Volume 8.21 October 24, 2001
Anti-Terrorism Legislation Nears Final Passage
Groups Urge FTC to Take Action on Microsoft XP
White House Supports "Cyber Security" FOIA Exception
Policy Briefing: Security or Surveillance?
Three Big Online Firms to Use Controversial Rating System
EPIC Bill-Track: New Bills in Congress
EPIC Bookstore - The Dream Machine
Upcoming Conferences and Events
In a 357-66 vote, the House approved a "compromise" version of anti-terrorism legislation early on Wednesday, October 24. The new version of the bill, which is expected to be taken up by the Senate later Wednesday or Thursday, was negotiated by a House-Senate conference committee in a process begun last week to reconcile the differences between the House and Senate versions of the legislation. The bill is likely to be on the President's desk by the end of the week.
The new bill imposes a four-year sunset provision on its electronic surveillance amendments, whereas provisions of the original House version expired after five years and the Senate version did not contain a sunset provision. In addition, the compromise anti-terrorism bill contains an amendment included by House Majority Leader Richard Armey (D-Texas) requiring an audit trail when a device such as Carnivore is used under pen register/trap and trace authority. This small victory, which EPIC had earlier advocated, will permit some judicial oversight of the FBI's controversial Carnivore device.
The House had voted (337-79) on October 15 to substitute a modified version of the Senate bill, H.R. 3108, in place of its own bipartisan measure, H.R. 2975, which included more civil liberties protections. This vote took place one day after the Senate voted 96-1 to approve S. 1510, the Uniting and Strengthening America (USA) Act, which significantly expanded government surveillance authority, reduced judicial oversight, and created a wide range of new terrorist crimes, including computer hacking (see EPIC Alert 8.20). A House-Senate conference to reconcile the two versions, originally scheduled to take place October 17, was concluded this week despite the anthrax-related shutdown that has frozen much of the activity on Capitol Hill.
The legislation covers an array of terrorism-related issues such as changes in immigration and detention laws, but the surveillance and wiretap amendments received the most congressional and public attention.
Text of Senate anti-terrorism bill (S. 1510):
Text of House anti-terrorism bill (H.R. 3108):
EPIC's analysis of the original Justice Department proposal, the Anti-Terrorism Act (ATA) of 2001:
EPIC and a coalition of consumer and privacy organizations have renewed their calls for Federal Trade Commission action to protect consumers from the privacy risks associated with Windows XP and Passport. In a letter sent to the FTC, the organizations criticized the Commission for not upholding its statutory duty to protect consumers in light of the planned release of Windows XP on October 25. Since August, when the organizations last submitted information to the FTC detailing numerous privacy issues associated with XP and Passport, the agency has taken no public action to protect consumers.
The letter was addressed to Timothy Muris, the new FTC Chairman, who recently announced that the agency would no longer advocate that legislation was necessary to protect consumers' privacy. However, under the Federal Trade Commission Act, the agency is charged with protecting consumer interests, and specifically with preventing unfair or deceptive practices in commerce.
The letter supplements the earlier FTC filings with a list of major Microsoft security lapses that have endangered users' privacy and security. These security lapses further support the claims made in earlier filings that Microsoft has misled consumers by making representations that Passport will increase user privacy and security. The letter also notes that despite a series of serious security breaches at Microsoft, the Windows XP operating system will request that users obtain a Passport for the first six attempts in connecting to the Internet.
The letter, which was also sent to key legislative oversight committees, emphasizes the remedies sought in the original findings and further requests that the FTC "disgorge any personal information collected fraudulently and deceptively through XP and Passport."
Letter to Timothy Muris urging action on Windows XP and Passport:
EPIC Page on Microsoft Passport:
President Bush reportedly will support legislative proposals to withhold "cyber security" information from disclosure under the Freedom of Information Act (FOIA). Such protection has long been sought by private companies that have been unwilling to share with the government information concerning computer system vulnerabilities. Open government advocates have opposed such legislation, noting that existing FOIA exemptions already protect such material from disclosure if the affected company considers it confidential.
