WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2002 >> [2002] EPICAlert 10

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 9.10 [2002] EPICAlert 10


Volume 9.10 May 23, 2002

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Coalition Urges European Parliament to Vote Against Data Retention
[2] Legislation Moves on Privacy, Spam, Identity Theft, and SSNs
[3] Minnesota Passes ISP Privacy Law
[4] EPIC Files Amicus Brief Contesting Surveillance of TV Use
[5] Supreme Court Retains Ban on COPA Enforcement
[6] Microsoft "Dream" Includes A Passport For Every Person
[7] EPIC Bookstore - Youth, Pornography, and the Internet
[8] Upcoming Conferences and Events

[1] Coalition Urges European Parliament to Vote Against Data Retention

In an open letter sent to all Members of the European Parliament("EP"), more than 40 civil liberties organizations from 15 countriesaround the world strongly recommended that Members vote againstgeneral data retention of communications by law enforcementauthorities. The vote, scheduled for May 29 in Brussels, is critical,
as it constitutes the major step before the final adoption of the newEU Telecommunications Directive. It may have serious consequences onthe manner in which data retention is currently regulated in theUnited States and other countries around the world.

On May 29, the EP must vote to accept language already agreed upon byits parliamentary committees that opposes data retention, but it alsohas to vote on new amendments pushed by the Council and some EPMembers that favor data retention and generalized surveillance ofcommunications. The upcoming vote is one of the last chances for theCouncil of the EU and some EU Member State governments to try tooppose the EP’s position on data retention by pressuring Members tosupport compromise language that would allow for data retention. Thusfar, the EP has always opposed data retention and general andexploratory surveillance of electronic communications.

The letter recommends that EP Members strongly oppose data retentionand take a vigorous stand against the repeated post-9/11 attempts byEuropean law enforcement authorities, the Council, and some EU MemberState governments to pressure the European Parliament into acceptingdata retention as a necessary measure to achieve the “right balancebetween security and privacy." Those governmental institutionswould like to compel communications service providers to routinelycapture and archive information detailing traffic and localizationdata of telephone calls, e-mail, and other communications of theirusers, without the need for a judge and in a preventive andgeneralized fashion.

The international coalition’s statement asserts that such a positionis contrary to the most respected international human rightsconventions and case law (e.g. the European Convention on HumanRights, the European Union Charter of Fundamental Rights, and the caselaw of the European Court of Human Rights). These instruments fullysupport the letter’s position, and specify that, when permitted, dataretention must be a necessary, appropriate, proportionate andtemporary measure. This is inconsistent with the Council’s position,
which would allow the preventive and general control of electroniccommunications for future and hypothetical criminal investigations.

The statement also refers to the opinions adopted by key players inthe legislative process. The EP Committee on Citizens' Freedoms andRights, Justice and Home Affairs, and EU privacy commissioners haveconsistently opposed data retention, affirming that, except forbilling and other business-related purposes, it should be prohibited,
unless used in exceptional cases and authorized by judicial or othercompetent authorities on a case-by-case basis. If not limited to suchstrictures, data retention would violate the fundamental rights ofprivacy and data protection, freedom of expression, and presumption ofinnocence.

The letter further emphasizes the importance of the upcoming vote.
Until now, no major industrialized country in the world has everallowed government-imposed retention requirements for electroniccommunications. Because of the cross-border nature of Internetcommunications, a pro-data retention vote at the EP would likely havenegative repercussions for Americans and citizens of other countries.
In the United States, current regulations do not require dataretention, even after the enactment of sweeping anti-terrorismlegislation known as the USA PATRIOT Act.

The coalition's letter is available on the Global Internet LibertyCampaign (GILC) Web site at:

Individuals are also encouraged to endorse the letter, and may doso on until May 28:

EPIC's new Data Retention Web page lists the latest news, theinternational instruments referred to in the letter, and the mostcurrent documents subject to the May 29 EP vote:

Verbatim reports of the May 29 EP vote will be available the nextday at:

[2] Legislation Moves on Privacy, Spam, Identity Theft, and SSNs

Congress has been active in moving bills on online privacy, spam,
identity theft, and Social Security numbers (SSNs) in recent weeks.

