============================================================= @@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @@@@@ @ @@@ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @ ============================================================= Volume 2.13 October 30, 1995 ------------------------------------------------------------- Published by the Electronic Privacy Information Center (EPIC) Washington, DC info@epic.org http://www.epic.org/ ======================================================================= Table of Contents ======================================================================= [1] Special: House Rejects Funding of FBI Wiretap Bill [2] Bennett Bill Raises Privacy Concerns [3] Designing a Good Medical Privacy Bill [4] British Doctors Boycott Medical Network [5] Mondex: Not So Private After All [6] USA Today Opts for Opt-In [7] Medical Privacy Resources On-line [8] Upcoming Conferences and Events ======================================================================= [1] Special: House Rejects Funding of FBI Wiretap bill ======================================================================= The House of Representatives on October 25 rejected an attempt to include language in the Omnibus Budget Bill to fund last year's controversial Communications Assistance for Law Enforcement Act. The provision would have authorized the establishment of a $500 million fund generated by a 40% surcharge on all non-civil fines imposed by the federal government. (See EPIC Alert 2.12[3] "Status of Wiretap Funding") The fund would have been be used to pay telecommunications companies to redesign their networks to facilitate wiretapping. That cost is estimated to run above $2 billion. This is simply round one in what is expected to be a long battle between Congress and the White House over the federal budget. President Clinton will probably veto the measure that emerges from Congress. At that point, another budget proposal will be introduced. Funding provisions for the FBI wiretap plan are also contained in the terrorism bills and appropriations bills . EPIC, VTW, the US Privacy Council, the ACLU, EFF and other civil liberties organizations have opposed funding of the controversial measure. More information is available at: http://www.epic.org/privacy/wiretap/ ======================================================================= [2] Bennett Bill Raises Privacy Concerns ======================================================================= The introduction of S. 1360, the Medical Records Confidentiality Act of 1995, last week sparked concern among privacy and medical organizations, with several groups saying that they will actively oppose the measure. The Coalition for Patients Rights of New England said the bill "abandons the central premise that the patient has a basic right to confidentiality and controls that right through specific informed consent." The ACLU of Massachusetts also expressed opposition to the Bennett bill. The group said, "This bill preempts most State confidentiality statutes, and related common law, the body of law which has effectively provided legal remedies for violations of confidentiality in the past." Finally the Justice Research Institute joined the ranks, charging that "This bill is particularly dangerous to those individuals living with HIV/AIDS." Hearings on the measure are expected some time later this year. ======================================================================= [3] Principles for Federal Privacy Protection of Medical Records ======================================================================= With interest in Washington about the development of real privacy protection for medical records, here are preliminary suggestions from EPIC for a good medical privacy bill. Your comments are always welcome. Please send email to alert@epic.org. >> Scope Legislation must cover all medical information, wherever it is collected, stored, processed, transferred or used, no matter the form. Legal coverage should not be limited to only medical information collected in the provision of health care but should include information collected for financial, educational, employment, marketing, and other reasons. >> Consumer Access Consumers should have full access to all personally identifiable medical records. No records should be kept secret. Record keepers should be required to notify patients that they maintain records. Consumers should have the ability to correct or remove any inaccurate, irrelevant or out- of-date information. Any card-based data system must allow consumer access to all personal information contained on the card. >> Enforcement and Oversight Substantial criminal and civil fines should be imposed for actual or attempted unauthorized access, disclosure, or use of medical information. Individuals should be able to enforce rights and obtain damages and related costs in civil court. An independent agency should be created to conduct oversight and enforce the provisions of any federal medical privacy law. >> Third Party Access Third party access to medical records should be strictly limited to a need-to-know basis. Law enforcement officials should be required to obtain a warrant after showing a compelling government interest for each piece of information sought. Civil litigants should have to show a compelling interest for each piece of information. Privileged communications should never be disclosed. Use of medical information by employers or for marketing purposes should be prohibited. >> National Databases The creation of electronic databases of unified clinical records without the consent of the patient should be prohibited. Psychiatric records should not be included in any system of electronic records. >> Research Records Use of personally identifiable information for research purposes should require consent from the individual. New technologies that create pseudo-anonymous records should be used for any personally identifiable information. Research records should not be used for any other purpose and