EPIC Alert 9.15 [2002] EPICAlert 15


Volume 9.15 August 9, 2002

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] FTC Announces Action Against Microsoft Passport
[2] Court Orders DOJ to Disclose Names of 9/11 Detainees
[3] OECD Announces Computer Security Guidelines
[4] EPIC Files Brief in Online Offender Registry Case
[5] EPIC Argues Police Must Be Present for Online Search
[6] Eli Lilly Settles With States; NTIA to Hold ENUM Forum
[7] EPIC Bookstore - Trust Us, We're Experts
[8] Upcoming Conferences and Events

[1] FTC Announces Action Against Microsoft Passport

The Federal Trade Commission (FTC) yesterday announced a consent order with Microsoft regarding the Passport identification and authentication system. Prompted by a complaint submitted by EPIC and fourteen leading consumer groups, the FTC's investigation found that Microsoft had violated federal consumer protection law prohibiting unfair and deceptive trade practices.

In July and August 2001, EPIC -- joined by groups including Junkbusters, Consumers Union, US PIRG and the Consumer Federation of America -- submitted detailed complaints to the Commission. The complaints described the serious privacy implications of Microsoft Windows XP and Microsoft Passport, and alleged that the collection and use of personal information by the company would violate Section 5 of the Federal Trade Commission Act. After the complaints were filed, the company experienced a series of serious security breaches, including a vulnerability that would have allowed a person to steal information within the Microsoft Wallet service.

The FTC yesterday found that Microsoft made a series of false representations about Passport. First, the company, despite guarantees to the contrary, did not employ reasonable methods to protect the privacy of personal information collected by Passport. Second, the company falsely represented that the Passport Wallet service provided extra security over standard e-commerce transactions. Third, the company did not disclose that Passport tracked users' visits to web sites, when in fact a log of user activity was maintained by the company for months. Fourth, Kids' Passport failed to provide parental control over collection of information online.

The order requires Microsoft to implement a new information security program. A third-party auditor will check compliance with this program within one year, and Microsoft must reassess its information security practices every two years. Further, Microsoft is prohibited from making future false representations about the Passport service. Microsoft is bound by the order for 20 years, and fines can be levied for non-compliance.

The FTC will accept public comment on the order until September 9,

FTC Consent Order:

FTC Complaint:

EPIC's Sign Out of Passport Page:

EPIC's Passport Investigation Docket Page:

[2] Court Orders DOJ to Disclose Names of 9/11 Detainees

In a decision issued on August 2, U.S. District Judge Gladys Kessler directed the Justice Department to disclose, no later than August 19, the identities of more than 1,000 individuals detained in connection with the government's September 11 terrorist investigation. Under the order, detainees desiring confidentiality of their identities can file statements requesting non-disclosure. The judicial decision marks a significant defeat for government secrecy in the wake of the terrorist attacks. EPIC joined with a coalition of other groups in seeking the disclosure of the information under the Freedom of Information Act (FOIA) and serves as co-counsel in the case.

The Justice Department had argued that releasing the detainees' names and other information could undermine the September 11 investigation and harm national security. Disclosure would subject the detainees to possible intimidation or coercion, the government argued, and provide terrorists with a potential "road map" of the investigation. Judge Kessler found the government's argument "unpersuasive" and concluded that "the public's interest in learning the identities of those arrested and detained is essential to verifying whether the government is operating within the bounds of the law."

The FOIA lawsuit was filed by the Center for National Security Studies, EPIC, and 21 other organizations, including the American Civil Liberties Union, Human Rights Watch and Amnesty International USA. The plaintiffs argued that the detentions constituted secret arrests that violated longstanding legal requirements compelling the government to account for the individuals it incarcerates.

"The Court fully understands and appreciates that the first priority of the executive branch in a time of crisis is to ensure the physical security of its citizens," Judge Kessler wrote. "By the same token, the first priority of the judicial branch must be to ensure that our government always operates within the statutory and constitutional constraints which distinguish a democracy from a dictatorship."

The Justice Department has appealed the ruling and asked Judge Kessler to delay enforcement of her order pending resolution of the appeal.

The court's decision is available at:

EPIC has produced a resource page with background on the litigation:

[3] OECD Announces Computer Security Guidelines

The Organization for Economic Cooperation and Development (OECD) has released principles for computer security that emphasize democracy, transparency, privacy, and education. The OECD principles are intended to protect important civil society values as countries and private sector organizations go forward with computer security plans.

EPIC Research Director Sarah Andrews served on the OECD expert panel as the civil society representative, and consulted with computer security experts, public policy experts, and NGO participants in the Public Voice project during the year-long development of the guidelines.

The OECD, based in Paris, is a thirty-member organization of leading industrial nations in North America, Europe and East Asia. Over the years, the OECD has produced several important policy frameworks for information technology in such areas as privacy, cryptography, and electronic commerce.

The original OECD Security Guidelines were promulgated in 1992. The new Guidelines seek to take account of the development of network computing and the growth of commercial services, as well as the response of governments to the events of September 11.

The OECD Security Guidelines set out nine principles: Awareness, Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design and Implementation, Security Management, and Reassessment. Each principle is followed by a definition and then a one-paragraph description. Taken as a whole, the principles emphasize the joint responsibility of all participants to promote network security. The Guidelines also draw attention to important democratic goals in the design of security policy, including and specifically stating that:

Security should be implemented in a manner consistent with the values recognised by democratic societies including the freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication, the appropriate protection of personal information, openness and transparency.

The OECD also adopted a principle on Risk Assessment that states:

Risk assessment identifies threats and vulnerabilities and should be sufficiently broad-based to encompass key internal and external factors, such as technology, physical and human factors, policies and third-party services with security implications. Risk assessment will allow determination of the acceptable level of risk and assist the selection of appropriate controls to manage the risk of potential harm to information systems and networks in light of the nature and importance of the information to be protected. Because of the growing interconnectivity of information systems, risk assessment should include consideration of the potential harm that may originate from others or be caused to others.

A similar proposal was under consideration by the OECD in 1992 but was not adopted at that time.

Regrettably, the OECD adopted the authoritarian "culture of security" as the tagline for its most recent effort. But overall the Guidelines are a welcome contribution to the computer security field, and should promote policies that are more responsive to civil society interests than some of the recent proposals of national governments.

OECD Guidelines for the Security of Information Systems and Networks:

OECD Governments Launch Drive to Improve Security of Online Networks:

The Public Voice:

[4] EPIC Files Brief in Online Offender Registry Case

EPIC filed an amicus brief with the Supreme Court on August 5, urging the Court to uphold a circuit court ruling that the Alaska "Megan's Law" statute violates the Constitution. EPIC argues that the mandatory online dissemination of a sex offender registry is excessive when weighed against the statutory purpose of protecting people in the geographic vicinity of released offenders.

The Alaska law is the state's adaptation of federal legislation requiring public notification of the locations of convicted sex offenders upon their release. Commonly called "Megan's Law," the federal law directing such notification was enacted in 1996 after the slaying of Megan Kanka, a seven-year-old New Jersey girl, by a neighbor who had been released after serving time for sex offenses.

The federal appellate court determined that the Alaska law, permitting inclusion of names, addresses, descriptions, and other private information in a sex offender registry to be posted on the Internet, violated the ex post facto clause of the Constitution because the information included in the registry was too broad and the methods of gathering that information were extremely burdensome. Most importantly, the appeals court found that the intent of protecting those in the geographical area from individuals required to register was not furthered by allowing people all over the world to access the personal data included in the registry.

EPIC's amicus brief focuses on the effect of Internet dissemination of stigmatizing information collected by the government. EPIC argues that the government has a duty to impose safeguards and limitations upon its dissemination of private, stigmatizing information that it collects, especially when such information would otherwise be effectively unavailable but is made readily accessible worldwide through government action.

EPIC's resource page with background information on the case:

EPIC's amicus brief is available at:

[5] EPIC Argues Police Must Be Present for Online Search

On July 26, EPIC filed an amicus brief in the Eighth Circuit arguing that police officer presence is required during the service of a warrant on an ISP. EPIC argues that the service of a search warrant by fax machine doesn't adequately safeguard the Fourth Amendment guarantee of a "reasonable" search. EPIC's brief details the history of U.S. search and seizure law, which has mandated officer presence at the service of a warrant since the 1700s.

The case arose in October 2000, when police officers in Minnesota began investigating Dale Robert Bach for potential child pornography crimes. As part of the investigation, an officer obtained a search warrant to be served upon Yahoo, an Internet service provider in California. Minnesota requires that an officer be present at the service of a search warrant. However, rather than adhering to the requirements provided by Minnesota law, the officer investigating Bach served the search warrant on Yahoo by fax. Upon receiving the fax, Yahoo employees retrieved all data from Bach's account, including deleted email messages. Yahoo then mailed the disk to Minnesota, where the data became evidence in Bach's federal criminal trial.

At trial, Bach moved to have the evidence suppressed, citing violations of the Minnesota statute as well as a federal statute. The district court held that the evidence should be suppressed as the search was illegal under both federal and state laws. EPIC's brief urges the appellate court to uphold this ruling, because officer presence is a historical and crucial procedural safeguard guaranteeing Fourth Amendment protections.

There are more than 140 million Internet users in the United States; thus, the court's resolution of this case could potentially affect the privacy interests of millions of citizens.

EPIC's Bach Page:

EPIC's amicus brief is available at:

[6] Eli Lilly Settles With States; NTIA to Hold ENUM Forum

New York and seven other states have settled an investigation of pharmaceutical company Eli Lilly, which accidentally disclosed over 600 personally-identifiable e-mail addresses of individuals who signed up for an online messaging service. The messaging service sent subscribers a daily reminder to take Prozac, a prescription anti-depressant. In July 2001, the ACLU alerted federal authorities to the privacy violation.

Under the settlement agreement, the company agreed to improve internal information security standards. The company will issue information security reports, and undergo independent compliance reviews. The company also paid $160,000 to the eight states for attorney fees and investigative costs. In January 2002, Eli Lilly settled a federal investigation of the same matter, but was not required to pay monetary damages. Individuals who were harmed by the disclosure may still bring suit against the company.

The Department of Commerce's National Telecommunications Information Agency (NTIA) will hold a roundtable on Electronic Numbering (ENUM) on August 14, 2002. ENUM is a technology that enables a user to store contact information that can be accessed by another person through the use of a single number. For instance, a person could store fax, voice, and voicemail numbers, as well as e-mail and home addresses, all in a single ENUM account. By using the ENUM associated with the account, another person could access all the personal contact information contained within that account.

ENUM may become a widely-used technology to facilitate convenient communications. However, its privacy implications have not been adequately addressed. The ENUM database would be public and searchable by anyone. It is likely that marketers, spammers, and malicious actors will mine the database for personal contact information. Since there are no statutory protections in place regulating the use of ENUM contact information, marketers and spammers may use the contact information for junk mail, unsolicited commercial e-mail, and other forms of commercial solicitations.
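The following is an added illustration, not part of the original Alert, of how the single-number lookup described above works and where the privacy exposure sits. It assumes the ENUM design standardised in RFC 3761, which the Alert does not name: a phone number is turned into a DNS name under e164.arpa by reversing its digits, and the records at that name carry contact URIs tagged with an "enumservice" (E2U+sip, E2U+email:mailto and so on). The registry, the subscriber "alice", the numbers and the "E2U+x-postal" tag are all constructed sample data so the script runs offline; the publication policy is one illustrative mitigation, not a feature of any real registry.

```python
"""Constructed ENUM lookup example: number -> e164.arpa name -> contact URIs.

Assumption (RFC 3761 convention): "+1 555 010 0100" maps to the DNS name
"0.0.1.0.0.1.0.5.5.5.1.e164.arpa." and that name holds NAPTR-style records.
Everything below is constructed sample data; no real DNS is queried.
"""
import re

ENUM_SUFFIX = "e164.arpa."


def e164_to_enum_name(number: str) -> str:
    """Map an E.164 number (must start with '+') to its ENUM domain name."""
    if not number.startswith("+"):
        raise ValueError("E.164 numbers must start with '+'")
    digits = re.sub(r"\D", "", number)          # drop spaces, dashes, the '+'
    if not digits:
        raise ValueError("no digits in number")
    return ".".join(reversed(digits)) + "." + ENUM_SUFFIX


def enum_name_to_e164(name: str) -> str:
    """Inverse mapping: ENUM domain name back to the E.164 number."""
    if not name.endswith("." + ENUM_SUFFIX):
        raise ValueError("not an ENUM name")
    labels = name[: -len(ENUM_SUFFIX) - 1].split(".")
    if not all(len(label) == 1 and label.isdigit() for label in labels):
        raise ValueError("malformed ENUM name")
    return "+" + "".join(reversed(labels))


# Constructed sample registry: one subscriber who stored every kind of
# contact detail the Alert lists.  Records mimic NAPTR (enumservice, URI)
# pairs; "E2U+x-postal" is a hypothetical tag used here for a home address.
SAMPLE_REGISTRY = {
    e164_to_enum_name("+1-555-010-0100"): [
        ("E2U+sip", "sip:alice@example.net"),
        ("E2U+voice:tel", "tel:+1-555-010-0100"),
        ("E2U+fax:tel", "tel:+1-555-010-0101"),
        ("E2U+email:mailto", "mailto:alice@example.net"),
        ("E2U+x-postal", "postal:1 Main St, Anytown"),
    ],
}

# Illustrative publication policy: only what is needed to route a call is
# answered to anonymous queriers; e-mail and postal data are withheld.
PUBLIC_SERVICES = {"E2U+sip", "E2U+voice:tel"}


def lookup(number: str, registry=SAMPLE_REGISTRY, policy=None):
    """Resolve a number to contact URIs.

    policy=None models the fully public database the Alert warns about:
    every stored URI is returned to anyone who asks.  A policy set limits
    the answer to the listed enumservices.
    """
    records = registry.get(e164_to_enum_name(number), [])
    if policy is None:
        return [uri for _, uri in records]
    return [uri for svc, uri in records if svc in policy]


def exposure_report(registry) -> dict:
    """Defender's audit: how many records of each service type an
    unrestricted public lookup would reveal across the registry."""
    counts = {}
    for records in registry.values():
        for svc, _ in records:
            counts[svc] = counts.get(svc, 0) + 1
    return counts


if __name__ == "__main__":
    print(e164_to_enum_name("+1 555 010 0100"))
    print("public database:", lookup("+1 555 010 0100"))
    print("with policy:    ", lookup("+1 555 010 0100", policy=PUBLIC_SERVICES))
    print("exposure:", exposure_report(SAMPLE_REGISTRY))
```

The unrestricted lookup returns all five URIs, which is the mining risk the Alert describes: the name is derivable from the phone number alone, so anyone holding a number can fetch the whole record. The policy-filtered lookup shows the minimal-disclosure alternative, and exposure_report is the kind of check an operator would run before publishing a registry.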

Lilly's Multi-State Settlement Agreement:

The ACLU's Complaint:

EPIC's ENUM resource page:

NTIA ENUM Public Meeting Notice:

[7] EPIC Bookstore - Trust Us, We're Experts

Trust Us, We're Experts: How Industry Manipulates Science and Gambles With Your Future, by Sheldon Rampton and John Stauber (Putnam 2001).

At a recent Federal Trade Commission (FTC) workshop on telemarketing, Jim Miller, former FTC Chairman and now Washington lobbyist, presented a study showing that predictive dialers, the systems that allow telemarketers to phone many persons at the same time, should not be eliminated because they lower costs for consumers. Miller's report, sponsored by the "Consumer Choice Coalition," glossed over objections to predictive dialers, which result in hang-up calls to phone subscribers. While calculating in detail the costs of new telemarketing regulations to industry, Miller did not attempt to account for the lost time and frustration caused by predictive dialers. A little digging shows that no consumers seem to be members of the Consumer Choice Coalition -- rather, it is a "cross-industry coalition of companies and associations."

In "Trust Us, We're Experts," Sheldon Rampton and John Stauber's second book on the public relations (PR) industry, the reader is warned about the role that Miller and other experts play in the public policy process. These experts, supported by massive funding from industry, formulate clever studies that ward off regulators and legislators. In some cases, these experts even endanger the public.

The authors illustrate a formula for industry advocacy. First, experts are acquired to present the appearance of neutral, third-party support. Third-party advocacy is well-recognized as a force for creating credibility, and in fact, it is the first guideline in a developing field called "persuasive computing," which seeks to develop computer interfaces that alter individuals' behavior. Second, industry groups grow "astroturf" -- that is, fake grassroots support for their position. This usually takes the form of letters to newspapers and legislators from concerned citizens who are quietly remunerated for their support. Third, well-organized PR firms send out pre-written news stories that are republished by busy journalists, sometimes in full as original news.

PR techniques are also used to distract the public from public health hazards. A typical approach is to deny that the hazard exists at all. But when denial is no longer tenable, PR experts advise companies to blame the problem on other hazards, or on the victim himself. When blame can no longer be assigned, they claim that assigning responsibility to the company will result in lost jobs or bankruptcy.

While these approaches sound simple and predictable, they have been effective in duping the public repeatedly. The authors illustrate how they successfully delayed or stopped regulations to protect individuals from known toxins, including asbestos, tobacco, vinyl chloride, and conditions such as silicosis. They were even effective in stalling the removal of lead from gasoline, despite the fact that lead has been a known toxin for centuries.

The book is full of surprises, including a description of a software program called "Outrage" that helps companies manage potential PR problems. The software advises companies to "deflect, defer, dismiss, or defeat" negative attention, depending on the situation. Companies can even purchase "crisis management" consulting packages to ward off negative media attention.

The authors do present solutions to lessen the impact of industry experts on public policy. One important practice, which was recently adopted by the prestigious New England Journal of Medicine, is to refuse to publish any study where the sponsor has the right to pre-publication review and veto -- in essence, the ability to withhold unfavorable results from public view. The authors also suggest that research from other countries be relied upon to evaluate public policy. Researchers in other countries sometimes have exposed industrial hazards decades before American experts. But, most importantly, the authors urge us to question authority. Collectively, whether the issue is privacy, pesticides, or global warming, we need to pay more attention to the man behind the curtain.

- Chris Hoofnagle

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Laws and Developments," (EPIC 2001). Price: $20.

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

"The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

IT and Law. University of Geneva, University of Bern, Swiss Association of IT and Law. September 9-10, 2002. Geneva, Switzerland. For more information:

ILPF Conference 2002: Security v. Privacy. Internet Law & Policy Forum. September 17-19, 2002. Seattle, WA. For more information:

Privacy2002: Information, Security & New Global Realities. Technology Policy Group. September 24-26, 2002. Cleveland, OH. For more information:

Privacy in Ubicomp 2002: Workshop on Socially-informed Design of Privacy-enhancing Solutions in Ubiquitous Computing. Held as part of UBICOMP 2002. September 29, 2002. Goeteborg, Sweden. For more information:

Shrinking World, Expanding Net. Computer Professionals for Social Responsibility (CPSR). October 5, 2002. Cambridge, MA. For more information:

Bridging the Digital Divide: Challenge and Opportunities. 3rd World Summit on Internet and Multimedia. October 8-11, 2002. Montreux, Switzerland. For more information:

2002 WSEAS International Conference on Information Security (ICIS'02). World Scientific and Engineering Academy and Society. October 14-17, 2002. Rio de Janeiro, Brazil. For more information:

IAPO Privacy & Security Conference. International Association of Privacy Officers. October 16-18, 2002. Chicago, IL. For more information:

Privacy Trends: Complying With New Demands. Riley Information Services Inc. and the Commonwealth Centre for Electronic Governance. October 22, 2002. Ottawa, Canada. For more information:

3rd Annual Privacy and Security Workshop: Privacy & Security: Totally Committed. Centre for Applied Cryptographic Research, University of Waterloo and the Information and Privacy Commissioner/Ontario. University of Toronto. November 7-8, 2002. Toronto, Canada. For more information:

First Hawaii Biometrics Conference. Windward Community College, Pacific Center for Advanced Technology Training (PCATT). November 10-13, 2002. Waikiki, HI. For more information:

Transformations in Politics, Culture and Society. Inter-Disciplinary.Net. December 6-8, 2002. Brussels, Belgium. For more information:

18th Annual Computer Security Applications Conference (ACSAC): Practical Solutions to Real Security Problems. Applied Computer Security Associates. December 9-13, 2002. Las Vegas, NV. For more information:

Third Annual Privacy Summit. International Association of Privacy Officers. February 26-28, 2003. Washington, DC. For more information:

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy. Association for Computing Machinery (ACM). April 1-4, 2003. New York, NY. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:

Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

Subject: "help" (no quotes)

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact if you would like to change your subscription email address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail, or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learn Latin at the same time! Receive a free "sed quis custodiet ipsos custodes?" coffee mug with donation of $75 or more.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 9.15

