EPIC Alert 9.15 [2002] EPICAlert 15
EPIC ALERT
Volume 9.15 August 9, 2002
Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/alert/EPIC_Alert_9.15.html
Table of Contents
[1] FTC Announces Action Against Microsoft Passport
[2] Court Orders DOJ to Disclose Names of 9/11 Detainees
[3] OECD Announces Computer Security Guidelines
[4] EPIC Files Brief in Online Offender Registry Case
[5] EPIC Argues Police Must Be Present for Online Search
[6] Eli Lilly Settles With States; NTIA to Hold ENUM Forum
[7] EPIC Bookstore - Trust Us, We're Experts
[8] Upcoming Conferences and Events
[1] FTC Announces Action Against Microsoft Passport
The Federal Trade Commission (FTC) yesterday announced a consent order with Microsoft regarding the Passport identification and authentication system. Prompted by a complaint submitted by EPIC and fourteen leading consumer groups, the FTC's investigation found that Microsoft had violated federal consumer protection law prohibiting unfair and deceptive trade practices.
In July and August 2001, EPIC -- joined by groups including Junkbusters, Consumers Union, US PIRG and the Consumer Federation of America -- submitted detailed complaints to the Commission. The complaints described the serious privacy implications of Microsoft Windows XP and Microsoft Passport, and alleged that the collection and use of personal information by the company would violate Section 5 of the Federal Trade Commission Act. After the complaints were filed, the company experienced a series of serious security breaches, including a vulnerability that would have allowed a person to steal information within the Microsoft Wallet service.
The FTC yesterday found that Microsoft made a series of false representations about Passport. First, the company, despite guarantees to the contrary, did not employ reasonable methods to protect the privacy of personal information collected by Passport. Second, the company falsely represented that the Passport Wallet service provided extra security over standard e-commerce transactions. Third, the company did not disclose that Passport tracked users' visits to web sites, when in fact a log of user activity was maintained by the company for months. Fourth, Kids' Passport failed to provide parental control over collection of information online.
The order requires Microsoft to implement a new information security program. A third-party auditor will check compliance with this program within one year, and Microsoft must reassess its information security practices every two years. Further, Microsoft is prohibited from making future false representations about the Passport service. Microsoft is bound by the order for 20 years, and fines can be levied for non-compliance.
The FTC will accept public comment on the order until September 9, 2002.
FTC Consent Order:
http://www.ftc.gov/os/2002/08/microsoftagree.pdf
FTC Complaint:
http://www.ftc.gov/os/2002/08/microsoftcmp.pdf
EPIC's Sign Out of Passport Page:
http://www.epic.org/privacy/consumer/microsoft/
EPIC's Passport Investigation Docket Page:
http://www.epic.org/privacy/consumer/microsoft/passport.html
[2] Court Orders DOJ to Disclose Names of 9/11 Detainees
In a decision issued on August 2, U.S. District Judge Gladys Kessler directed the Justice Department to disclose, no later than August 19, the identities of more than 1,000 individuals detained in connection with the government's September 11 terrorist investigation. Under the order, detainees desiring confidentiality of their identities can file statements requesting non-disclosure. The judicial decision marks a significant defeat for government secrecy in the wake of the terrorist attacks. EPIC joined with a coalition of other groups in seeking the disclosure of the information under the Freedom of Information Act (FOIA) and serves as co-counsel in the case.
The Justice Department had argued that releasing the detainees' names and other information could undermine the September 11 investigation and harm national security. Disclosure would subject the detainees to possible intimidation or coercion, the government argued, and provide terrorists with a potential "road map" of the investigation. Judge Kessler found the government's argument "unpersuasive" and concluded that "the public's interest in learning the identities of those arrested and detained is essential to verifying whether the government is operating within the bounds of the law."
The FOIA lawsuit was filed by the Center for National Security Studies, EPIC, and 21 other organizations, including the American Civil Liberties Union, Human Rights Watch and Amnesty International USA. The plaintiffs argued that the detentions constituted secret arrests that violated longstanding legal requirements compelling the government to account for the individuals it incarcerates.
