WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2001 >> [2001] EPICAlert 15

Database Search | Name Search | Recent Alerts | Noteup | LawCite | Help

EPIC Alert 8.15 [2001] EPICAlert 15 (17 August 2001)




EPIC ALERT




Volume 8.15 August 17, 2001

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_8.15.html

Table of Contents



[1] Groups Update Microsoft XP and Passport Complaint
[2] EPIC Challenges Adequacy of FBI Search for Carnivore Documents
[3] Court Orders Report on Use of Secret Keystroke Monitor
[4] Judiciary Protects Privacy of Electronic Court Filings
[5] Tampa Narrowly Approves Face Recognition Spy Cameras
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - In Code: A Mathematical Journey
[8] Upcoming Conferences and Events


[1] Groups Update Microsoft XP and Passport Complaint


EPIC and a coalition of 13 civil liberties and consumer advocacygroups have filed a supplement to a complaint filed last month withthe Federal Trade Commission (FTC). The supplement adds toallegations that Microsoft has engaged in unfair and deceptive tradepractices by linking the Passport identification and authenticationsystem to the Windows XP operating system. The submission includesadditional information regarding technical flaws in the Passportdesign and contains allegations that the system is not compliant withthe Children's Online Privacy Protection Act (COPPA).

The new filing also addresses recent changes that Microsoft has madeto the Passport system. In the wake of the earlier FTC complaint,
Microsoft reduced the amount of information required to register forPassport. However, the system still requires that users identify theire-mail address, country, state, and zip code. Since e-mail addressesare personally identifiable, this change does not address privacyrisks presented by the creation of a centralized database ofindividuals' information. Microsoft also asserts that the integrationof the Platform for Privacy Preferences (P3P) will increase privacyprotections in Internet Explorer 6. The supplement addresses thisissue, demonstrating that P3P does not address even basic FairInformation Practices such as access and security.

The complaint identifies flaws in Kids Passport and asserts thatinvestigation is warranted into whether the system is compliant withCOPPA. Microsoft has not complied with the most basic requirements ofthe children's privacy law, such as presenting a prominent link to aprivacy policy for sites targeted to children. In addition, the KidsPassport system unnecessarily collects personal information fromchildren. Other popular children's sites collect only a username andpassword. However, Microsoft continues to require a personally-
identifiable e-mail address from children.

A number of other privacy risks associated with the Passport systemare addressed in the supplement. For instance, Passport does notallow users to delete their personal information from the system.
Passport also has a privacy policy that is subject to change at thewhim of Microsoft. The absence of strong privacy protection, coupledwith the risks inherent in centrally storing millions of users'
personal information, could likely result in severe privacyviolations.

EPIC and the other groups allege that Microsoft's guarantees ofprivacy and security in light of these flaws constitutes a violationof federal consumer protection law. The supplement concludes with arequest for an investigation into Microsoft and an injunction againstMicrosoft to prevent further unfair and deceptive practices.

Supplemental Materials in Support of Pending Complaint and Request forInjunction, Request for Investigation and for Other Relief:

http://www.epic.org/privacy/consumer/MS_complaint2.pdf
Original complaint to the FTC alleging unfair and deceptive tradepractices:

http://www.epic.org/privacy/consumer/MS_complaint.pdf


[2] EPIC Challenges Adequacy of FBI Search for Carnivore Documents


In motion papers filed in U.S. District Court in Washington on August9, EPIC asserts that the FBI has violated the Freedom of InformationAct (FOIA) by conducting an inadequate search for internal recordsconcerning the controversial Carnivore surveillance system. EPIC'ssubmission alleges that the Bureau failed to seek relevant documentsfrom various legal and policy offices likely to possess information onCarnivore, and requests discovery designed to fully examine theadequacy of the document search.

EPIC filed suit against the FBI and the Justice Department over a yearago, after the agencies failed to respond to a request to expedite theprocessing of documents relating to Carnivore. The FBI subsequentlyagreed to expedite its search (which otherwise would have takenseveral years), and made its "final" release of documents in January2001. Since that time, the Bureau has prepared an itemized accountingof withheld material in support of a motion for summary judgment,
which was filed on August 1. The accounting indicates thatapproximately 2000 pages of material were located at two Bureaucomponents -- the Electronic Surveillance Technology Section (ESTS) inQuantico, Virginia, and the Contracts Unit at FBI Headquarters -- butno other locations.

