different people with different concerns . . . [and be] responsive to those concerns and do so without the necessity of perhaps going to a court or a third party."

EPIC's letter to the Senate Judiciary Committee is available at:

[5] Groups Petition Agencies to Improve Financial Privacy

EPIC and a coalition of consumer and civil liberties groups have petitioned federal agencies to improve financial privacy protections under the Gramm-Leach-Bliley Act (GLBA). The petition requests that the agencies begin a new rulemaking to ensure that consumers receive clear and concise notice and convenient methods of opting-out of information sharing.

In recent months, consumers received GLBA privacy notices that contained information describing the opt-out process. However, the notices were often lengthy and difficult to read. Many employed language rife with double-negatives and confusing sentence structure. A study conducted by a readability expert concluded that most policies were written at a third or fourth-year college reading level. As a result of confusing privacy notices and the burden placed on consumers by opt-out mechanisms, the American Banking Association has estimated that less than one percent of consumers have opted-out under the GLBA.

In order to inform consumers fully of their rights and to encourage opting-out, the petition suggests specific language to clarify rights and mechanisms that will facilitate opting out. EPIC will continue to follow developments surrounding the GLBA and financial privacy, and advocate the adoption of an opt-in standard for privacy.

Coalition Petition to Federal Agencies to Improve GLBA Privacy Requirements:

[6] EPIC Bill-Track: New Bills in Congress


H.R.2215 21st Century Department of Justice Appropriations Authorization Act. To authorize appropriations for the Department of Justice for fiscal year 2002, and for other purposes. Sponsor: Rep Sensenbrenner, F. James, Jr. (R-WI). Latest Major Action: 7/24/2001 Referred to Senate committee: House Judiciary; Senate Judiciary

S.1215 Departments of Commerce, Justice, and State, the Judiciary, and Related Agencies Appropriations Act, 2002. An original bill making appropriations for the Departments of Commerce, Justice, and State, the Judiciary, and related agencies for the fiscal year ending September 30, 2002, and for other purposes. Sponsor: Sen Hollings, Ernest F. (D-SC). Latest Major Action: 7/20/2001 Placed on Senate Legislative Calendar under General Orders. Calendar No. 95. Committees: Senate Appropriations.

S.1234. A bill to amend title 18, United States Code, to provide that certain sexual crimes against children are predicate crimes for the interception of communications, and for other purposes. Sponsor: Sen Hatch, Orrin G. (R-UT). Latest Major Action: 7/25/2001 Referred to Senate committee: Senate Judiciary.

S.1242. A bill to amend the Fair Credit Reporting Act to provide for disclosure of credit-scoring information by creditors and consumer reporting agencies. Sponsor: Sen Schumer, Charles E. (D-NY). Latest Major Action: 7/25/2001 Referred to Senate committee: Senate Banking, Housing, and Urban Affairs.

EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills in the 107th Congress, is available at:

[7] EPIC Bookstore - Striking a Balance: e-Privacy in the Workplace

Striking a Balance: e-Privacy in the Workplace by the Business for Social Responsibility Education Fund

With the American Management Association finding that nearly 3/4 of major businesses monitor their employees, the Business for Social Responsibility Education Fund has released a report arguing that employers should accommodate workers' privacy. The report finds that not accommodating privacy in the workplace can result in a lack of employee trust, creativity, and health. Accordingly, the study recommends that employers accommodate some fundamental privacy rights for their employees. These include notice, employee participation in drafting a monitoring policy, and employee access to information collected under the policy.

EPIC Publications:

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls," (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Privacy & Human Rights 2000: An International Survey of Privacy Laws and Developments," David Banisar, author (EPIC 2000). Price: $20.

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

"The Privacy Law Sourcebook 2000: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore:

[8] Upcoming Conferences and Events

Healthcare Transactions and Code Sets, Privacy, Data Security and HIPAA/GLB Compliance: The Future of Technology, the Internet and EDI in Healthcare. The Health Colloquium at Harvard and the HIPAA Summit Conference Series. August 19-22, 2001. Cambridge, MA. For more information:

The Broadband Economy: The Emerging Market System in Bandwidth. Columbia Institute for Tele-Information (CITI). September 14, 2001. New York, NY. For more information:

Key Drivers for 3G Wireless: Will 3G Deliver its Promise? Columbia Institute for Tele-Information (CITI). September 20, 2001. New York, NY. For more information:

Health Information Privacy: Dialogue with the Stakeholders. Riley Information Services, Inc. September 28, 2001. Ottawa, Canada. For more information:

Call For Submissions - August 3, 2001. Workshop on Security and Privacy in Digital Rights Management 2001. Eighth Association for Computing Machinery (ACM) Conference on Computer and Communications Security. November 5, 2001. Philadelphia, PA. For more information:

Privacy2001: Information, Security & Ethics for the New Century. Technology Policy Group. October 3-4, 2001. Cleveland, OH. For more information:

Privacy: The New Management Imperative - Chief Privacy Officer Training Program. Southern Methodist University and Privacy Council. October 15-17, 2001. Dallas, TX. For more information:

Nurturing the Cybercommons, 1981-2001. Computer Professionals for Social Responsibility (CPSR) 20th Annual Meeting. October 19-21, 2001. Ann Arbor, MI. For more information:

The Third National HIPAA Summit: From Theory to Practice - From Planning to Implementation. October 24-26, 2001. Washington, DC. For more information:

The 29th Research Conference on Communication, Information and Internet Policy. Telecommunications Policy Research Conference. October 27-29, 2001. Alexandria, VA. For more information:

The 8th Annual Centre for Applied Cryptographic Research (CACR) Information Security Workshop: The Human Face of Privacy Technology. University of Waterloo and Information and Privacy Commission/Ontario. November 1-2, 2001. Toronto, Ontario. For more information:

Privacy: The New Management Imperative - Chief Privacy Officer Training Program. Cambridge University and Privacy Council. November 5-8, 2001. Cambridge, England. For more information:

Learning for the Future. Business for Social Responsibility's Ninth Annual Conference. November 7-9, 2001. Seattle, WA. For more information:

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact if you have any other questions.

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail, or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 8.14