In a letter to the chairman of the National Security and Telecommunications Advisory Committee (NSTAC), Bush said he will "support a narrowly crafted exception ... to protect information about corporations' and other organizations' vulnerabilities to information warfare and malicious hacking." The letter was obtained by the Associated Press, and appears to be a response to a letter the NSTAC chair sent to the President in June, lobbying for an FOIA exception for "critical infrastructure protection" data. NSTAC, echoing a frequent industry request, also urged support for a limitation on "potential legal liabilities" that might result from disclosures of information revealing vulnerabilities in computer systems. Bush apparently has not taken a position on the liability issue. The June NSTAC letter was recently obtained by EPIC pursuant to a request under the Federal Advisory Committee Act.
Administration support for the "cyber security" provision came less than a week after Attorney General John Ashcroft directed federal agencies to review more closely decisions to release documents under the FOIA. In a memorandum issued on October 12, Ashcroft announced that the Justice Department will defend in court agency decisions to withhold information if there is a "sound legal basis" for the withholding. Under the previous policy issued by former Attorney General Reno in 1993, DOJ would only defend agency withholding decisions if they sought to prevent a "foreseeable harm" that would result from disclosure.
The NSTAC correspondence to the President on "cyber security" is available at:
EPIC's Congressional testimony on proposed legislation to exempt "cyber security" data from the FOIA is available at:
Attorney General Ashcroft's memorandum on FOIA policy is available at:
On Monday, October 22, EPIC and the Privacy Foundation sponsored a policy briefing at the National Press Club in Washington, D.C. to explore the implications of new systems for identification and tracking on personal privacy. Questions considered included the reliability of face recognition technology, the limitations of national ID cards, and the potential for regulating future identification technology.
John Woodward, a senior policy analyst at the RAND Corporation, spoke on recent developments in biometrics and facial recognition technology, noting several difficulties with current face recognition systems.
Richard Smith, Chief Technology Officer of the Privacy Foundation, focused his comments on a technical evaluation of the leading face recognition software made by Visionics, called "FaceIt," demonstrating the weaknesses in the system by showing that it could not correctly correlate two pictures of a suspected terrorist.
Marc Rotenberg, the event's moderator, played a five-minute audio track, found on the Oracle website, of Larry Ellison's argument for a National ID card, placing an image of Mr. Ellison in front of the speaker's podium. Ellison said, "We have been so busy protecting ourselves against our government, we have made it impossible for our government to protect us . . . . [we must give law enforcement] the tools -- like databases and ID cards -- and the latitude to protect us. And if we do, our liberties and our lives will be saved together."
Robert Ellis Smith, editor of the Privacy Journal and an expert on the history of national ID cards, concentrated his comments on two areas of concern: the purpose of national ID cards, and the intrusion of a national ID card requirement on personal privacy.
Whitfield Diffie, Distinguished Engineer at Sun Microsystems, was less skeptical of the potential for face recognition technology to improve dramatically. He predicted that, in the next 10 years, we would become accustomed to a society with "ubiquitous recognition," where every storekeeper and government official would have access to a database with face scans to obtain the identities of individuals with whom they are interacting. He was also skeptical about the role of policy to regulate the multiple private and public uses of such technology.
Jeffrey Rosen, law professor at George Washington law school and legal affairs editor at the New Republic, emphasized the critical role of regulation in controlling the significant expansion of government power through technology, referring to his experiences in surveying England's use of face recognition technology to show the wide potential for misuse of such a system.
Additional panels and briefings on related topics are expected to be held at the Press Club in the coming weeks.
Details of Richard Smith's tests on facial recognition systems:
"A Cautionary Tale for a New Age of Surveillance." Jeffrey Rosen, New York Times Magazine, October 7, 2001:
EPIC's face recognition page:
Three of the largest online companies -- America Online, Microsoft's MSN and Yahoo -- announced on October 23 that they will use a controversial rating system to label content on their websites. The system, developed by the Internet Content Rating Association (ICRA), encourages content providers to rate their online material using a set of uniform labels "to allow or disallow access to websites based on the information declared in the label." Previous efforts to promote the system have been unsuccessful, partly due to the fact that a browser configured to display only sites bearing labels would deny access to the vast majority of online content (which is not labeled).