In the Senate, the Commerce Committee has reported out S. 2201, theOnline Privacy Protection Act. The bill, introduced by Sen. ErnestHollings (D-SC), is a compromise measure that is significantly weakerthan Sen. Hollings' prior Internet privacy bill, the Consumer PrivacyProtection Act, which was introduced in May 2000. The current billcontains strong provisions for privacy, including opt-in protectionsfor "sensitive information," a right to access dossiers assembled onconsumers, and a private right of action that allows individuals tosue wrongdoers in their local small claims court. However, the billdoes have some weaknesses: Web sites could still collect personallyidentifying information, such as name and address, by only givingnotice and providing the ability to opt-out. The bill also contains asafe harbor provision that would immunize some Web sites fromaccountability. Additionally, the bill would preempt state efforts toprovide greater privacy protections.

The Senate Commerce Committee also approved S. 630, the Controllingthe Assault of Non-Solicited Pornography and Marketing Act of 2001(CAN SPAM Act of 2001). The legislation, introduced by Sen. ConradBurns (R-MT), would create an opt-out regime for unsolicitedcommercial e-mail. The bill creates criminal penalties for thefalsification of commercial e-mail headers, and prohibits "misleading"
subject lines. Enforcement of the Act would lie with the FederalTrade Commission, State Attorneys General, and Internet ServiceProviders.

The Senate Judiciary Committee reported out S. 1742, the Restore YourIdentity Act of 2001. The bill was introduced by Sen. Maria Cantwell(D-WA), and includes important protections for victims of identitytheft. It requires companies to provide business records regardingextension of credit and other transactions to individuals who havebeen victimized. Additionally, the bill allows victims to place ablock on their credit report so that information relating to theidentity theft does not become part of their credit file.

The Senate Judiciary Committee also approved S. 848, Sen. DianneFeinstein's (D-CA) Social Security Number Misuse Prevention Act of2001. The legislation essentially codifies business practices thatlead to unnecessary use of the SSN and identity theft. It also allowsbroad uses of the identifier by law enforcement and by health careproviders. Effective legislation would curb common uses of the SSN.
Sen. Feinstein's legislation would legitimize these common uses.

The Online Personal Privacy Act (S. 2201):

EPIC Testimony on the Online Personal Privacy Act:

The Controlling the Assault of Non-Solicited Pornography andMarketing Act of 2001 (S. 630):

The Social Security Number Misuse Prevention Act of 2001 (S. 848):

The Restore Your Identity Act of 2001 (S. 1742):

[3] Minnesota Passes ISP Privacy Law

Minnesota Governor Jesse Ventura has signed into law S.F. 2908, a billthat limits Internet Service Providers' (ISPs) use of personalinformation and regulates the transmission of unsolicited commerciale-mail. S.F. 2908 was sponsored by State Sen. Steve Kelley and passedby unanimous vote in the Minnesota Senate, despite vigorous lobbyingcampaigns by ISP giant America Online and others.

The bill brings Minnesota into the forefront on the debate overwhether federal legislation should override state attempts to protectprivacy. States have been more successful in passing privacylegislation in recent years, as anti-privacy lobbyists have paralyzedfederal legislators. Over 20 states have enacted anti-spam laws, andothers have established opt-in financial privacy regimes andprotections against identity theft that surpass federal law.

Article one of the Minnesota bill requires ISPs to give notice andobtain user authorization before disclosing customer contactinformation, browsing history, or the contents of data-storageservices. The bill allows this authorization to be based on either anopt-in or opt-out regime, as long as the user is given conspicuousnotice of how to exercise the option in the service agreement.
Exemptions for disclosure exist where there is a warrant oradministrative subpoena. Litigants in civil court actions can obtainuser information where the requestor can demonstrate a "compellingneed" for disclosure.

