[Articles on new EU surveillance proposals, social security numbers, financial privacy, and much else.]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service (RRE). You are welcome to send the message along to others but please do not use the "redirect" option. For information about RRE, including instructions for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: Fri, 18 May 2001 10:38:29 -0400
From: EPIC News <epic-newsat_private> (by way of Marc Rotenberg)
Subject: EPIC Alert 8.09

==============================================================
EPIC ALERT
==============================================================
Volume 8.09                                       May 17, 2001
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/alert/EPIC_Alert_8.09.html

=======================================================================
Table of Contents
=======================================================================

[1] European Union Considering Data Retention Requirements
[2] WA State Court Finds Compelling Interest in Protecting SSNs
[3] Court Decisions Uphold Financial Privacy Protections
[4] "Cyber Security" FOIA Exemption Likely to Resurface
[5] House Hearing Examines Public Perceptions of Privacy
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - Filters & Freedom 2.0
[8] Upcoming Conferences and Events

=======================================================================
[1] European Union Considering Data Retention Requirements
=======================================================================

A new report by Statewatch, a London-based civil liberties research group, says that the Council of the European Union is preparing to back police agency proposals to require the retention of all telephone calls, e-mails, faxes, and Internet activity for up to seven years. The proposal seeks a review of existing EU laws on data protection and privacy to meet the demands of law enforcement agencies for access to all telecommunications content and traffic data.

The report is based upon documents obtained by Statewatch reflecting the deliberations of the Council's Working Party on Police Cooperation. A November 2000 memorandum from the Working Party states, "It is impossible for investigation services to know in advance which traffic data will prove useful in a criminal investigation. The only effective national legislative measure would therefore be to prohibit the erasure or anonymity of traffic data."

Existing EU legislation requires police agencies to obtain permission each time they seek to intercept electronic communications or search for evidence during investigations.
The existing laws also restrict the length of time that service providers can keep data before it must be destroyed.

Previous efforts to grant sweeping investigative powers to European law enforcement agencies have been defeated due to objections from the EU Data Protection Commissioners and public opposition. Early drafts of the Council of Europe's Cybercrime Convention included data retention requirements that have been scaled back in more recent drafts (see EPIC Alert 8.06). The European Commission's Justice and Home Affairs Council is scheduled to debate the most recent data retention proposal on May 28.

The European Commission has recently published a new guide entitled "Data Protection in the European Union." Among other principles, the guide notes that, under the EU Data Directive, "data that identifies individuals must not be kept longer than necessary."

The Statewatch report on surveillance of telecommunications in Europe is available at:

     http://www.statewatch.org/soseurope.htm

The guide, "Data Protection in the European Union," is available at:

     http://www.europa.eu.int/comm/internal_market/en/media/dataprot/news/guide_en.pdf

=======================================================================
[2] WA State Court Finds Compelling Interest in Protecting SSNs
=======================================================================

A Washington State Court has found a compelling interest in protecting Social Security numbers (SSNs) from public dissemination, and has ordered a website operator to remove lawfully obtained SSNs from an Internet site.

In City of Kirkland v. Sheehan, a website operator posted police officers' personal information on Justicefiles.org, an Internet site critical of law enforcement. The personal information included names, addresses, phone numbers, and Social Security numbers.
The court found that the site operator posted the information "to cause at least some degree of fear and apprehension in the minds of law enforcement personnel." The website operator promised to remove the personal information if the officers' departments would adopt civilian police oversight boards.

The City of Kirkland brought suit to enjoin the website operator from posting the officers' personal information, alleging that the activity invaded the officers' privacy interests. The web site operator claimed a First Amendment right to post the personal information, which apparently had been culled from public records.

The King County Superior Court allowed the website operator to continue posting the names, addresses, and other information relating to the police officers. The court held that the First Amendment protected the publication of lawfully obtained personal information for political purposes, absent a credible specific threat of harm.

However, the court enjoined the site operator from publishing the officers' Social Security numbers. The court reasoned that SSNs, unlike names and addresses, do not "facilitate or promote substantive communication." Further, access to Social Security numbers allows others to "obtain access to and to control, manipulate or alter other personal information." Accordingly, the court held that the government has a compelling interest in preventing the dissemination of SSNs that overrides the operator's right to publish.

The decision in City of Kirkland v. Sheehan is available at:

     http://www.politechbot.com/docs/justicefiles.opinion.051001.html

=======================================================================
[3] Court Decisions Uphold Financial Privacy Protections
=======================================================================

In a significant blow to the information selling industry, U.S.
District Court Judge Ellen Huvelle on April 30 issued a decision upholding regulations restricting the sale of personal information by credit reporting agencies and information brokers.

The case arose after the FTC and five other regulatory agencies, following the directive of the Gramm-Leach-Bliley Act (GLB), promulgated regulations to restrict the distribution of "credit headers" -- the information such as name, address, and Social Security number that appears at the top of a credit report. The FTC found that such protections are required because this data is often used by financial institutions when providing or offering financial products to consumers. Therefore, following the regulations, credit reporting agencies and credit bureaus that compile databases on consumers are required to provide notice and opt-out before purchasing or selling this information.

Information brokers, represented by plaintiffs Trans Union and Individual References Services Group (IRSG), challenged the regulations as outside the scope of the agencies' rulemaking authority and unconstitutional. Judge Huvelle followed precedent of administrative law by deferring to the agencies' clarification of "personally identifiable financial information," the definition in question during the rulemaking. She similarly disposed of the plaintiffs' First Amendment freedom of speech argument, holding that the speech in question was not of public concern because credit header information "consists of information of interest solely to the speaker and the client audience."

Therefore, under a lower level of scrutiny than that required by speech of public concern, the regulations directly advanced a substantial governmental interest: "to protect the privacy of consumers -- particularly the security and confidentiality of their nonpublic personal information."
Because GLB expressly exempts the dissemination of nonpublic personal information in order to prevent fraud or to comply with a civil, criminal or administrative order or ruling, uses that are legitimately "of public concern" -- such as prevention of identity fraud and conformation with court orders -- are not subject to a notice and opt-out.

In combination with a recent ruling against Trans Union upholding an FTC restriction on the sale of target marketing lists, these cases signal that federal privacy rules protect a substantial governmental interest and will likely withstand legal challenges from the information broker industry.

Individual References Services Group, Inc. v. Federal Trade Commission, et al.:

     http://www.epic.org/privacy/consumer/IRSGvFTC.pdf

Trans Union Corporation v. Federal Trade Commission:

     http://www.epic.org/privacy/consumer/transunionvftc.txt

=======================================================================
[4] "Cyber Security" FOIA Exemption Likely to Resurface
=======================================================================

Two members of Congress have recently announced plans to introduce legislation that would exempt information concerning "cyber security" and "critical infrastructure protection" from the disclosure requirements of the Freedom of Information Act (FOIA).

Rep. Tom Davis (R-VA) plans to reintroduce a bill to protect such information shared by private companies with federal agencies. The new bill would likely be modeled after the Cyber Security Information Act, which Davis co-sponsored last year with Rep. James Moran (D-VA). It would create a specific FOIA exemption for information companies share with federal organizations such as the Federal Computer Incident Response Center, the coordinating center for civilian agencies on cyberattack alerts and analysis, and the National Infrastructure Protection Center at the FBI. Sen. Robert Bennett (R-UT) has announced plans to introduce a similar bill in the Senate.
Some private companies and trade associations have been lobbying for an exemption to cover information provided to the government that relates to weaknesses and vulnerabilities in their computer systems.

Presidential Decision Directive (PDD) 63, signed by President Clinton in May 1998, identified as "critical infrastructure" systems such as those that run the nation's electric power grid and telecommunications networks. PDD-63 requires federal agencies to coordinate efforts to secure those systems, most of which are under the control of the private sector.