Despite ICRA's claim that its rating system enjoys "broad support from ... the First Amendment community," it and similar systems have long been opposed by free expression advocates. One of the objections to rating schemes has been the belief that such systems, although touted as a means of preventing government regulation of online content, are in fact likely to facilitate official censorship. When the Bertelsmann Foundation in Germany proposed an international rating system in 1999, members of the Global Internet Liberty Campaign (GILC) pointed out the danger of such a proposal:
First, the existence of a standardized rating system for Internet content -- with the accompanying technical changes to facilitate blocking -- would allow governments to mandate the use of such a regime. By requiring compliance with an existing ratings system, a state could avoid the burdensome task of creating a new content classification system while defending the ratings protocol as voluntarily created and approved by private industry. ...
Second, the imposition of civil or criminal penalties for "mis-rating" Internet content is likely to follow any widespread deployment of a rating and blocking regime. A state-imposed penalty system that effectively deters misrepresentations would likely be proposed to facilitate effective "self-regulation."
According to ICRA, the "ICRAfilter" (which recognizes labels and blocks content accordingly) will be released in spring 2002 and will work on all versions of Windows from '95 upward and will operate independently of any browser.
ICRA's October 23 press release is available at:
The GILC statement on Internet rating systems is available at:
EPIC's publication, "Filters & Freedom 2.0: Free Speech Perspectives on Internet Content Controls," is available at:
H.R.3108 USA Act of 2001. To deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and for other purposes. Sponsor: Rep Sensenbrenner, F. James, Jr. (R-WI). Latest Major Action: 10/11/2001 Passed/agreed to in Senate: Passed Senate without amendment by Yea-Nay Vote. 96 - 1. Record Vote Number: 302.
H.R.3120 Airline Check for Terrorist Act. To provide for a study on the feasibility of giving airlines access by computer to lists of suspected terrorists. Sponsor: Rep Keller, Ric (R-FL). Latest Major Action: 10/12/2001 Referred to House committee: House Judiciary.
H.R.3129 Customs Border Security Act of 2001. To authorize appropriations for fiscal years 2002 and 2003 for the United States Customs Service for antiterrorism, drug interdiction, and other operations, for the Office of the United States Trade Representative, for the United States International Trade Commission, and for other purposes. Sponsor: Rep Crane, Philip M. (R-IL). Latest Major Action: 10/16/2001 Referred to House committee: House Ways and Means.
H.R.3146 Netizens Protection Act of 2001. To restrict the transmission of unsolicited electronic mail messages. Sponsor: Rep Smith, Christopher H. (R-NJ). Latest Major Action: 10/16/2001 Referred to House committee: House Energy and Commerce.
S.1534 Department of National Homeland Security Act of 2001. A bill to establish the Department of National Homeland Security. Sponsor: Sen Lieberman, Joseph I. (D-CT). Latest Major Action: 10/11/2001 Referred to Senate committee: Senate Governmental Affairs.
S.1568. A bill to prevent cyberterrorism. Sponsor: Sen Hatch, Orrin G. (R-UT). Latest Major Action: 10/18/2001 Referred to Senate committee: Senate Judiciary.
EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills in the 107th Congress, is available at:
The Dream Machine: J.C.R. Licklider and the Revolution That Made Computing Personal, by M. Mitchell Waldrop.
The Dream Machine is the first in-depth portrait of J.C.R. Licklider and his dream of a "human-computer symbiosis," which forever changed the course of culture and science. This 2001 book tells the story of technological advancement, from World War II to the present. J.C.R. Licklider, an MIT psychologist working in the Pentagon in the 1960s, was determined to show the world that computers did not have to be large, frightening mainframes that processed punch cards. Instead, he saw an exciting new device with the potential to revolutionize our lives.
Well-written and researched, The Dream Machine is an exciting and intellectual story, capturing the passion of the great technological adventure that is the history of the computer and the people who made it all possible.
M. Mitchell Waldrop recently spoke at the New America Foundation on the topic, "The Roots of the Computer Revolution: What Information Technology Today Owes to Government Investment and the Vision of J. C. R. Licklider."
"Privacy & Human Rights 2001: An International Survey of Privacy Laws and Developments," (EPIC 2001). Price: $20. http://www.epic.org/bookstore/phr2001/
This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.
"The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001). Price: $40. http://www.epic.org/bookstore/pls2001/
The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20. http://www.epic.org/bookstore/filters2.0/
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40. http://www.epic.org/cls/
The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.