Article two of the bill places limits on the transmission of spam. Itprohibits the falsification of unsolicited commercial e-mail headers,
requires that the subject line carry an "ADV" label, and that themessage include either a toll-free phone number or accurate e-mailaddress that permits removal from the mailing list.

Both articles of the bill provide for a private right of action,
attorney's fees, and liquidated damages. The bill takes effect inMarch 2003.

S.F. 2908:

[4] EPIC Files Amicus Brief Contesting Surveillance of TV Use

On May 13, EPIC (joined by several other civil liberties and consumergroups) filed an amicus brief in federal court for the CentralDistrict of California arguing that a court order requiring SONICblueto electronically spy on its "personal television" customers wasprocedurally and substantively improper. "Personal television," alsoknown as a Digital Video Recorder (DVR) or Personal Video Recorder(PVR), is a box very similar to a VCR. The added features of a DVR orPVR, such as an ad-skipping button, are particularly upsetting to thetelevision studios, who have sued SONICblue on a variety of copyrightinfringement theories.

As part of that lawsuit, the television studios sought discovery fromSONICblue, requesting all usage data that the company had on itscustomers, such as what shows were recorded, watched, forwarded tofriends, etc. Because the ReplayTV 4000 product does not transmitthis sort of data back to the company, SONICblue had no data toprovide to the plaintiffs. At the studios' request, the court orderedSONICblue to re-engineer its product so that software will beinstalled in the ReplayTV box in users' homes, where it will silentlyrecord TV usage data and transmit that data back to SONICblue. Aspart of the court order, SONICblue is then required to turn that dataover the entertainment studios.

SONICblue filed objections to the court order on May 10. The companyalso requested, and was granted, a stay of the ordered surveillancewhile the lead judge considers the issue. EPIC, joined by the Centerfor Digital Democracy (CDD), Computer Professionals for SocialResponsibility (CPSR), Consumer Action, Electronic Frontier Foundation(EFF), Media Access Project (MAP), Public Knowledge, and the PrivacyFoundation, filed an amicus brief, joining SONICblue in thoseobjections.

In its brief, EPIC argued that the court order exceeds the scope ofpermissible discovery in litigation. In particular, a party isentitled to discover only that information which is already in aparty's possession -- there is no provision mandating prospectivecollection of data, especially if such collection results in productre-engineering. Moreover, the order infringes on individuals' privacyrights and intellectual freedom. Historically, a person's home hasbeen deemed to be an especially private place, where third parties maynot intrude. By compelling the installation of software in a person'shome, that seclusion will be violated. The compelled surveillancealso invades intellectual freedom -- people would be chilled fromwatching certain programs, whether unpopular, controversial, orsexually explicit -- if they knew that an electronic record would becreated, in perpetuity, about their viewing choices.

Additional information about the case, including a copy of EPIC'samicus brief, is available online at:

EPIC maintains a Web page on Digital Rights Management and itsimplications for privacy at:

[5] Supreme Court Retains Ban on COPA Enforcement

The Supreme Court has preserved an injunction barring enforcement ofthe Child Online Protection Act (COPA), ruling that the controversiallaw raises unresolved free speech questions that must be decided bythe lower courts before the law's constitutionality can be fullyassessed.

COPA, signed into law in October 1998, makes it a federal crime to usethe Internet to communicate "for commercial purposes" materialconsidered "harmful to minors," with penalties of up to $150,000 foreach day of violation and up to six months in prison. Civil libertiesgroups, including the American Civil Liberties Union (ACLU) and EPIC,
challenged the law shortly after its passage, arguing that COPAviolates the First Amendment.

In February 1999, the federal district court in Philadelphia issued aninjunction preventing the government from enforcing COPA. That courtheld that COPA was invalid because there is no way for Web speakers toprevent minors from accessing "harmful" material on the Web withoutalso burdening adults seeking access to protected speech. AlthoughCOPA provides a defense if Web speakers restrict access by requiring acredit card or adult access code, either option was held to burdenfree speech.