In support of its motion, EPIC cites the Congressional testimony ofseveral FBI and Justice Department officials who stated that Carnivorehad been the subject of substantial "internal review" within the FBIand DOJ, and that the two agencies had "briefed many members of theCongressional staff" prior to Carnivore's public exposure. Despitethat testimony, the FBI has failed to account for any documentsrelating to such internal reviews or staff briefings. In fact, thereleased documents deal only with technical aspects of Carnivore,
rather than the legal and policy implications of the surveillancetechnique. EPIC notes in its motion that no documents have yet beenlocated at key FBI and DOJ components, including the FBI's Office ofGeneral Counsel.

The FBI's report on the results of its search effort leads to only twopotential conclusions. Either the Bureau has failed to meet its legalobligation under FOIA to conduct a comprehensive search for relevantdocuments, or the agency never evaluated the legal and policyimplications of the Carnivore system before it was deployed.

More information on EPIC's Carnivore FOIA litigation, including therecent challenge to the FBI's document search, is available at:

http://www.epic.org/privacy/carnivore/



[3] Court Orders Report on Use of Secret Keystroke Monitor


In the first case of its kind, a federal court in New Jersey hasordered the FBI to disclose information concerning the surreptitiousinstallation of a keystroke monitor used to capture a suspect's PGPencryption passphrase. In an order issued on August 7, U.S. DistrictJudge Nicholas Politan directed the government to produce a report"detailing how the key logger device functions" by August 31. Todate, the technique has only been described publicly as "specializedcomputer software, firmware and/or hardware." The government hasvigorously opposed disclosure of any specific details.

Judge Politan said he "harbors serious concerns" about the legality ofthe FBI's use of the system, noting that the information provided bythe government thus far is so sketchy that understanding the technique"defies the human experience of this Court." He continued:

In this new age of rapidly evolving technology, the court cannot make a determination as to the lawfulness of the government's search ... without knowing specifically how the search was effectuated. This requires an understanding of how the key logger device functions. In most, if not all search and seizure cases, the court ... understands the particular method by which the search is executed. ...
Because of the advanced technology used the Court does not have the benefit of such an understanding.

The government had argued that revealing the details of the systemwould jeopardize national security and endanger FBI personnel. In anaffidavit filed with the court, Donald Kerr, the director of the FBIlaboratory, said "there are only a limited number of effectivetechniques available to the FBI to cope with encrypted data, one ofwhich is the 'key logger system.'" If investigative targets learn howthe system works, they could circumvent it, he said.

Selected court documents on the Scarfo case, including Judge Politan'sAugust 7 order, are available at:

http://www.epic.org/crypto/scarfo.html


[4] Judiciary Protects Privacy of Electronic Court Filings


The Judicial Conference Committee on Court Administration and CaseManagement has released a recommended policy on electronic access tocourt files. The recommendation includes many protections to enhanceindividuals' privacy with respect to personal identifiers that appearin case files. These identifiers, including Social Security numbers(SSNs), dates of birth, and financial account numbers, are regularlymined by information brokers who sell the information to privateinvestigators, law enforcement, and others.

The recommended policy includes provisions for notice to litigants ofthe Internet accessibility of their case files and the need to redactcertain information through the use of court process. Civil casefiles will be redacted for personal data identifiers, including SSNs,
dates of birth, financial account numbers, and names of minorchildren. The Judicial Conference committee decided to delaydevelopment of public remote access to documents in criminal cases, asaccessibility to these documents present safety and law enforcementrisks. The body will re-examine the treatment of criminal case filesin the upcoming two years. In regards to bankruptcy cases, thecommittee recommended redaction of the SSN and account numbers. Inaddition, the body recommended an amendment to bankruptcy statutes toallow for more liberal sealing of cases.