"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20. http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore/
"EPIC Bookshelf" at Powell's Books http://www.powells.com/features/epic/epic.html
The Third National HIPAA Summit: From Theory to Practice - From Planning to Implementation. October 24-26, 2001. Washington, DC. For more information: http://www.hipaasummit.com/
The 29th Research Conference on Communication, Information and Internet Policy. Telecommunications Policy Research Conference. October 27-29, 2001. Alexandria, VA. For more information: http://www.tprc.org/
The 8th Annual Centre for Applied Cryptographic Research (CACR) Information Security Workshop: The Human Face of Privacy Technology. University of Waterloo and Information and Privacy Commission/Ontario. November 1-2, 2001. Toronto, Ontario. For more information: http://www.cacr.math.uwaterloo.ca/
Symposium on Privacy and Security 2001. Foundation for Data Protection and Information Security. November 1-2, 2001. Zurich, Switzerland. For more information: http://www.privacy-security.ch/
Workshop on Security and Privacy in Digital Rights Management 2001. Eighth Association for Computing Machinery (ACM) Conference on Computer and Communications Security. November 5, 2001. Philadelphia, PA. For more information: http://www.star-lab.com/sander/spdrm/
Privacy: The New Management Imperative - Chief Privacy Officer Training Program. Cambridge University and Privacy Council. November 5-8, 2001. Cambridge, England. For more information: firstname.lastname@example.org
Learning for the Future. Business for Social Responsibility's Ninth Annual Conference. November 7-9, 2001. Seattle, WA. For more information: http://www.bsr.org/events/2001.asp
Privacy and Security in the Digital Age: The Global Summit 2001. November 13-14, 2001. New York, NY. For more information: http://www.globalprivacysummit.net/
Information Operations: Applying Power in the Information Age. Jane's Information Group. November 14-15, 2001. Washington, DC. For more information: http://www.janes.com/security/conference/info_op/info_op.shtml
Information Gathering in the 21st Century. Seton Hall Law School. November 16, 2001. South Orange, NJ. For more information: email@example.com
Managing Privacy of Health Information. The Canadian Institute. November 19-20, 2001. Vancouver, British Columbia. For more information: http://www.CanadianInstitute.com/
CPO and Privacy Practitioners Workshop. Privacy & American Business and Privacy Council. November 27, 2001. Washington, DC. For more information: firstname.lastname@example.org
First Privacy Expo 2001. Privacy & American Business and Privacy Council. November 27-29, 2001. Washington, DC. For more information: email@example.com
Eighth Annual National "Managing the NEW Privacy Revolution" Conference. Privacy & American Business and Privacy Council. November 28-29, 2001. Washington, DC. For more information: firstname.lastname@example.org
Call for Papers - December 1, 2001. 11th Annual EICAR & 3rd European Anti-Malware Conference. European Institute for Computer Anti-Virus Research (EICAR). June 8-11, 2002. Berlin, Germany. For more information: http://conference.eicar.org/
Privacy By Design 2001: Building Privacy for Better Business. ZeroKnowledge. December 3-5, 2001. Montreal, Canada. For more information: http://www.zeroknowledge.com/privacybydesign2001/
Get Noticed: Effective Financial Privacy Notices. Federal Trade Commission. December 4, 2001. Washington, DC. For more information: http://www.ftc.gov/bcp/workshops/glb/
Call for Papers - December 10, 2001. Workshop on Privacy Enhancing Technologies 2002. April 14-15, 2002. San Francisco, CA. For more information: http://www.pet2002.org/
17th Annual Computer Security Applications Conference (ACSAC). Applied Computer Security Associates. December 10-14, 2001. New Orleans, LA. For more information: http://www.acsac.org/
Chief Privacy Officer Skills Development Workshop. PRIVA-C and Select Knowledge. January 14-16, 2002 and February 18-20, 2002. Dallas, TX. For more information: http://www.priva-c.com/cpoworkshop/
CFP 2002: The Twelfth Conference on Computers, Freedom & Privacy. April 16-19, 2002. San Francisco, CA. For more information: http://www.cfp2002.org/
Subscribe/unsubscribe via Web interface:
Subscribe/unsubscribe via email:
To: email@example.com Subject line: "unsubscribe EPIC_NEWS" Body text: [email address at which you are subscribed]
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact firstname.lastname@example.org if you would like to change your subscription email address, or if you have any other questions.
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail email@example.com, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at http://www.guidestar.org/partners/helping/gs_report.jsp?npoId=715209
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.