=============================================================

                         EPIC ALERT

=============================================================
Volume 2.14                                  November 9, 1995
-------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, DC
info@epic.org
http://www.epic.org/

=======================================================================
Table of Contents
=======================================================================

[1] NIST Releases Updated Export Criteria (Clipper 2.1)
[2] Wiretap Update: FBI Does New Math
[3] Concerns about Medical "Privacy" Bill Grow
[4] Massachusetts Enacts New Consumer Credit Law
[5] New Privacy Polls: Lots of Problems, Few Solutions
[6] Review: "The Right to Privacy," Alderman and Kennedy
[7] EPIC E-mail Bag
[8] Upcoming Conferences and Events

=======================================================================
[1] NIST Releases Updated Export Criteria (Clipper 2.1)
=======================================================================

The National Institute of Standards and Technology released this week a "Draft Software Key Escrow Encryption Export Criteria (11/95 version)." The new standard was expected to take into account industry comment from a September meeting when the proposal was announced and quickly trashed, but not much changed.

Key requirements for those planning to export crypto?

 - Key escrow
 - No functioning crypto without . . .
 - A U.S. government certified key escrow agent
 - No triple-DES
 - Incompatibility with everything else

The complete NIST proposal is available at:

    http://www.epic.org/crypto/CKE/criteria.txt

NIST also announced that it will sponsor a meeting to discuss the proposed exportability criteria for the 64-bit software key escrow encryption on December 5.
According to NIST, "this meeting continues the industry-government dialog of an earlier NIST-sponsored meeting held in September." Information on the December 5 meeting is available at:

    http://www.epic.org/crypto/CKE/dec5.html

Readers who are interested in a review of the proposed NIST export standard should look at Brock Meeks' column in the November 1995 issue of Wired. No five mice for Clipper 2.1.

=======================================================================
[2] Wiretap Update: FBI Does New Math
=======================================================================

Pressure on the Department of Justice to reevaluate the wiretap program continues to grow. The October 16 Federal Register notice (reported in EPIC Alert 2.12) prompted national news coverage and led many of those following the wiretap plan to ask whether 1% means 1 out of 100 or 1 out of 1,000.

At a November 2 press conference with Jamie Gorelick, the deputy attorney general was asked repeatedly about the status of the wiretap plan. Ms. Gorelick responded, "Let me make very clear that there is no intention to expand the number of wiretaps or the extent of wiretapping. The entire purpose of the digital telephony legislation was to leave law enforcement in the same position it is now with respect to wiretaps."

When pressed by a reporter who asked if there would be no substantial change to the total number of wiretaps performed if "the FBI got everything that it wanted in the Federal Register" notice, Ms. Gorelick said yes. She described the news reports as "a misunderstanding or miscommunication."

(Federal electronic surveillance went from 340 warrants authorized in 1992 to 554 in 1994, according to the Administrative Office of the U.S. Courts).

Readers are urged to do the math and then send the FBI a letter regarding the wiretap plan before November 15.
Check out:

    http://www.epic.org/privacy/wiretap/

=======================================================================
[3] Concerns about Medical "Privacy" Bill Grow
=======================================================================

Senator Bennett's medical privacy bill continues to raise concerns. Now, consumer groups are jumping into the battle.

The Consumer Project on Technology, founded by Ralph Nader and led by public interest advocate Jamie Love, wrote recently to Senator Kassebaum to warn that the bill "ensures that virtually any law enforcement official will have the right to search your medical records, not by identifying your doctors and obtaining a warrant for records from a doctors office, but simply by contacting large insurance companies, employers or database companies, and searching computer databases."

Even one of the backers of the bill concedes that privacy will likely get short shrift if the measure goes forward. "To suggest to the public that this bill is a championing of the doctor-patient relationship and medical privacy is misrepresenting what's really going on," said Lawrence Gostin, director of the law and public health program at Georgetown University, in a November 3 Boston Globe article. "What this bill does is legitimize the development of these large health databases that are intended to hold vast amounts of medical information about individual Americans."