Many of the committee's recommendations had been suggested in EPIC'sformal comments filed with the Judicial Conference and testimonypresented to the committee with oversight of electronic case filesearlier this year. EPIC recommended that certain sensitive personalinformation should be redacted from civil case files. Court officersand litigants in civil cases would have access to the complete file.
In the context of criminal cases, the public would have access to theindictment and final disposition of the court. However,
pre-indictment information, unexecuted warrants, and presentencereports would be limited to court officers and parties. In thecontext of bankruptcy files, EPIC advocated a system where sensitiveinformation would be segregated and collected on separate formsprotected from public access.

In September, the full Judicial Conference will meet and consider thepolicy and its recommendations.

Report on Privacy and Public Access to Electronic Case Files:

http://www.uscourts.gov/Press_Releases/att81501.pdf
EPIC's comments on electronic public access to case files:

http://www.epic.org/open_gov/ecfcomments.html


[5] Tampa Narrowly Approves Face Recognition Spy Cameras


On August 2, 2001, the City Council of Tampa, Florida voted 4-3against a motion requesting that the city terminate its contract withVisionics, makers of the "Face-It" face recognition software installedin cameras in the Ybor City district. The vote allows the city tocontinue using the Visionics system, which scans the faces of peoplein public areas and compares facial features to those stored in adatabase of mugshots.

Earlier this year, face recognition technology was surreptitiouslyused to scan faces in this year's Super Bowl crowd. Since then, therehas been much public opposition to the technology and other relatedmethods of surveillance, in Tampa and elsewhere. Ever since June,
when the software and cameras were first installed in Ybor City, manypeople have protested this technology by wearing masks and makingobscene gestures in front of the cameras.

Other U.S. cities have also been considering incorporating facerecognition technology as one of their law enforcement techniques. Thecity of Virginia Beach recently received a $150,000 grant from theVirginia Department of Criminal Justice Services and is now seeking anadditional $50,000 from taxpayers to put towards the installation ofthis software at the oceanfront. Virginia Beach police are especiallyinterested in using the technology to find criminals with outstandingwarrants, sex offenders, and missing children.

Opposition and privacy issues associated with the technology havecaused public officials to be reticent about using it. The Tampa CityCouncil vote was not unanimous by any means, nor have public officialsin Virginia Beach shown strong support for installing face recognitiontechnology in their city. Use of the technology was also consideredbut ultimately rejected by the organizers of the 2002 Winter Olympicsin Salt Lake City, Utah.

One of the main privacy issues raised by face recognition technologyis that there is no regulation for how captured data is stored; whohas access to the information; and how long it is kept in the system.
Without regulation, those with access to the system have the potentialto abuse information in the system without accountability. A numberof privacy groups and the International Biometric Group (an industrygroup) have advocated protections in law for this data.

For the latest news and information on face recognition and relatedsurveillance technology, see:

http://www.epic.org/privacy/facerecognition/



[6] EPIC Bill-Track: New Bills in Congress


*House*

H.R.2615 Patient Privacy Act of 2001. To repeal sections 1173(b) and1177(a)(1) of the Social Security Act, and for other purposes.
Sponsor: Rep Paul, Ron (R-TX). Latest Major Action: 7/24/2001 Referredto House committee: House Ways and Means; House Government Reform.

H.R.2680 To authorize the grant program for elimination of thenationwide backlog in analyses of DNA samples at the level necessaryto completely eliminate the backlog and obtain a DNA sample from everyperson convicted of a qualifying offense. Sponsor: Rep Andrews, RobertE. (D-NJ). Latest Major Action: 7/31/2001 Referred to House committee:
House Judiciary.

H.R.2720 To amend the privacy provisions of the Gramm-Leach-BlileyAct.. Sponsor: Rep Markey, Edward J. (D-MA). Latest Major Action:
8/2/2001 Referred to House committee: House Financial Services.

H.R.2730 To amend the Gramm-Leach-Bliley Act to provide for uniformnational financial privacy standards for financial institutions, andfor other purposes. Sponsor: Rep Sessions, Pete (R-TX). Latest MajorAction: 8/2/2001 Referred to House committee: House FinancialServices.

H.R.2738 To amend title 5, United States Code, to clarify that allprotections offered under the Freedom of Information Act and PrivacyAct apply to members of the uniformed services to the same extent andin the same manner as to any other individual. Sponsor: Rep Boucher,
Rick (D-VA). Latest Major Action: 8/2/2001 Referred to Housecommittee: House Government Reform.

H.R.2752 To protect school web pages from fraud and related activity.
Sponsor: Rep Ferguson, Mike (R-NJ). Latest Major Action: 8/2/2001Referred to House committee: House Judiciary.

H.R.2778 To protect ability of law enforcement to effectivelyinvestigate and prosecute illegal gun sales and protect the privacy ofthe American people. Sponsor: Rep McCarthy, Carolyn (D-NY). LatestMajor Action: 8/2/2001 Referred to House committee: House Judiciary.

*Senate*

S.1253 Gun Sale Anti-Fraud and Privacy Protection Act. A bill toprotect ability of law enforcement to effectively investigate andprosecute illegal gun sales and protect the privacy of the Americanpeople. Sponsor: Sen Schumer, Charles E. (D-NY). Latest Major Action:
7/26/2001 Referred to Senate committee: Senate Judiciary.

S.1276 To provide for the establishment of a new counterintelligencepolygraph program for the Department of Energy, and for otherpurposes. A bill to provide for the establishment of a newcounterintelligence polygraph program for the Department of Energy,
and for other purposes. Sponsor: Sen Domenici, Pete V. (R-NM). LatestMajor Action: 7/31/2001 Referred to Senate committee: Senate ArmedServices.


EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Billsin the 107th Congress, is available at:

http://www.epic.org/privacy/bill_track.html


[7] EPIC Bookstore - In Code: A Mathematical Journey


In Code: A Mathematical Journey, by Sarah Flannery with David Flannery
http://www.powells.com/cgi-bin/partner?partner_id=24075&cgi=search/
search&searchtype=isbn&searchfor=0761123849
In this remarkable book, Sarah Flannery, an Irish cryptographer,
mathematician, and teenager, writes about a ground-breaking encryptionsystem that she developed, called the Cayley-Purser algorithm. Thesystem, which is a fast and secure public-key encryption system forencoding data on the Internet, won Sarah the Irish Young Scientist ofthe Year award in 1999, when she was just 16. A security flaw hassince been identified in the system; however, this only caused Sarahto work harder and conduct further research to try to find a patch forthe flaw.

"In Code" has been described as a fresh, modest, and inspiring accountof a mathematical education that offers many insights intocryptography. Sarah interweaves mathematical puzzles with a personalnarrative, making her story intellectual, engaging, and adventurous.



EPIC Publications:

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls," (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.



"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.



"Privacy & Human Rights 2000: An International Survey of Privacy Lawsand Developments," David Banisar, author (EPIC 2000).
Price: $20. http://www.epic.org/phr/

This survey, by EPIC and Privacy International, reviews the state ofprivacy in over fifty countries around the world. The survey examinesa wide range of privacy issues including, data protection, telephonetapping, genetic databases, ID systems and freedom of informationlaws.



"The Privacy Law Sourcebook 2000: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2000).
Price: $40. http://www.epic.org/pls/

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.



"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.



Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can beordered through the EPIC Bookstore: http://www.epic.org/bookstore/



[8] Upcoming Conferences and Events


Healthcare Transactions and Code Sets, Privacy, Data Security andHIPAA/GLB Compliance: The Future of Technology, the Internet and EDIin Healthcare. The Health Colloquium at Harvard and the HIPAA SummitConference Series. August 19-22, 2001. Cambridge, MA. For moreinformation: http://www.ehc-info.com/

Call for Committee Nominations - September 7, 2001. Study on Privacyin the Information Age. National Research Council, Computer Scienceand Telecommunications Board. For more information:
http://www.cstb.org/

The Broadband Economy: The Emerging Market System in Bandwidth.
Columbia Institute for Tele-Information (CITI). September 14, 2001.
New York, NY. For more information: http://www.citi.columbia.edu/

Privacy Compliance. UC Berkeley Extension. September 18, 2001. SanFrancisco, CA. For more information:
http://www.unex.berkeley.edu/eng/br350/3-1.html
Key Drivers for 3G Wireless: Will 3G Deliver its Promise? ColumbiaInstitute for Tele-Information (CITI). September 20, 2001. New York,
NY. For more information: http://www.citi.columbia.edu/