In Congressional testimony last year, EPIC General Counsel David Sobel said the Cyber Security Information Act was unneeded because existing law adequately protects security information submitted by the private sector. He warned that "the proposed exemption would hide from the public essential information about critically important -- and potentially controversial -- government activities undertaken in partnership with the private sector."

EPIC's testimony on the Cyber Security Information Act is available at:

     http://www.epic.org/security/cip/hr4246_testimony.html

Resources on Critical Infrastructure Protection are available at:

     http://www.epic.org/security/cip/

=======================================================================
[5] House Hearing Examines Public Perceptions of Privacy
=======================================================================

On May 8, the House Subcommittee on Commerce, Trade, and Consumer Protection convened a hearing on "Opinion Surveys: What Consumers Have To Say About Information Privacy." Hearing panelists included representatives from the Gallup Poll, the Pew Internet & American Life Project, Privacy and American Business, the Harris Poll and opinion research firm Wirthlin Worldwide.

In his written testimony, Dr.
Frank Newport of the Gallup Poll presented a survey of Internet users in which about half of those polled said that the federal government should be doing more to protect privacy online, a third approved of the current approach and only thirteen percent thought the government should be doing less. In addition, the Gallup poll found that about sixty-three percent of Internet users are "very concerned" about government surveillance of e-mail communications and that a nearly equal sixty percent were similarly concerned about online databases of personal information.

The testimony of Humphrey Taylor of the Harris Poll presented polls stating that ninety-four percent of Internet users want companies to ask for their permission before their data is used for any other purpose than what it was originally provided. Also, the Harris polls found that eighty-seven percent of Internet users want companies to explain what information is collected from them and how it is to be used, eighty-two percent want to be able to see the information companies have stored about them and eighty-two percent want to know how their data is secured in transmission and storage.

Dr. Alan Westin of Privacy and American Business added in his testimony that consumers report that their views on privacy come from their own experiences, as well as those of their family and friends. He also noted that privacy now "scores as one of the top consumer and social-policy issues in the U.S."

In related privacy news, European Commissioner Bolkestein, in a May 11 press conference, stated that the Gramm-Leach-Bliley Act (GLB) does not adequately compare to privacy protection guaranteed to EU citizens by the EU Data Protection Directive. Bush Administration officials and representatives of the financial industry have been seeking an adequacy determination for the past year. Now that GLB has been found inadequate, and given that the EU-U.S.
Safe Harbor agreement does not accommodate financial institutions, the only other route of compliance with the EU Directive for the financial industry is the adoption of model contractual clauses.

The European Commission is currently proceeding with its model contract clauses despite earlier Bush Administration criticisms (see EPIC Alert 8.06). Internal Market Commissioner John Mogg replied to those criticisms by noting that Bush Administration officials' letter did "not specify what difficulties you have with the text, but you refer to the objections raised by business organisations" and added that other proposed model contracts can be presented to the European Commission for approval at a later date.

Written testimony and an archived audio recording of the May 8 House hearing on "Opinion Surveys: What Consumers Have To Say About Information Privacy" are available at:

     http://energycommerce.house.gov/107/hearings/05082001Hearing209/hearing.htm

Information about the European Commission's draft decision on model contract clauses, including replies to letters sent by business organizations and the U.S. government is available at:

     http://europa.eu.int/comm/internal_market/en/media/dataprot/news/clausesdecision.htm

=======================================================================
[6] EPIC Bill-Track: New Bills in Congress
=======================================================================

*House*

H.R.1655 Personal Pictures Protection Act of 2001. To amend title 18, United States Code, to punish the placing of sexually explicit photographs on the Internet without the permission of the persons photographed. Sponsor: Rep Green, Mark (R-WI). Latest Major Action: 5/1/2001 Referred to House committee: House Judiciary.