Massachusetts is one of several states that will see current privacy safeguards drop if the federal bill goes through.

Senator Kassebaum is expected to hold hearings on November 13, 1995. Alert readers are urged to contact Senator Kassebaum with your views on the bill.
More information about the proposal can be found at:

    http://www.epic.org/privacy/medical/

=======================================================================
[4] Massachusetts Enacts New Consumer Credit Law
=======================================================================

In September, Massachusetts Governor William Weld signed the strongest consumer credit protection law in the nation. This follows passage of a law protecting the privacy of medical records held by insurance companies two years ago.

The new law requires that the three national credit bureaus each provide one free credit report to each state resident. Local credit bureaus can charge $5 for a copy. Currently, only TRW provides free reports.

Another important change is that credit givers, such as department stores and banks, are liable for reporting incorrect information. If a store incorrectly reports that an individual has defaulted on a loan, the individual can sue for damages caused by the report. Currently, this lack of liability is a major reason inaccurate information keeps reappearing in individuals' reports even after the bureaus are informed of the inaccuracies.

Under the new law, errors must be corrected within three days and inaccurate information that has been deleted from the report cannot be reentered without notifying the individual.

Investigative reports are also limited. Credit givers can only contact employers, neighbors and others with the express written consent of the consumer.

The law is scheduled to go into effect January 1, 1996.

=======================================================================
[5] New Privacy Poll: Lots of Problems, Few Solutions
=======================================================================

Equifax, the credit reporting agency now poised to enter the medical record business, and Lou Harris, the national polling organization, released this week the "Equifax-Harris Mid-Decade Consumer Privacy Survey."
The poll reveals high levels of concern about privacy. Consumer concerns about privacy came in slightly behind controlling false advertising and reducing insurance fraud, but beat out requiring environmentally safe packing and putting content and calorie labels on food.

The poll finds that 82% of Americans are very concerned or somewhat concerned about privacy. And 80% of Americans believe they have lost all control over personal information.

But the Equifax-Harris poll does not tell the whole story. A recent poll from the Yankelovich group found that 90% of Americans favored legislation to protect them from businesses that invade their privacy. That number is similar to a 1991 Time/CNN poll in which consumers, asked if they favored legal protections, said yes overwhelmingly.

More information about public attitudes toward medical record privacy and consumer privacy may be found at:

    http://www.epic.org/privacy/medical/polls.html
    http://www.epic.org/privacy/junk_mail/public.html

=======================================================================
[6] Review: "The Right to Privacy," Alderman and Kennedy
=======================================================================

"The Right to Privacy," Ellen Alderman and Caroline Kennedy (Alfred Knopf, New York 1995), $26.95.

Justice Brandeis once described privacy as "the most comprehensive of all rights." But privacy is also one of the most confusing of all rights. Courts, commentators and scholars often struggle with just the definition.

To the credit of Ellen Alderman and Caroline Kennedy, there is now an excellent book that helps clarify and make real the importance of privacy. The Right to Privacy is a fascinating and well constructed expose of the pivotal legal battles that have helped shape the right of privacy. It is perhaps the most engaging book on privacy ever written.
The authors look at a series of critical cases that demonstrate various major privacy themes -- privacy and law enforcement, privacy and the self, privacy and the press, privacy and the voyeur, privacy in the workplace, and privacy and information.

They approach their task in even-handed fashion. While their sympathies are clearly with the claims of the plaintiff, they are careful to describe the competing concerns of law enforcement, employers, and the press. Courts are often asked to balance competing claims and the authors invite the readers to consider as well the interests of both parties.

Alderman and Kennedy also convey the richness of privacy law. Few privacy claims are slam-dunks in the Supreme Court. Much of the law is made at the state level. Many cases end quietly in settlement among the parties. Insurance companies, as the authors note, often play an important role in both awards and strategy.