"The Court fully understands and appreciates that the first priority of the executive branch in a time of crisis is to ensure the physical security of its citizens," Judge Kessler wrote. "By the same token, the first priority of the judicial branch must be to ensure that our government always operates within the statutory and constitutional constraints which distinguish a democracy from a dictatorship."
The Justice Department has appealed the ruling and asked Judge Kessler to delay enforcement of her order pending resolution of the appeal.
The court's decision is available at:
http://www.epic.org/open_gov/foia/cnssdecision.pdf
EPIC has produced a resource page with background on the litigation:
http://www.epic.org/open_gov/foia/cnss_v_doj.html
[3] OECD Announces Computer Security Guidelines
The Organization for Economic Cooperation and Development (OECD) has released principles for computer security that emphasize democracy, transparency, privacy, and education. The OECD principles are intended to protect important civil society values as countries and private sector organizations go forward with computer security plans.
EPIC Research Director Sarah Andrews served on the OECD expert panel as the civil society representative, and consulted with computer security experts, public policy experts, and NGO participants in the Public Voice project during the year-long development of the guidelines.
The OECD, based in Paris, is a thirty-member organization of leading industrial nations in North America, Europe and East Asia. Over the years, the OECD has produced several important policy frameworks for information technology in such areas as privacy, cryptography, and electronic commerce.
The original OECD Security Guidelines were promulgated in 1992. The new Guidelines seek to take account of the development of network computing and the growth of commercial services, as well as the response of governments to the events of September 11.
The OECD Security Guidelines set out nine principles: Awareness, Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design and Implementation, Security Management, and Reassessment. Each principle is followed by a definition and then a one-paragraph description. Taken as a whole, the principles emphasize the joint responsibility of all participants to promote network security. The Guidelines also draw attention to important democratic goals in the design of security policy, including and specifically stating that:
Security should be implemented in a manner consistent with the values recognised by democratic societies including the
freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication,
the appropriate protection of personal information, openness and transparency.
The OECD also adopted a principle on Risk Assessment that states:
Risk assessment identifies threats and vulnerabilities and should be sufficiently broad-based to encompass key internal
and external factors, such as technology, physical and human factors, policies and third-party services with security
implications. Risk assessment will allow determination of the acceptable level of risk and assist the selection of appropriate
controls to manage the risk of potential harm to information systems and networks in light of the nature and importance of
the information to be protected. Because of the growing interconnectivity of information systems, risk assessment should
include consideration of the potential harm that may originate from others or be caused to others.
A similar proposal was under consideration by the OECD in 1992 but was not adopted at that time.
Regrettably, the OECD adopted the authoritarian "culture of security" as the tagline for its most recent effort. But overall the Guidelines are a welcome contribution to the computer security field, and should promote policies that are more responsive to civil society interests than some of the recent proposals of national governments.
OECD Guidelines for the Security of Information Systems and Networks:
http://www.oecd.org/pdf/M00033000/M00033183.pdf
OECD Governments Launch Drive to Improve Security of Online Networks:
http://www.epic.org/redirect/oecd_redirect.html
The Public Voice:
http://www.thepublicvoice.org/
[4] EPIC Files Brief in Online Offender Registry Case
EPIC filed an amicus brief with the Supreme Court on August 5, urging the Court to uphold a circuit court ruling that the Alaska "Megan's Law" statute violates the Constitution. EPIC argues that the mandatory online dissemination of a sex offender registry is excessive when weighed against the statutory purpose of protecting people in the geographic vicinity of released offenders.
The Alaska law is the state's adaptation of federal legislation requiring public notification of the locations of convicted sex offenders upon their release. Commonly called "Megan's Law," the federal law directing such notification was enacted in 1996 after the slaying of Megan Kanka, a seven-year-old New Jersey girl, by a neighbor who had been released after serving time for sex offenses.