H.R.1800 Upper Mississippi River Basin Conservation Act of 2001. To establish the Upper Mississippi River Stewardship Initiative to monitor and reduce sediment and nutrient loss in the Upper Mississippi River. Sponsor: Rep Kind, Ron (D-WI).
Latest Major Action: 5/10/2001 Referred to House committee: House Agriculture; House Resources.

*Senate*

S.718 Amateur Sports Integrity Act. A bill to direct the National Institute of Standards and Technology to establish a program to support research and training in methods of detecting the use of performance-enhancing drugs by athletes, and for other purposes. The Internet gambling section of the bill requires institutions of higher education to monitor Internet communications. Sponsor: Sen McCain, John (R-AZ). Latest Major Action: 5/14/2001 Placed on Senate Legislative Calendar under General Orders.

S.803 E-Government Act of 2001. A bill to enhance the management and promotion of electronic Government services and processes by establishing a Federal Chief Information Officer within the Office of Management and Budget, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes. Sponsor: Sen Lieberman, Joseph I. (D-CT). Latest Major Action: 5/1/2001 Referred to Senate committee: Senate Governmental Affairs.

S.840 Law Enforcement Discipline, Accountability, and Due Process Act of 2001. A bill to amend title I of the Omnibus Crime Control and Safe Streets Act of 1968 to provide standards and procedures to guide both State and local law enforcement agencies and law enforcement officers during internal investigations, interrogation of law enforcement officers, and administrative disciplinary hearings, to ensure accountability of law enforcement officers, to guarantee the due process rights of law enforcement officers, and to require States to enact law enforcement discipline, accountability, and due process laws. Sponsor: Sen Biden Jr., Joseph R. (D-DE). Latest Major Action: 5/8/2001 Referred to Senate committee: Senate Judiciary.

S.848 Social Security Number Misuse Prevention Act of 2001.
A bill to amend title 18, United States Code, to limit the misuse of social security numbers, to establish criminal penalties for such misuse, and for other purposes. Sponsor: Sen Feinstein, Dianne (D-CA). Latest Major Action: 5/9/2001 Referred to Senate committee.

S.851 Citizens' Privacy Commission Act of 2001. A bill to establish a commission to conduct a study of government privacy practices, and for other purposes. Sponsor: Sen Thompson, Fred (R-TN). Latest Major Action: 5/9/2001 Referred to Senate committee: Senate Governmental Affairs.

EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills in the 107th Congress, is available at:

     http://www.epic.org/privacy/bill_track.html

=======================================================================
[7] EPIC Bookstore - Filters & Freedom 2.0
=======================================================================

Filters & Freedom 2.0: Free Speech Perspectives on Internet Content Controls, edited by the Electronic Privacy Information Center

     http://www.powells.com/cgi-bin/partner?partner_id=24075&cgi=search/search&searchtype=isbn&searchfor=1893044114

Originally proposed as a technological solution that would forestall official censorship, content filtering has been shown to pose its own significant threats to free expression on the Internet. Often characterized by their proponents as mere features or tools, filtering and rating systems can also be viewed as fundamental architectural changes that may, in fact, facilitate the suppression of speech far more effectively than national laws alone ever could.

This newly revised edition addresses recent developments, including new content control legislation in the United States, efforts within the European Union to establish a uniform rating regime for online material, and the growing controversy over the use of filtering in public libraries.
Partly as a result of the writings contained in this collection, the headlong rush toward the development and acceptance of filtering and rating systems has slowed. These critical views must be considered carefully if we are to preserve freedom of expression in the online world.

For other books recommended by EPIC, browse the EPIC Bookshelf at:

     http://www.powells.com/features/epic/epic.html

================================

EPIC Publications:

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Privacy & Human Rights 2000: An International Survey of Privacy Laws and Developments," David Banisar, author (EPIC 2000). Price: $20.
http://www.epic.org/phr/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

================================

"The Privacy Law Sourcebook 2000: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000). Price: $40.
http://www.epic.org/pls/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.
================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore:

     http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

The Internet and State Security Forum (ISSF). Cambridge Review of International Affairs. May 19, 2001. Cambridge, England. For more information: http://www.cria.org.uk/

Presentation and Book Signing - Marjorie Heins, author of Not in Front of the Children: Indecency, Censorship, and the Innocence of Youth. Freedom Forum. May 22, 2001. Arlington, VA. For more information: vwrightat_private

Communication Research and Policy Workshop. Ford Foundation and Computer Professionals for Social Responsibility (CPSR). May 24, 2001. Washington, DC. For more information: http://www.cpsr.org/ICA_workshop

It's the Public's Right. National Freedom of Information Coalition. May 25-27, 2001. Newport Beach, CA. For more information: http://www.reporters.net/nfoic/

Call for Papers - June 1, 2001. Summer 2001 Issue on Cybermedicine. John Marshall Journal of Computer and Information Law. For more information: 5simondoat_private

The Internet Security Conference (TISC) 2001. Core Competence, Inc. June 4-8, 2001. Los Angeles, CA.
For more information: http://www.tisc2001.com/

INET 2001: A Net Odyssey, Mobility and the Internet. The 11th Annual Internet Society Conference. June 5-8, 2001. Stockholm, Sweden. For more information: http://www.isoc.org/inet2001/

ETHICOMP 2001: Systems of the Information Society. Telecommunications and Informatics Technical University of Gdansk, Poland. June 18-20, 2001. Gdansk, Poland. For more information: http://www.ccsr.cse.dmu.ac.uk/conferences/ccsrconf/ethicomp2001/

ACS/IEEE International Conference on Computer Systems and Applications 2001: Taking Stock of Existing Technology, Charting Future Trends. Lebanese American University. June 25-29, 2001. Beirut, Lebanon. For more information: http://www.lau.edu.lb/news-events/conferences/aiccsa2001.html

Democracy Forum 2001: Democracy and the Information Revolution. International Institute for Democracy and Electoral Assistance. June 27-29, 2001. Stockholm, Sweden. For more information: http://www.idea.int/frontpage_forum2001.htm

Call for Papers - June 30, 2001. CEPE2001: Computer Ethics, Philosophical Enquiries. Lancaster University (UK). Centre for Study of Technology in Organizations, Institute for Environment, Philosophy and Public Policy. December 14-16, 2001. For more information: http://www.lancs.ac.uk/depts/philosophy/conferences/

Re-shaping the Culture of Research: People, Participation, Partnerships & Practical Tools - Fourth Annual Community Research Network Conference. The Loka Institute. July 6-8, 2001. Austin, TX. For more information: http://www.loka.org/

Call For Submissions - August 3, 2001. Workshop on Security and Privacy in Digital Rights Management 2001. Eighth Association for Computing Machinery (ACM) Conference on Computer and Communications Security. November 5, 2001. For more information: http://www.star-lab.com/sander/spdrm/

ICSC 2001: International Conference on Social Computing. University of Bremen. October 1-3, 2001. Bremen, Germany.
For more information: http://icsc2001.informatik.uni-bremen.de/

Privacy2001: Information, Security & Ethics for the New Century. Technology Policy Group. October 3-4, 2001. Cleveland, Ohio. For more information: http://www.privacy2000.org/

Nurturing the Cybercommons, 1981-2001. Computer Professionals for Social Responsibility (CPSR) 20th Annual Meeting. October 19-21, 2001. Ann Arbor, MI. For more information: http://www.cpsr.org/conferences/annmtg01/

Learning for the Future. Business for Social Responsibility's Ninth Annual Conference. November 7-9, 2001. Seattle, WA. For more information: http://www.bsr.org/events/2001.asp

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to epic-newsat_private with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact infoat_private if you have any other questions.
=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail infoat_private, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at http://www.guidestar.org/aol/search/report/report.adp?ein=52-2225921

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 8.09 -----------------------