The book is at its best describing the individuals who bring claims, and their sense of outrage and betrayal when their privacy has been violated: A woman strip-searched in a police station for a parking violation, a young couple filmed in a hotel room from behind a two-way mirror, a psychological profile required for a job that asks about sexual activities and religious belief. Each case makes real the sense of powerlessness, invasion, and simple humiliation that results when privacy is lost.

The book provides also a wonderful answer to an age-old question: why go to law school? In many stories, it becomes clear that without a sympathetic and determined attorney, rights would not be vindicated.

But, still, this excellent work is not without faults. The last chapter is a disappointment, a discordant note in an otherwise robust symphony. In the discussion of cutting edge privacy issues, the authors jump from hot topic to hot topic without much consideration of significance or context.
They conclude, quite surprisingly, that new technologies will require us to give up some privacy rights. That conclusion is unfortunate not only because it quotes Justice Brandeis (who believed quite the opposite as both the famous law review article from 1890 and a 1928 wiretap opinion make clear), but also because it seems to ignore the evidence that much of the book presents. Individuals whose privacy is violated will indeed seek redress.

Perhaps the problem is simply that the law has not reached a point where we can talk as clearly about privacy violations in the information world as we have in the physical world. Maybe it will take cases brought against police ogling women on the street through Closed Circuit Television, or credit bureaus scanning medical records to reject credit risks, a discreet genetic test used by an employer to eliminate potential workers, or a computer user arrested for sending a personal message with an illegal form of encryption.

Like the plaintiffs in the cases described in the book, the plaintiffs in those future cases will also ask the courts to recognize that right, both comprehensive and confusing, that is critical for human dignity and civil society.

=======================================================================
[7] EPIC E-mail Bag
=======================================================================

As the frequency of EPIC Alerts has increased, we've received many letters and comments.

Alert 2.12 brought criticisms from two government officials. One asked whether it was fair for us to describe the wiretapping conducted by US officials on Japanese and French trade officials as "illegal." Admittedly, this is an area of international law where norms are often unclear. It was also not our point to suggest that US officials are alone in this activity (similar charges have been made recently against French agents, though we are not aware of any against Japan).
But if the question is squarely asked whether it is legal for a government to wiretap a private communication without legal process, there is plenty of law to suggest that the answer is no. The Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and the Convention of the International Telecommunications Union all make clear the responsibility of governments to respect the privacy of communication. Does it happen anyway? Of course. Should it? Look at the documents. (http://www.epic.org/privacy/intl/).

A second official takes issue with our criticism of an early draft of the privacy working group IITF report on privacy, noting that the proposal has since been changed. We've updated our web site to include the final version of the report, as well as the NTIA report also mentioned in Alert 2.13. We leave it to readers to decide if there has been much improvement with the IITF proposal.

Several comments were received on the draft medical privacy bill in Alert 2.13. We have incorporated these suggestions in our proposal, and plan to release a revised bill next week.

The Avrahami case has already stirred interest among Alert readers. Several have asked for more current updates as the case develops. As a result, we added a new section with the legal motions and updated other pages. Readers interested in the Avrahami case should check www.epic.org/privacy/junk_mail/ frequently. We will do our best to keep you informed.

Please send your comments to alert@epic.org.

=======================================================================
[8] Upcoming Privacy Related Conferences and Events
=======================================================================

The Right to Privacy. November 9. Authors Caroline Kennedy and Ellen Alderman discuss their new book on privacy. Lisner Auditorium, George Washington University, Washington, DC. Contact 202/357-3030.

Consumer Rights with Direct Marketing On and Off the Internet: Does Junk (e-)Mail Really Byte? November 21. Sponsored by Institute for Computer and Telecommunications Systems Policy. Washington, DC. See http://www.seas.gwu.edu/seas/ictsp/Activities/Seminars/.

11th Annual Computer Security Applications Conference: Technical papers, panels, vendor presentations, and tutorials that address the application of computer security and safety technologies in the civil, defense, and commercial environments. December 11-15, 1995, New Orleans, Louisiana. Contact Vince Reed at (205) 890-3323 or vreed@mitre.org.

RSA 6th Annual Data Security Conference: Cryptography Summit. Focus on the commercial applications of modern cryptographic technology, with an emphasis on Public Key Cryptosystems. January 17-19, 1996. Fairmont Hotel, San Francisco. Contact Layne Kaplan Events, at (415) 340-9300, e-mail at info@lke.com, or register at http://www.rsa.com/.

The Gathering: The Computer Security Conference with a Difference. February 13-15, 1996. University of Otago, Dunedin, New Zealand. Speakers include Fred Cohen, Chris Goggans, Bruce Schneier, Winn Schwartau, Robert Ellis Smith, and Philip Zimmermann.

Computers Freedom and Privacy '96. March 27-30, 1996. Cambridge, Mass. Sponsored by MIT, ACM and WWW Consortium. Contact cfp96@mit.edu or http://web.mit.edu/cfp96/

Conference on Technological Assaults on Privacy, April 18-20, 1996. Rochester Institute of Technology, Rochester, New York. Papers should be submitted by February 1, 1996. Contact Wade Robison privacy@rit.edu, by FAX at (716) 475-7120, or by phone at (716) 475-6643.

Australasian Conference on Information Security and Privacy. June 24-26, 1996. New South Wales, Australia. Sponsored by Australasian Society for Electronic Security and University of Wollongong. Contact: Jennifer Seberry (jennie@cs.uow.edu.au).

Visions of Privacy for the 21st Century: A Search for Solutions. May 9-11, 1996. Victoria, British Columbia.
Sponsored by The Office of Information and Privacy Commissioner for the Province of British Columbia and the University of Victoria. Program at http://www.cafe.net/gvc/foi

The Privacy Laws & Business 9th Annual Conference. July 1-3, 1996. St. John's College, Cambridge, England. Contact: Ms. Gill Ehrlich +44 181 423 1300 (tel), +44 181 423 4536 (fax).

18th International Conference of Data Protection and Privacy Commissioners. Sponsored by the Privacy Commissioner of Canada. September 18-20, 1996. Ottawa, Canada.

Advanced Surveillance Technologies II. Sponsored by EPIC and Privacy International. September 17, 1996. Ottawa, Canada. Contact pi@privacy.org

International Colloquium on the Protection of Privacy and Personal Information. Commission d'acces a l'information du Quebec. May 1997. Quebec City, Canada.

(Send calendar submissions to Alert@epic.org)

=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send the message:

    SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname

to listserv@cpsr.org. You may also receive the Alert by reading the USENET newsgroup comp.org.cpsr.announce.

Back issues are available via http://www.epic.org/alert/ or FTP/WAIS/Gopher/HTTP from cpsr.org /cpsr/alert/ and on Compuserve (Go NCSA), Library 2 (EPIC/Ethics).

=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government and Computer Professionals for Social Responsibility.
EPIC publishes the EPIC Alert and EPIC Reports, pursues Freedom of Information Act litigation, and conducts policy research on emerging privacy issues. For more information, email info@epic.org, WWW at HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. (202) 544-9240 (tel), (202) 547-5482 (fax).

The Fund for Constitutional Government is a non-profit organization established in 1974 to protect civil liberties and constitutional rights. Computer Professionals for Social Responsibility is a national membership organization of people concerned about the impact of technology on society. For information contact: cpsr-info@cpsr.org

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.

Your contributions will help support Freedom of Information Act litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan.

Thank you for your support.

------------------------ END EPIC Alert 2.14 ------------------------

======================================================================
Marc Rotenberg (Rotenberg@epic.org)      *   +1 202 544 9240 (tel)
Electronic Privacy Information Center    *   +1 202 547 5482 (fax)
666 Pennsylvania Ave, SE, Suite 301      *   HTTP://www.epic.org/
Washington, DC 20003                     *   info@epic.org
======================================================================