
EPIC Alert


EPIC Alert 10.02 [2003] EPICAlert 2


Volume 10.02 January 31, 2003

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] European Commission Orders Microsoft to Modify Passport
[2] Critical Hill Action Pending on "Total Information Awareness"

[3] Opposition to Data Retention Grows in Europe
[4] Public Voice Conference at OECD-APEC Forum on the Digital Economy
[5] FTC, New York Attorney General Take Action to Protect Privacy
[6] Privacy International Seeks Nominations for Big Brother Awards
[7] EPIC Bookstore: The GigaLaw Guide to Internet Law
[8] Upcoming Conferences and Events

[1] European Commission Orders Microsoft to Modify Passport

European governments, seeking to protect the privacy rights of computer users in the European Union, have required Microsoft to modify Passport, an online authentication system that identifies Internet users and enables the transfer of personal information between various Web sites around the world. The European Union Working Party on Data Protection ("WP29") issued a Report that found Microsoft's Passport system violated several EU data protection rules. The WP29 Report requires Microsoft to better inform users of their privacy rights under European laws and more fairly collect and process their personal data. The Report also requires Microsoft to make it easier for Passport users to know what personal information Microsoft and its Passport affiliates collect about them, and to allow users to restrict the use and sharing of that information for commercial and marketing purposes.

The WP29 Report also gives users the right to indicate on a site-by-site basis which personal information they wish to disclose. Pursuant to the Report, Microsoft has to make substantial changes to Passport. The Report also discusses competing online authentication systems, such as the Liberty Alliance Project, without mandating specific changes at this point. The WP29 will continue monitoring future developments in those authentication services and companies developing them will need to follow its guidelines. European Commissioner Bolkestein said that companies will need to follow the Working Party Guidelines for all future services.

The outcome in Europe comes almost a year and a half after EPIC and a coalition of consumer and privacy organizations initiated a complaint against Microsoft at the Federal Trade Commission in July 2001, alleging that Passport violated Section 5 of the Federal Trade Commission Act and constituted an "unfair and deceptive trade practice." The FTC found that Microsoft had in fact made false representations concerning Passport and associated services. The FTC said that Microsoft must establish a comprehensive information security program for Passport, and that it must not misrepresent its practices of information collection and usage. Microsoft agreed to comply with the FTC order, as well as to undergo independent audits every two years for the next 20 years to ensure compliance.

In March 2002, an EC member submitted questions to the Commission raising many of the same issues included in EPIC complaints to the FTC and questioned Passport's impact on European consumers' privacy. The European Commission subsequently promised to look into this issue as a matter of priority. During its discussions with the Commission, Microsoft had reportedly alleged that its service always complied with European privacy laws because it gave European users the right to change or delete any personally identifiable information about them. The WP29's Report now makes it clear that substantial changes are required in Passport before the system can be considered in compliance with European laws.

The Commission's decision has an impact on the online privacy of more than 250 million Passport users, most of them based in the US, since Passport does not discriminate between the nationality of its users. The WP29 Report also urges the development of anonymous and pseudonymous authentication systems and recommends the development of systems that minimize the amount of personal information collected and limit the use to that which is necessary. Additionally, the Report emphasizes that users should be given full control over decisions affecting the use of their personal data for profiling purposes, and mandates that transfers of personal information to third countries be adequately protected pursuant to European privacy rules.

WP 29's Working Document on on-line authentication services (WP 68) (January 29, 2003) (PDF):

European Commission press release (Jan. 30, 2003):

Press release by the Article 29 working party (Jan. 29, 2003):

European Union data protection rules:

FTC Consent Order, In the Matter of Microsoft Corporation, File No.

Rotenberg, ed., The Privacy Law Sourcebook (EPIC 2002) (includes the EU Data Protection Directive and the initial WP29 report on authentication services):

EPIC's Microsoft Passport Investigation Docket:

[2] Critical Hill Action Pending on "Total Information Awareness"

The short-term fate of the controversial Total Information Awareness (TIA) program is likely to be decided within the next two weeks. A coalition of Senators on January 23 attached an amendment to the omnibus spending bill that would limit the TIA system. Senators Ron Wyden (D-OR), Dianne Feinstein (D-CA), Jon Corzine (D-NJ), Harry Reid (D-NV), and Barbara Boxer (D-CA) sponsored the measure, which is known as Amendment 59. Sen. Charles Grassley (R-IA) had offered a similar amendment and supported inclusion of the Wyden amendment in the spending package. The amendment will now be the subject of negotiations in a conference between the Senate and the House on the omnibus spending bill.

Under Amendment 59, funding for development of TIA will end 60 days after the passage of the omnibus spending bill, unless the intelligence community submits a detailed report to Congress on the privacy and civil liberties implications of the system. However, exceptions in the amendment would allow President Bush to approve continued funding for TIA if he determines that issuing the report is impracticable and that a cessation of TIA research would endanger national security. The amendment further requires Congressional authorization before TIA is actually deployed by any agency. The amendment would allow TIA to be deployed only for military purposes outside the United States and for foreign intelligence activities conducted against non-citizens or wholly outside the country.

Individuals wishing to support the TIA moratorium should immediately contact the omnibus spending bill conferees in the House of Representatives and the Senate (see link below).

Senate Amendment 59:

H. J. Res. 2, Omnibus Appropriations Bill:

List of House and Senate Conferees:

EPIC Total Information Awareness page:

[3] Opposition to Data Retention Grows in Europe

A multi-party coalition of 38 European Parliament members has recommended that the European Council and some Member States abandon their plans to monitor and retain data on people's private communications. Condemning the practice of data retention as a violation of the European Convention on Human Rights, its case law, and the EU Data Protection Directive, the group argued for alternative solutions to fight crime and urged the adoption of stricter limits on the storage and use of communications for law enforcement. As an example of less privacy-invasive measures, the coalition argued that preservation of data on a case-by-case basis would be more suitable to achieve the objectives pursued by police and security agencies.

Concurrently, in Great Britain, a parliamentary committee has rejected the government's current data retention proposal, in which it had planned to retain private communications data for up to a year. The All Party Internet Group ("APIG"), a parliamentary inquiry panel, examined the Home Office's data retention scheme, which is part of the Anti-Terrorism Crime & Security Act 2001 ("ATCS"). They concluded that the government's proposals were impractical, the cost of retention had been underestimated, and the concept of data retention appeared to be violating the UK Human Rights Act, which incorporates the European Convention on Human Rights into English Law. They also showed that the industry was not willing or able to comply with mandatory data retention requirements, and recommended that the Home Office negotiate with industry players a "targeted data preservation" scheme instead, as a more viable option. In reaction to the report, the UK government denied some of its findings, rejected the idea of data preservation as the most adequate solution to fight crime, and promised to establish a better dialogue with industry, without mentioning how it would address civil liberties issues. The Home Office nevertheless made clear that if industry actors could not agree on a voluntary code of practice on data retention, the government would go forward with the planned retention.

The crucial issue in the current debate on electronic surveillance of communications data under the new EU Directive on Privacy and Electronic Communications (2002/58/EC) is whether law enforcement authorities can justifiably claim that the retention of all people's private communications data for long periods and in a systematic fashion is necessary to fight crime and terrorism. The "communications data" referred to in the European context are all traffic and location data held by Internet service providers and landline and mobile telephone companies about their customers. This includes people's browsing patterns, phone and e-mail details (geographic location of mobile phone users, call time and duration, number dialed, callers' and recipients' names, e-mail addresses), chatroom user IDs, credit cards, etc. The European Council is currently working on a framework decision that could make the principle of data retention -- which can be defined as the systematic and mandatory storage of large categories of traffic and location data for a specified period -- compulsory for all EU Member States; however, data preservation -- the storage of specific data related to a particular criminal investigation of a specified individual for a specified period of time, accessed pursuant to legal and constitutional safeguards and subject to judicial review -- is favored in most countries.

For more information and news items about data retention, see EPIC's Data Retention page:

All Party Internet Group report:

[4] Public Voice Conference at OECD-APEC Forum on the Digital Economy

The Public Voice Coalition held a conference in conjunction with the joint OECD-APEC Forum on the Future of the Digital Economy from January 14-17 in Honolulu, Hawaii. The Public Voice provides the opportunity for civil society organizations to participate in international policymaking forums that might otherwise be limited to business and government. Attendees included representatives from the Association for Computing Machinery (ACM), Consumers International, the Electronic Privacy Information Center (EPIC), the Federal Trade Commission, the National Consumers League, the Office of Consumer Protection in Hawaii, the Organization for Economic Cooperation and Development (OECD), and the Trade Union Advisory Council (TUAC), as well as experts in technology, security, and Internet law and policy.

Public Voice participants addressed two topics under consideration by the OECD and the Asia Pacific Economic Cooperation forum (APEC): Security and Trust in Ecommerce, and Inclusion and Participation in the Information Society. The latter was also the subject of a WSIS (World Summit on the Information Society) preparatory meeting held on January 17, immediately after the OECD-APEC forum.

An important theme that emerged from the conference was that policymakers should focus more on serving the needs of end users of Information and Communications Technologies (ICTs). The digital marketplace is a demand-driven economy; therefore, in order for commerce to thrive, policy frameworks must provide an environment that fosters trust and security for consumers. Governments also have great potential to use ICTs to provide various services to their citizens, including e-government, e-learning and e-health; however, the government must be more responsive to citizens' needs, and should address the concerns of the public in the design of any such framework.

Participants made several specific recommendations to the OECD and APEC. Key recommendations included the following: (1) While good consumer, privacy and security guidelines are vital, policymakers must also focus their attention on the challenges of implementation, including building effective cross-border and internal enforcement mechanisms; (2) Privacy and security guidelines need to be applied to the databases and record systems established by government. Too often the protection of privacy is misconceived as a national security risk. In fact, given the vulnerability of citizens and the continued weakness of many security systems, the lack of privacy is quickly becoming the real national security risk; (3) As the profile of ICT users rapidly moves away from technologically savvy users, there is a growing need for governments to provide simple, clear regulations that protect users and educate them about their rights; (4) There is a pressing need to develop online rights for online workers to protect workers' rights to organize and communicate in the electronic workplace; (5) Governments must bring more technical expertise to the decision making process when considering emerging technologies. Recent developments concerning copyright protection, electronic voting, and the proposal for "Total Information Awareness" lack adequate input from the technical community and often result in counterproductive or misguided proposals; and (6) While promoting inclusion and participation in the information society, it is important to provide more than access. Governments should focus on reducing the barriers to enable actual participation in the use and development of the Internet; this might include expanding the public domain and allowing new ICTs such as Wi-Fi networks to freely develop.

The Public Voice will continue working closely with the OECD and now with APEC to bring civil society voices to international decision making forums.

For reports, presentations, and background information, visit:

More information about Public Voice events and activities can be found at:

[5] FTC, New York Attorney General Take Action to Protect Privacy

The Federal Trade Commission (FTC) and New York Attorney General (NYAG) have both taken actions that will improve privacy protections nationwide. The FTC and the NYAG have settled actions into the business practices of student marketers. In a separate case, the NYAG recently settled a lawsuit against a spam company. Additionally, the FTC has issued a report on consumer protection that shows that identity theft is a major threat to consumers.

Both the FTC and NYAG have recently completed actions against Student Marketing Group (SMG), a company that collected information from students for marketing purposes under the pretense of college financial aid assistance. Through teachers, SMG distributed surveys to students that collected personal information, and then sold that information to credit card, student loan, cosmetics, magazine, and clothing companies. These settlements demonstrate that data collectors who mislead individuals by not fully disclosing secondary uses of personal information will run afoul of consumer protection law.

In a separate action, the NYAG obtained a court order enjoining MonsterHut, a now-defunct e-mail marketing company, from falsely representing that individuals consented to receiving its spam. As a result of this order, list purchasers are likely to require e-mail address sellers to guarantee that individuals' information was obtained with proper consent. A February hearing will determine whether MonsterHut will be subject to restitution and civil penalties.

Finally, the FTC has released its annual report about identity theft and the top ten fraud complaint categories reported by consumers. Identity theft topped the list -- continuing the trend for a third year -- constituting 43 percent of complaints in the FTC's "Consumer Sentinel" complaint database. The number of reported identity theft complaints increased from 31,117 in 2000 to 86,198 in 2001, and surged to 161,819 in 2002.

FTC Consumer Alert on Student "Surveys:"

FTC Student Marketing Group Settlement:

NYAG Student Marketing Group Settlement:

EPIC Student Privacy Page:

NYAG MonsterHut Settlement:

FTC Report on National and State Trends in Identity Theft

EPIC Fair Credit Reporting Act Page:

[6] Privacy International Seeks Nominations for Big Brother Awards

In April 2003, Privacy International (PI) will hold the fifth U.S. "Big Brother Awards" to name and shame the public and private sector individuals and organizations that have done the most to invade personal privacy in the United States in the past year.

Three distinctive "Orwell" statues of a golden boot stomping a head will be presented to the government agencies and officials, companies and initiatives that have done the most to invade personal privacy in the previous year. The "Admiral John M. Poindexter Lifetime Menace" award will also be presented to an organization that has systematically invaded privacy over a long period of time. Previous "winners" include the Federal Bureau of Investigation, the National Security Agency, DoubleClick, ChoicePoint, Trans Union, Oracle, the FAA's BodyScan system, the Department of Commerce and Microsoft.

"Brandeis" awards will also be given out to champions of privacy. The Brandeis Award is named after U.S. Supreme Court Justice Louis Brandeis, who is considered the father of American privacy law, describing privacy as "the right most valued by civilized" persons. The awards are given to those who have done exemplary work to protect and enhance privacy. Previous winners include Phil Zimmermann, creator of PGP; Beth Givens, founder of the Privacy Rights Clearinghouse; and Robert Ellis Smith, editor of the Privacy Journal.