The federal appellate court determined that the Alaska law, permitting inclusion of names, addresses, descriptions, and other private information in a sex offender registry to be posted on the Internet, violated the ex post facto clause of the Constitution because the information included in the registry was too broad and the methods of gathering that information were extremely burdensome. Most importantly, the appeals court found that the intent of protecting those in the geographical area from individuals required to register was not furthered by allowing people all over the world to access the personal data included in the registry.
EPIC's amicus brief focuses on the effect of Internet dissemination of stigmatizing information collected by the government. EPIC argues that the government has a duty to impose safeguards and limitations upon its dissemination of private, stigmatizing information that it collects, especially when such information would otherwise be effectively unavailable but is made readily accessible worldwide through government action.
EPIC's resource page with background information on the case:
http://www.epic.org/privacy/godfrey/
EPIC's amicus brief is available at:
http://www.epic.org/privacy/otte_v_doe/godfrey_amicus.pdf
[5] EPIC Argues Police Must Be Present for Online Search
On July 26, EPIC filed an amicus brief in the Eighth Circuit arguing that police officer presence is required during the service of a warrant on an ISP. EPIC argues that the service of a search warrant by fax machine doesn't adequately safeguard the Fourth Amendment guarantee of a "reasonable" search. EPIC's brief details the history of U.S. search and seizure law, which has mandated officer presence at the service of a warrant since the 1700s.
The case arose in October 2000, when police officers in Minnesota began investigating Dale Robert Bach for potential child pornography crimes. As part of the investigation, an officer obtained a search warrant to be served upon Yahoo, an Internet service provider in California. Minnesota requires that an officer be present at the service of a search warrant. However, rather than adhering to the requirements provided by Minnesota law, the officer investigating Bach served the search warrant on Yahoo by fax. Upon receiving the fax, Yahoo employees retrieved all data from Bach's account, including deleted email messages. Yahoo then mailed the disk to Minnesota, where the data became evidence in Bach's federal criminal trial.
At trial, Bach moved to have the evidence suppressed, citing violations of the Minnesota statute as well as a federal statute. The district court held that the evidence should be suppressed as the search was illegal under both federal and state laws. EPIC's brief urges the appellate court to uphold this ruling, because officer presence is a historical and crucial procedural safeguard guaranteeing Fourth Amendment protections.
There are more than 140 million Internet users in the United States; thus, the court's resolution of this case could potentially affect the privacy interests of millions of citizens.
EPIC's Bach Page:
http://www.epic.org/privacy/bach/
EPIC's amicus brief is available at:
http://www.epic.org/privacy/bach/brief.pdf
[6] Eli Lilly Settles With States; NTIA to Hold ENUM Forum
New York and seven other states have settled an investigation of pharmaceutical company Eli Lilly, which accidentally disclosed over 600 personally-identifiable e-mail addresses of individuals who signed up for an online messaging service. The messaging service sent subscribers a daily reminder to take Prozac, a prescription anti-depressant. In July 2001, the ACLU alerted federal authorities to the privacy violation.
Under the settlement agreement, the company agreed to improve internal information security standards. The company will issue information security reports, and undergo independent compliance reviews. The company also paid $160,000 to the eight states for attorney fees and investigative costs. In January 2002, Eli Lilly settled a federal investigation of the same matter, but was not required to pay monetary damages. Individuals who were harmed by the disclosure may still bring suit against the company.
The Department of Commerce's National Telecommunications Information Agency (NTIA) will hold a roundtable on Electronic Numbering (ENUM) on August 14, 2002. ENUM is a technology that enables a user to store contact information that can be accessed by another person through the use of a single number. For instance, a person could store fax, voice, and voicemail numbers, as well as e-mail and home addresses, all in a single ENUM account. By using the ENUM associated with the account, another person could access all the personal contact information contained within that account.
ENUM may become a widely-used technology to facilitate convenient communications. However, its privacy implications have not been adequately addressed. The ENUM database would be public and searchable by anyone. It is likely that marketers, spammers, and malicious actors will mine the database for personal contact information. Since there are no statutory protections in place regulating the use of ENUM contact information, marketers and spammers may use the contact information for junk mail, unsolicited commercial e-mail, and other forms of commercial solicitations.
Lilly's Multi-State Settlement Agreement:
http://www.epic.org/privacy/medical/lillyagreement.pdf
The ACLU's Complaint:
http://www.aclu.org/news/2001/n070501b.html
EPIC's ENUM resource page:
http://www.epic.org/privacy/enum/
NTIA ENUM Public Meeting Notice:
http://www.epic.org/redirect/ntia_redirect.html
[7] EPIC Bookstore - Trust Us, We're Experts
Trust Us, We're Experts: How Industry Manipulates Science and Gambles With Your Future, by Sheldon Rampton and John Stauber (Putnam 2001).
http://www.epic.org/bookstore/powells/redirect/alert915.html
At a recent Federal Trade Commission (FTC) workshop on telemarketing, Jim Miller, former FTC Chairman and now Washington lobbyist, presented a study showing that predictive dialers, the systems that allow telemarketers to phone many persons at the same time, should not be eliminated because they lower costs for consumers. Miller's report, sponsored by the "Consumer Choice Coalition," glossed over objections to predictive dialers, which result in hang-up calls to phone subscribers. While calculating in detail the costs of new telemarketing regulations to industry, Miller did not attempt to account for the lost time and frustration caused by predictive dialers. A little digging shows that no consumers seem to be members of the Consumer Choice Coalition -- rather, it is a "cross-industry coalition of companies and associations."
In "Trust Us, We're Experts," Sheldon Rampton and John Stauber's second book on the public relations (PR) industry, the reader is warned about the role that Miller and other experts play in the public policy process. These experts, supported by massive funding from industry, formulate clever studies that ward off regulators and legislators. In some cases, these experts even endanger the public.
The authors illustrate a formula for industry advocacy. First, experts are acquired to present the appearance of neutral, third-party support. Third-party advocacy is well-recognized as a force for creating credibility, and in fact, it is the first guideline in a developing field called "persuasive computing," which seeks to develop computer interfaces that alter individuals' behavior. Second, industry groups grow "astroturf" -- that is, fake grassroots support for their position. This usually takes the form of letters to newspapers and legislators from concerned citizens who are quietly remunerated for their support. Third, well-organized PR firms send out pre-written news stories that are republished by busy journalists, sometimes in full as original news.
PR techniques are also used to distract the public from public health hazards. A typical approach is to deny that the hazard exists at all. But when denial is no longer tenable, PR experts advise companies to blame the problem on other hazards, or on the victim himself. When blame can no longer be assigned, they claim that assigning responsibility to the company will result in lost jobs or bankruptcy.
While these approaches sound simple and predictable, they have been effective in duping the public repeatedly. The authors illustrate how they successfully delayed or stopped regulations to protect individuals from known toxins, including asbestos, tobacco, vinyl chloride, and conditions such as silicosis. They were even effective in stalling the removal of lead from gasoline, despite the fact that lead has been a known toxin for centuries.
The book is full of surprises, including a description of a software program called "Outrage" that helps companies manage potential PR problems. The software advises companies to "deflect, defer, dismiss, or defeat" negative attention, depending on the situation. Companies can even purchase "crisis management" consulting packages to ward off negative media attention.
The authors do present solutions to lessen the impact of industry experts on public policy. One important practice, which was recently adopted by the prestigious New England Journal of Medicine, is to refuse to publish any study where the sponsor has the right to pre-publication review and veto -- in essence, the ability to withhold unfavorable results from public view. The authors also suggest that research from other countries be relied upon to evaluate public policy. Researchers in other countries sometimes have exposed industrial hazards decades before American experts. But, most importantly, the authors urge us to question authority. Collectively, whether the issue is privacy, pesticides, or global warming, we need to pay more attention to the man behind the curtain.
- Chris Hoofnagle
EPIC Publications:
"Privacy & Human Rights 2001: An International Survey of Privacy Laws and Developments," (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/phr2001/
This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.
"The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001). Price: $40.
http://www.epic.org/bookstore/pls2001/
The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/
The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.