The Third Circuit Court of Appeals affirmed in June 2000, finding thatCOPA was unconstitutional on a different ground. "Because of thepeculiar geography-free nature of cyberspace, [COPA's] communitystandards test would essentially require every Web communication toabide by the most restrictive community's standards."

The Supreme Court questioned the validity of the only conclusionreached by the appellate court -- that COPA's reliance on "communitystandards" renders the law unconstitutional -- but did notconclusively resolve the issue. It is now up to the Third Circuit todecide whether to rule based on the facts the lower court used, or tosend the case back down for a full trial before the district court.

Ann Beeson, Litigation Director of ACLU's Technology and LibertyProgram, who argued the case before the Supreme Court in November,
said that "the Court clearly had enough doubts about this broadcensorship law to leave in place the ban."

Supreme Court Decision (May 13, 2002):


[6] Microsoft "Dream" Includes A Passport For Every Person

According to a business plan introduced into evidence in the Microsoftantitrust trial, the company's "dream" with the Passport onlineidentification and authentication system was to "create the largestand most leveragable database of profiles on the planet" and "[a]
subscription relationship with every user on the Internet." Microsoftalready claims the existence of 200 million Passport accounts.

Testimony of Microsoft Vice President David Cole indicated that whilethey were urging individuals to reveal personal information, thecompany had no idea of how it was going to provide promised Hailstormservices. Responding to a June 2001 e-mail from his supervisorregarding provision of a base set of Hailstorm services, Cole statedthat "there's nobody that really knew how that was going to work orhow that could possibly work."

Cole later testified that Microsoft's goal was to encourage "users toconsume personalized content and services and therefore they need tosign up for a Passport" [sic]. After collecting personal information,
Microsoft's strategy was to leverage "contextual understanding foremergence." That is, Microsoft intends to use the personal data inorder to improve profiling for ad targeting, and eventually to upgradethe individual to a paid membership account.

Last week, Eastside Journal and Newsbytes reported that Microsoftchanged the privacy preferences of Hotmail users by adding newinformation sharing options to the e-mail system. Users reported thattwo boxes had appeared in the Hotmail preferences section that wereset to enable e-mail and demographic information sharing.

EPIC and a coalition of consumer groups have filed a series ofcomplaints with the FTC alleging that Microsoft's Passport service isdesigned to profile users and target them for unwanted advertising andspam. EPIC has advised individuals to "Sign Out" of Passport -- thatis, individuals should avoid using the service altogether.

Microsoft Antitrust Trial Transcript, Volume 21, Morning Session,
April 22, 2002:

EPIC's "Sign Out of Passport" Page:

[7] EPIC Bookstore - Youth, Pornography, and the Internet

Youth, Pornography, and the Internet. Edited by Dick Thornburgh andHerbert S. Lin, National Research Council.

On May 2, the National Academies released this comprehensive study,
which examines different approaches to protecting underage personsfrom pornography on the World Wide Web, online sexual predators, andother material on the Internet that may be considered inappropriate.
The report notes that the Internet is a valuable educational tool, andthat certain methods of "protection" have dire consequences, such as asevere limitation of online resources, for children and adults alike.
It attests that, despite the existence of restrictive technologiessuch as filters that block certain Web sites, the most important andeffective tool for protecting children from online threats is parentalinvolvement and supervision.

The study, chaired by Herb Lin and former Attorney General DickThornburgh, also raises questions about the ambiguity of terms such as"pornography" and "children," which can be subjectively applied indifferent ways. To solve the dilemma of conflicting definitions of"pornography," the report uses the term "inappropriate sexuallyexplicit material." As for whether a six-year-old and asixteen-year-old both classify as "children" when it comes to theirexposure to information online, the report contests that highereducation requires access to a larger amount of information, and thuschildren of different ages have different online needs.