The judging panel, consisting of lawyers, academics, consultants, journalists and civil rights activists, is currently inviting nominations from members of the public. Nominations can be submitted via the PI Web site. Privacy International will post the most popular current nominations on its site.

The U.S. Big Brother Awards are now in their fifth year. There have also been ceremonies in the UK, Germany, Austria, Belgium, Bulgaria, Finland, Spain, Switzerland, Hungary, France, Denmark and the Netherlands. The initiator of the awards, Privacy International, was founded in 1990, and campaigns on a wide range of privacy issues around the world. Substantial support for the Awards is made through the Public Voice Campaign.

The ceremony will be held at the New Yorker Hotel in New York City at the 13th Annual Conference on Computers, Freedom and Privacy.

Privacy International Big Brother Awards Page:

Conference on Computers, Freedom, and Privacy:

The Public Voice:

[7] EPIC Bookstore: The GigaLaw Guide to Internet Law

The GigaLaw Guide to Internet Law, by Doug Isenberg (Random House 2002).

In this comprehensive guide, Isenberg succinctly covers every aspect of Internet law -- from intellectual property, free speech, and privacy to contract and employment law -- in a concise and non-"legalese" style. His coverage provides the reader with realistic and business-oriented solutions to the most common problems relating to conducting online business in America, and is especially aimed at policy makers, researchers, company lawyers and decision-makers. Although the book is not particularly consumer-oriented, it offers a good outline of current privacy issues and raises the average reader's awareness on some of today's most important privacy risks when surfing or expressing oneself on the Internet.

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"Privacy & Human Rights 2002: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, video surveillance, location tracking, ID systems and freedom of information laws.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

O'Reilly Bioinformatics Technology Conference. February 3-6, 2003. San Diego, CA. For more information:

10th Annual Network and Distributed System Security Symposium. The Internet Society. February 5-7, 2003. San Diego, CA. For more information:

Civil Liberties in the Information Age. Potomac Institute. February 6, 2003. Washington, DC. For more information, contact Dan Dayton at 703-562-4511.

Politics of Code: Shaping the Future of the Next Internet. Oxford University Programme in Comparative Media Law and Policy. February 6, 2003. Oxford, England. For more information:

Call for Proposals: February 15, 2003. O'Reilly Open Source Convention. July 7-11, 2003. Portland, OR. For more information:

Third Annual Privacy & Data Security Summit: Implementing & Managing Privacy in a Complex Environment. International Association of Privacy Professionals. February 26-28, 2003. Washington, DC. For more information:

Quality Labels for Web Sites: Alternative Approaches to Content Rating. Programme in Comparative Media Law and Policy (PCMLP), Oxford University. February 27, 2003. Kirchberg, Luxembourg. For more information:

The Law and Technology of DRM: What will DRM technologies mean for the future of information? University of California, Berkeley, School of Information Management and Systems and Boalt Hall School of Law. February 27 - March 1, 2003. Berkeley, CA. For more information:

Legal and Pedagogical Aspects of a Safer Internet. Safer Internet For Knowing and Living (SIFKaL). February 28, 2003. Kirchberg, Luxembourg. For more information:

Spectrum Policy: Property or Commons? Stanford Law School Center for Internet and Society. March 1, 2003. For more information:

P&AB's Privacy Practitioners' Workshop and Ninth Annual National Conference. Privacy & American Business. March 12-14, 2003. Washington, DC. For more information:

Big Brother Technologies. A Choices and Challenges Forum. Center for Interdisciplinary Studies, Virginia Polytechnic Institute and State University. March 27, 2003. Blacksburg, VA. For more information:

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy. Association for Computing Machinery (ACM). April 1-4, 2003. New York, NY. For more information:

28th Annual AAAS Colloquium on Science and Technology Policy. American Association for the Advancement of Science. April 10-11, 2003. Washington, DC. For more information:

Integrating Government With New Technologies '03: E-Government, Change and Information Democracy. Riley Information Services. April 11, 2003. Ottawa, Canada. For more information:

RSA Conference 2003. RSA Security. April 13-17, 2003. San Francisco, CA. For more information:

O'Reilly Emerging Technology Conference. April 22-25, 2003. Santa Clara, CA. For more information:

Privacy2003. Technology Policy Group. September 30 - October 2, 2003. Columbus, OH. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via e-mail:

Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

Subject: "help" (no quotes)

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information". Please contact if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail, or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learn Latin at the same time! Receive a free "sed quis custodiet ipsos custodes?" coffee mug with donation of $75 or more.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 10.02