WorkSurv: A Seminar on the Technical, Legal & Business Issues ofWorkplace Surveillance. Privacy Foundation. September 25, 2001.
Denver, CO. For more information:
http://www.privacyfoundation.org/worksurv.asp
Health Information Privacy: Dialogue with the Stakeholders. RileyInformation Services, Inc. September 28, 2001. Ottawa, Canada. Formore information: http://www.rileyis.com/seminars/

Privacy2001: Information, Security & Ethics for the New Century.
Technology Policy Group. October 3-4, 2001. Cleveland, OH. For moreinformation: http://www.privacy2000.org/

Call for Proposals - October 15, 2001. CFP 2002: The TwelfthConference on Computers, Freedom & Privacy. April 16-19, 2002. SanFrancisco, CA. For more information: http://www.cfp2002.org/

Privacy: The New Management Imperative - Chief Privacy OfficerTraining Program. Southern Methodist University and Privacy Council.
October 15-17, 2001. Dallas, TX. For more information:
http://execdev.cox.smu.edu/

Nurturing the Cybercommons, 1981-2021. Computer Professionals forSocial Responsibility (CPSR) 20th Anniversary Conference and WienerAward Dinner. October 19-21, 2001. Ann Arbor, MI. For moreinformation: http://www.cpsr.org/

The New HIPAA Privacy Rule: Guiding Your Clients Through theImplementation Process. Practising Law Institute. October 24, 2001.
New York, NY. For more information: http://www.pli.edu/

The Third National HIPAA Summit: From Theory to Practice - FromPlanning to Implementation. October 24-26, 2001. Washington, DC. Formore information: http://www.hipaasummit.com/

The 29th Research Conference on Communication, Information andInternet Policy. Telecommunications Policy Research Conference.
October 27-29, 2001. Alexandria, VA. For more information:
http://www.tprc.org/

The 8th Annual Centre for Applied Cryptographic Research (CACR)
Information Security Workshop: The Human Face of Privacy Technology.
University of Waterloo and Information and Privacy Commission/Ontario.
November 1-2, 2001. Toronto, Ontario. For more information:
http://www.cacr.math.uwaterloo.ca/

Workshop on Security and Privacy in Digital Rights Management 2001.
Eighth Association for Computing Machinery (ACM) Conference onComputer and Communications Security. November 5, 2001. Philadelphia,
PA. For more information: http://www.star-lab.com/sander/spdrm/

Privacy: The New Management Imperative - Chief Privacy OfficerTraining Program. Cambridge University and Privacy Council. November5-8, 2001. Cambridge, England. For more information:
kturnerprivacycouncil.com
Learning for the Future. Business for Social Responsibility's NinthAnnual Conference. November 7-9, 2001. Seattle, WA. For moreinformation: http://www.bsr.org/events/2001.asp
Information Operations: Applying Power in the Information Age. Jane'sInformation Group. November 14-15, 2001. Washington, DC. For moreinformation:
http://www.janes.com/security/conference/info_op/info_op.shtml
Call for Papers - December 1, 2001. 11th Annual EICAR & 3rd EuropeanAnti-Malware Conference. European Institute for Computer Anti-VirusResearch (EICAR). June 8-11, 2002. Berlin, Germany. For moreinformation: http://conference.eicar.org/


Subscription Information


The EPIC Alert is a free biweekly publication of the ElectronicPrivacy Information Center. A Web-based form is available forsubscribing or unsubscribing at:

http://www.epic.org/alert/subscribe.html
To subscribe or unsubscribe using email, send email toepic-newsepic.org with the subject: "subscribe" (no quotes) or"unsubscribe".

Back issues are available at:

http://www.epic.org/alert/


Privacy Policy


The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email addressfrom this list, please follow the above instructions under"subscription information". Please contact infoepic.org if you haveany other questions.


About EPIC


The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information,
e-mail infoepic.org, http://www.epic.org or write EPIC, 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online athttp://www.guidestar.org/aol/search/report/report.adp?ein=52-2225921
Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 8.15


.


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.worldlii.org/int/journals/EPICAlert/2001/15.html