"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore/
"EPIC Bookshelf" at Powell's Books http://www.powells.com/features/epic/epic.html
[8] Upcoming Conferences and Events
IT and Law. University of Geneva, University of Bern, Swiss Association of IT and Law. September 9-10, 2002. Geneva, Switzerland.
For more information: http://www.informatiquejuridique.ch/
ILPF Conference 2002: Security v. Privacy. Internet Law & Policy Forum. September 17-19, 2002. Seattle, WA. For more information:
http://www.ilpf.org/conference2002/
Privacy2002: Information, Security & New Global Realities. Technology Policy Group. September 24-26, 2002. Cleveland, OH. For more information:
http://www.privacy2000.org/privacy2002/
Privacy in Ubicomp 2002: Workshop on Socially-informed Design of Privacy-enhancing Solutions in Ubiquitous Computing. Held as part of UBICOMP 2002. September 29, 2002. Goeteborg, Sweden. For more information: http://guir.berkeley.edu/privacyworkshop2002/
Shrinking World, Expanding Net. Computer Professionals for Social Responsibility (CPSR). October 5, 2002. Cambridge, MA. For more information:
http://www.cpsr.org/conferences/annmtg02/
Bridging the Digital Divide: Challenge and Opportunities. 3rd World Summit on Internet and Multimedia. October 8-11, 2002. Montreux, Switzerland. For more information: http://www.internetworldsummit.org/
2002 WSEAS International Conference on Information Security (ICIS'02). World Scientific and Engineering Academy and Society. October 14-17, 2002. Rio de Janeiro, Brazil. For more information:
http://www.wseas.org/conferences/2002/brazil/icis/
IAPO Privacy & Security Conference. International Association of Privacy Officers. October 16-18, 2002. Chicago, IL. For more information:
http://www.privacyassociation.org/html/conferences.html
Privacy Trends: Complying With New Demands. Riley Information Services Inc. and the Commonwealth Centre for Electronic Governance. October 22, 2002. Ottawa, Canada. For more information:
http://www.rileyis.com/seminars/
3rd Annual Privacy and Security Workshop: Privacy & Security: Totally Committed. Centre for Applied Cryptographic Research, University of Waterloo and the Information and Privacy Commissioner/Ontario. University of Toronto. November 7-8, 2002. Toronto, Canada. For more information: http://www.epic.org/redirect/cacr.html
First Hawaii Biometrics Conference. Windward Community College, Pacific Center for Advanced Technology Training (PCATT). November 10-13, 2002. Waikiki, HI. For more information:
http://biometrics.wcc.hawaii.edu/
Transformations in Politics, Culture and Society. Inter-Disciplinary.Net. December 6-8, 2002. Brussels, Belgium. For more information: http://www.inter-disciplinary.net/tpcs1.htm
18th Annual Computer Security Applications Conference (ACSAC):
Practical Solutions to Real Security Problems. Applied Computer Security Associates. December 9-13, 2002. Las Vegas, NV. For more information:
http://www.acsac.org/
Third Annual Privacy Summit. International Association of Privacy Officers. February 26-28, 2003. Washington, DC. For more information:
http://www.privacyassociation.org/html/conferences.html
CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy. Association for Computing Machinery (ACM). April 1-4, 2003. New York, NY. For more information: http://www.cfp.org/
Subscription Information
Subscribe/unsubscribe via Web interface:
http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news
Subscribe/unsubscribe via email:
To: epic_news-request@mailman.epic.org
Subject line: "subscribe" or "unsubscribe" (no quotes)
Help with subscribing/unsubscribing:
To: epic_news-request@mailman.epic.org
Subject: "help" (no quotes)
Back issues are available at:
http://www.epic.org/alert/
The EPIC Alert displays best in a fixed-width font, such as Courier.
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription email address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.
About EPIC
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:
http://www.epic.org/donate/
Drink coffee, support civil liberties, get a tax deduction, and learn Latin at the same time! Receive a free epic.org "sed quis custodiet ipsos custodes?" coffee mug with donation of $75 or more.
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.
END EPIC Alert 9.15
URL: http://www.worldlii.org/int/journals/EPICAlert/2002/15.html