should be protected from disclosure by warrant or subpoena. >> Security Medical information should be protected by the best available physical and electronic security. Records in storage or transit should be encrypted. Audit trails should track each access to an individuals file. Access should be limited to data relevant to the matter at hand. >> Identification Number The Social Security Number should not be used as a patient record identifier. The number that is used for record identification should not be used for any other purpose. Any health care card issued should not be used for any other purpose, particularly not for determination of employment eligibility or for personal identification >> Preemption A federal medical privacy law should set a minimum level of protection for medical record privacy. States should be provide to higher levels of protection given. No state statute should be preempted. ======================================================================= [4] British Doctors Boycott Medical Network ======================================================================= The British Medical Association has urged its members to boycott the National Health Service's nationwide computer network of medical information. The BMA has been critical of the network for a number of reasons but finally came out publicly against it after it was revealed that the Government Communications Headquarters (GCHQ), the British spy agency in charge of electronic surveillance, had pressured the NHS to omit encryption from the design of its networks. According to newspaper reports, the NHS had intended to include encryption as an integral part of their system but was overridden when the UK Government's Joint Intelligence Committee was informed of the decision. The BMA is urging all its doctors to refrain from sending information to the network until adequate security is provided. The BMA believes that use of the data network violates a doctor's duty of care to patient confidentiality and could subject doctors professional sanctions. Privacy International is also urging patients to request that their practitioners not put information on the system. In the United States, the intelligence agencies pushed the use of the Clipper Chip for the security of the medical networks set up under health care reform bill and currently are pushing the Fortezza card for a variety of government agency uses. ======================================================================= [5] Mondex: Not So Private After All ======================================================================= A British agency in charge of consumer protection has begun a formal investigation of Mondex, a company that offers smart card-based payment systems, for allegedly falsely advertising that transactions under its system were anonymous. In promotional materials, Mondex had claimed that the transactions were "just like cash." In reality, each card used in the system has a 16 digit identifying number which is captured by the merchant and transmitted to the bank each day. The merchants readers can retain up to 500 records at one time. Mondex's Swindon manager admitted in Network Week, a trade publication, that "we can certainly trace where cards have been used." The case is being eagerly watched worldwide by banks because of its implications on the use of the term "digital cash" will have Europe wide effect. The investigation began after Simon Davies, a Law Fellow at the University of Essex and Director General of Privacy International, filed a complaint. A copy of the letter is available at the Privacy International Web page at: http://www.privacy.org/pi/activities/mondex/complaint.txt ======================================================================= [6] USA Today Opts for Opt-In ======================================================================= USA Today last week editorialized in favor of the "opt-in" approach to the use of personal information, saying that businesses would "then need the customer's permission before any personal data were rented, sold, or exchanged for direct marketing purposes." (October 24, 1995) The paper said, "opt-in does not trample on anyone's rights. Consumers can still get their catalogs and other direct-mail pitches by checking a box or clicking a mouse. Companies can still get data for marketing by asking for it. It would cause some inconvenience for businesses, which face increased costs to persuade customers to give up their privacy. But who should bear the burden: the businesses that glean the profit or the consumers whose information is sold?" USA Today also faults the voluntary approach recommended by the Department of Commerce last Monday, saying that "while voluntary compliance might be preferable in an ideal world, it's not likely to work in the real world." "The reality is that the absence of government prodding has resulted in too many companies doing too little to protect consumers' privacy rights." USA Today concludes "If a business wants the privilege of marketing your most private matters, it should be willing to spend the time it takes to convince you that you'll benefit." Perhaps the USA Today position is not surprising. A 1991 Time/CNN poll found that when American adults were asked "should companies that sell information to others should be required by law to ask permission from individuals before making the information available," 93% said "yes." Meanwhile, the Avrahami case (involving the sale of an individual's name for marketing purposes) goes forward with growing public interest. Mr. Avrahami appeared last week on CNN and National Public Radio as favorable articles appeared in newspapers across the country. US News & World Report must be concerned -- it has hired one of Washington's largest law firms to defend the magazine. For current information on the Avrahami case, check out: http://www.epic.org/privacy/junk_mail/ ======================================================================= [7] Medical Privacy Resources On-line ======================================================================= EPIC has put together a comprehensive page on medical privacy issues, including hot topics (federal legislation, Supreme court cases, public polls), background on medical privacy laws, consumer advice, and general resources. Also included is the letter sent to Hillary Clinton in April 1993 by leading privacy advocates, computer scientists, and policy experts recommending that the Social Security Number not be used as a patient record identifier. http://www.epic.org/privacy/medical/ ======================================================================= [8] Upcoming Privacy Related Conferences and Events ======================================================================= SPECIAL: EPIC's Dave Banisar will discuss the current status of funding for the FBI wiretap bill this week on NPR's Morning Edition. Check out http://www.epic.org/privacy/wiretap/) Managing the Privacy Revolution. October 31 - November 1, 1995. Washington, DC. Sponsored by Privacy & American Business. Speakers include Mike Nelson (White House) C.B. Rogers (Equifax). Contact Alan Westin 201/996-1154. Innovation and the Information Environment. November 3-4. University of Oregon School of Law in Eugene, Oregon. Contact: Keith Aoki KAOKI@law.uoregon.edu. National Privacy and Public Policy Symposium. November 2-4., Hartford, Cosponsored by the Connecticut Foundation for Open Government. Contact Richard Akeroyd, rakeroyd@csunet.ctsateu.edu 203/566-4301 (tel), 203/566-8940 (fax) 22nd Annual Computer Security Conference and Exhibition. November 6-8, Washington, DC. Sponsored by the Computer Security Institute. Contact: 415-905-2626. Global Security and Global Competitiveness: Open Source Solutions. November 7-9. Washington, D.C. Sponsored by OSS. Contact: Robert Steele oss@oss.net. "The Right to Privacy," November 9. Authors Caroline Kennedy and Ellen Alderman discuss their new book on privacy. Lizner Auditorium, George Washington University, Washington, DC. Contact 202/357-3030. 11th Annual Computer Security Applications Conference: Technical papers, panels, vendor presentations, and tutorials that address the application of computer security and safety technologies in the civil, defense, and commercial environments. December 11-15, 1995, New Orleans, Louisiana. Contact Vince Reed at (205)890-3323 or vreed@mitre.org. RSA 6th Annual Data Security Conference: Cryptography Summit. Focus on the commercial applications of modern cryptographic technology, with an emphasis on Public Key Cryptosystems. January 17-19, 1996. Fairmont Hotel, San Francisco. Contact Layne Kaplan Events, at (415) 340-9300, e-mail at info@lke.com, or register at http://www.rsa.com/. Computers Freedom and Privacy '96. March 27-30. Cambridge, Mass. Sponsored by MIT, ACM and WWW Consortium. Contact cfp96@mit.edu or http://www-swiss.ai.mit.edu/~switz/cfp96 Conference on Technological Assaults on Privacy, April 18-20, 1996. Rochester Institute of Technology, Rochester, New York. Papers should be submitted by February 1, 1996. Contact Wade Robison privacy@rit.edu, by FAX at (716) 475-7120, or by phone at (716) 475-6643. Australasian Conference on Information Security and Privacy June 24-26, 1996. New South Wales, Australia. Sponsored by Australasian Society for Electronic Security and University of Wollongong. Contact: Jennifer Seberry (jennie@cs.uow.edu.au). Visions of Privacy for the 21st Century: A Search for Solutions. May 9-11, 1996. Victoria, British Columbia. Sponsored by The Office of Information and Privacy Commissioner for the Province of British Columbia and the University of Victoria. Program at http://www.cafe.net/gvc/foi 18th International Conference of Data Protection and Privacy Commissioners. Sponsored by the Privacy Commissioner of Canada. September 18-20, 1996. Ottawa, Canada. Advanced Surveillance Technologies II. Sponsored by EPIC and Privacy International. September 17, 1995. Ottawa, Canada. Contact pi@privacy.org International Colloquium on the Protection of Privacy and Personal Information. Commission d'acces a l'information du Quebec. May 1997. Quebec City, Canada. (Send calendar submissions to Alert@epic.org) ======================================================================= The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send the message: SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname to listserv@cpsr.org. You may also receive the Alert by reading the USENET newsgroup comp.org.cpsr.announce. Back issues are available via http://www.epic.org/alert/ or FTP/WAIS/Gopher/HTTP from cpsr.org /cpsr/alert/ and on Compuserve (Go NCSA), Library 2 (EPIC/Ethics). ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government and Computer Professionals for Social Responsibility. EPIC publishes the EPIC Alert and EPIC Reports, pursues Freedom of Information Act litigation, and conducts policy research on emerging privacy issues. For more information, email info@epic.org, WWW at HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. (202) 544-9240 (tel), (202) 547-5482 (fax). The Fund for Constitutional Government is a non-profit organization established in 1974 to protect civil liberties and constitutional rights. Computer Professionals for Social Responsibility is a national membership organization of people concerned about the impact of technology on society. For information contact: cpsr-info@cpsr.org If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Your contributions will help support Freedom of Information Act litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan. Thank you for your support. ------------------------ END EPIC Alert 2.13 ------------------------ ====================================================================== Marc Rotenberg (Rotenberg@epic.org) * +1 202 544 9240 (tel) Electronic Privacy Information Center * +1 202 547 5482 (fax) 666 Pennsylvania Ave, SE, Suite 301 * HTTP://www.epic.org/ Washington, DC 20003 * info@epic.org ======================================================================