There is also the question of the impact of public policy onprotecting children from material that is considered to be harmful.
The study concludes that the most effective regulation of thismaterial would not be to get rid of it entirely, but rather to createincentives for providers of such material to take action to ensurethat minors cannot access that material. The report also mentionsthat a different approach would be to use public policy to promoteInternet safety education and awareness for parents and children.

"Youth, Pornography, and the Internet" discusses these and otherissues, plus strategies, technological tools, and policy options thatwill help children and parents learn to make safe and appropriatedecisions when it comes to their experiences online.

More information on the report:

Related EPIC Publication, Filters & Freedom 2.0: Free SpeechPerspectives on Internet Content Controls:

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Lawsand Developments," (EPIC 2001). Price: $20.

This survey, by EPIC and Privacy International, reviews the state ofprivacy in over fifty countries around the world. The survey examinesa wide range of privacy issues including, data protection, telephonetapping, genetic databases, ID systems and freedom of informationlaws.

"The Privacy Law Sourcebook 2001: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20.

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

** The Public Voice in Internet Policy Making. June 22, 2002.
Washington, DC. The Electronic Privacy Information Center (EPIC) willhost a one-day public symposium to discuss the future of our rightsand freedoms in the information age. The event is being hosted inconjunction with INET 2002 and is free and open to the public. Formore information: **

15th Annual Computer and Technology Law Institute. University of TexasSchool of Law. May 29-31, 2002. Austin, TX. For more information:

Call For Papers - June 1, 2002 (special recognition for outstandingstudent papers). 18th Annual Computer Security Applications Conference(ACSAC): Practical Solutions to Real Security Problems. AppliedComputer Security Associates. December 9-13, 2002. Las Vegas, Nevada.
For more information:

Third Annual Institute on Privacy Law. Practising Law Institute. June3-4, 2002, San Francisco, CA; June 24-25, New York, NY. For moreinformation:

Big Brother Is Watching: The Independent Policy Forum. The IndependentInstitute. June 6, 2002. Oakland, CA. For more information:

Save Privacy: Grenzverschiebungen im Digitalen Zeitalter. The HeinrichBöll Foundation. June 7-8, 2002. Berlin, Germany. For moreinformation:

Second Annual Information, Networks and Technology Institute. BerkeleyCenter for Law and Technology, University of Texas School of Law. June13-14, 2002. San Jose, CA. For more information:

Privacy Paradox: The Gain of Security vs. Privacy's Loss. StrategicResearch Institute. June 17-18, 2002. Chicago, IL. For moreinformation:

INET 2002. Internet Crossroads: Where Technology and Policy Intersect.
Internet Society. June 18-21, 2002. Washington, DC. For moreinformation:

IViR International Copyright Law Summer Course. Royal NetherlandsAcademy of Arts and Sciences. July 8-12, 2002. Amsterdam, Netherlands.
For more information:

O'Reilly Open Source Convention. O'Reilly and Associates. July 22-26,
2002. San Diego, CA. For more information:

Cyberwar, Netwar and the Revolution in Military Affairs: Real Threatsand Virtual Myths. International School on Disarmament and Research onConflicts (ISODARCO). August 3-13, 2002. Trento, Italy. For moreinformation:

ILPF Conference 2002: Security v. Privacy. Internet Law & PolicyForum. September 17-19, 2002. Seattle, WA. For more information:

Privacy2002. Technology Policy Group. September 24-26, 2002.
Cleveland, OH. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:

Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

Subject: "help" (no quotes)

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email addressfrom this list, please follow the above instructions under"subscription information". Please contact if you wouldlike to change your subscription email address, if you areexperiencing subscription/unsubscription problems, or if you have anyother questions.

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information,
e-mail, or write EPIC, 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learnLatin at the same time! Receive a free "sed quis custodietipsos custodes?" coffee mug with donation of $75 or more.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 9.10


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback