You are here:
WorldLII >>
Databases >>
EPIC Alert >>
1999 >>
[1999] EPICAlert 18
Database Search
| Name Search
| Recent Articles
| Noteup
| LawCite
| Help
EPIC Alert 6.18 [1999] EPICAlert 18
EPIC ALERT
Volume 6.18 November 3, 1999
Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org
Table of Contents
[1] Proposed Federal Medical Privacy Regulations Released
[2] Internet Censorship Case Goes to Appeals Court
[3] Privacy Left Out of Financial Modernization Bill
[4] Comments Sought on Proposed Key-Recovery Standard
[5] Appeals Court Permits Warrantless Thermal-Imaging Searches
[6] Protection of FIDNet Spurs Calls to Weaken FOIA
[7] EPIC Bookstore -- Code: And Other Laws of Cyberspace
[8] Upcoming Conferences and Events
[1] Proposed Federal Medical Privacy Regulations Released
On October 29, the President presented a set of proposed federalregulations protecting the privacy of electronically stored medicalrecords.
The regulations -- produced by the Department of Health andHuman Services (HHS) in concert with multiple federal agencies -- arethe
first federal protections of medical privacy. The Department ofHealth and Human Services began drafting the regulations when Congressfailed
to pass federal legislation covering medical privacy on August21 of this year. The rules are available for public comment over thenext
sixty days.
The regulations, mandated by the Health Insurance Portability andAccountability Act of 1996 (HIPAA), would apply to all health plansand
many health care providers, as well as health care clearinghousessuch as billing companies. However, under the HIPAA provision,
theHHS regulations may cover only electronic data; paper records andverbal communications are not covered.
The HHS regulations also fail to provide a private right of action andleave open significant questions about how the rules will be
enforced.
The government would be able to impose civil and criminal penalties.
Privacy advocates, while commending the White House for moving forwardon the medical privacy regulations after Congress failed to
meet itsself-imposed deadline for the passage of legislation, nonetheless saidthat comprehensive legislation would be necessary to
ensure the privacyof medical records.
Notice of Proposed Rulemaking, "Standards for Privacy of IndividuallyIdentifiable Health Information"
http://aspe.hhs.gov/admnsimp/
HHS Medical Privacy Regulations
http://www.epic.org/privacy/medical/HHS_medical_privacy_regs.html
HHS Medical Privacy Regulations [PDF]
http://www.epic.org/privacy/medical/HHS_medical_privacy_regs.PDF
Remarks by the President on Medical Privacy, October 29, 1999
http://www.epic.org/privacy/medical/announce_med_privacy.html
[2] Internet Censorship Case Goes to Appeals Court
The legal battle to protect free speech on the Internet resumestomorrow in Philadelphia. The U.S. Court of Appeals for the ThirdCircuit
will hear oral arguments in the government's appeal of a lowercourt decision blocking enforcement of the Child Online Protection
Act(COPA). The case against COPA -- brought by EPIC, the ACLU and otherorganizations - has been pending before the appellate court
since theJustice Department filed its appeal in April. The appellate panelhearing the appeal consists of Judges McKee, Garin and
Nygaard.
The government's appeal challenges the finding of Judge Lowell A. Reed,
Jr. that the new Internet censorship law would restrict free speech inthe "marketplace of ideas." Judge Reed's February 1 ruling
enjoinsenforcement of COPA, the statutory successor to the CommunicationsDecency Act (CDA), which the Supreme Court struck down in
June 1997.
The legal challenge to COPA was filed on behalf of 17 organizationspublishing information on the World Wide Web. In granting apreliminary
injunction against COPA, Judge Reed found that theplaintiffs were likely to succeed on their claim that the law "imposesa burden
on speech that is protected for adults." The ruling cameafter a six-day hearing which featured testimony from website operatorswho
provide free information about fine art, news, gay and lesbianissues and sexual health for women and the disabled, and who all fearthat
COPA would force them to shut down their websites.
In his 49-page opinion, Judge Reed listed 68 separate "findings offact" to support his decision. The judge considered evidence that
COPAimposed technological and economic burdens on speakers, but concludedthat ultimately the relevant inquiry is the "burden imposed
on theprotected speech, not the pressure placed on the pocketbooks or bottomlines of the plaintiffs."
The full text of the Judge Reed's decision, and complete information onthe legal challenge, is available at:
http://www.epic.org/free_speech/copa/
In another Internet censorship case, the Tenth Circuit issued adecision on November 2 striking down a New Mexico law that sought tocriminalize
the online distribution of material that is "harmful tominors." The text of the decision is available at:
http://www.epic.org/free_speech/aclu_v_johnson.html
[3] Privacy Left Out of Financial Modernization Bill
S. 900, the Financial Services Modernization Bill of 1999, seeks toremove barriers to mergers in the banking and financial industry.
Thebill, voted on today in the Senate and tomorrow in the House, alsolargely abandons consumer control over the sharing of informationbetween
financial institutions and marketing companies.
The current version of the legislation arose out of two separatebills in Congress. H.R. 10, the Financial Services Act of 1999,
contained limited provisions for consumer control of personal financialinformation including: guarantees of information security,
norequirement for consent to the distribution of information to third-
parties, annual notice of privacy procedures, and the restricteduse of account numbers and access codes. S. 900 originally had noprivacy
provisions. Due to the differences in the two bills, aHouse/Senate conference was held to reconcile the privacy provisionsof the
legislation.
The final conference bill provides that financial institutions mustprovide disclosure about privacy policies, and would restrict accountnumbers
and access codes from marketers -- but continues to omitopt-out consent before information is distributed to nonaffiliatedthird parties.
With the conference committee revisions, S. 900 erodesany expectation of consumer control over personal financialinformation. The
legislation does not, however, pre-empt statefinancial privacy laws with stronger consumer protections.
EPIC, along with other privacy and consumer advocacy groups, opposesthe bill since it provides inadequate consumer control over financialinformation.
Despite the efforts of privacy-minded legislators such asSens. Richard Shelby (R-AL) and Richard Bryan (D-NV) and Rep. EdwardMarkey
(D-MA), the bill is expected to be passed by both the Senate andthe House and signed into law by the President sometime next week.
[4] Comments Sought on Proposed Key-Recovery Standard
The final deadline is approaching for submission of comments on federal"key recovery" standards. The Department of Commerce is seeking
publiccomments on proposed "technical specifications for accomplishing therecovery of keys used for encryption." The specifications
arecontained in a report issued by the Technical Advisory Committee toDevelop a Federal Information Processing Standard for the Federal
KeyManagement Infrastructure, which was chartered by the Department in1996. The Committee was established to provide technical advice
on anencryption key recovery standard for use by Federal agencies to allowfor "continued government access to encrypted information
in the eventof the unavailability (e.g., loss due to unavailability of criticalpersonnel) of the encryption/decryption key(s)."
Techniques for "key-recovery" or "key-escrow" have long beencontroversial, dating back to the unveiling of the infamous ClipperChip
in 1993.
Comments must be submitted no later than November 4, and can be sent to<key-recoverynist.gov>.
The text of the Committee's report, as well as other informationconcerning its work, is available online at:
http://csrc.nist.gov/tacdfipsfkmi/
[5] Appeals Court Permits Warrantless Thermal-Imaging Searches
The Ninth Circuit Court of Appeals, in a split opinion, has held thatthe police did not violate the Fourth Amendment when they used
athermal imaging device to search for evidence of marijuana cultivation.
The thermal imager detected high levels of heat emission in anapartment indicating the presence of heat lamps used in growingmarijuana.
The defendant Kyllo claimed that the thermal scan intruded intoactivities within his home, in which he had an expectation of privacy,
and that the police were required to obtain a warrant before conductingthe search.
Judge Hawkins, writing for the court, said that "the use of thermalimaging technology in this case did not constitute a search undercontemporary
Fourth Amendment standards." The court said that theemissions were "waste heat," entitled to no more privacy than thegarbage that
is placed on the street. The court said that there wasno government intrusion into activities in Kyllo's home, in which heexpected
privacy, rather there was simply a measurement of heatemissions radiating from his home.
Writing in dissent, Judge Noonan said that the warrantless use of theAgema 210 clearly violated the Fourth Amendment.
I have no doubt that Kyllo did have an expectation of privacy as to what was going on in the interior of his house and that
this expectation was infringed by the government's use of the Agema 210 although the machine itself never penetrated into
the interior.
The closest analogy is use of a telescope that, unknown to the homeowner, is able from a distance to see into his or her
house and report what he or she is reading or writing. Such an enhancement of normal vision by technology, permitting the
government to discern what is going on in the home, violates the Fourth Amendment.
Both the Washington state Supreme Court and the Montana Supreme Courthave held that thermal imaging is a search under their respective
stateconstitutions.
USA v. Kyllo, 96-3033 (CA9 1999)
http://www.ce9.uscourts.gov/web/newopinions.nsf/f606ac175e010d6488 2566eb00658118/b686f731840272eb882567e7005de14a?OpenDocument#top
[6] Protection of FIDNet Spurs Calls to Weaken FOIA
As reported by the National Journal's Technology Daily on October 20,
the Department of Justice is putting together a proposal to repeal partof the Freedom of Information Act (FOIA) in order to implement theFederal Intrusion Detection Network (FIDNet).
Details about FIDNet, a plan to monitor nationwide communications inthe interest of "critical infrastructure protection," first emergedin
July. While many of the details surrounding the eventualestablishment of FIDNet are still unclear, part of the original planinvolved
monitoring private sector computer networks. To encouragethe cooperation of businesses, the government had previously promisedcompanies
that the information about businesses necessary for theoperation of FIDNet would remain confidential.
The Freedom of Information Act became law in 1966, ensuring the rightof citizens to access federal agency records. Many companies areworried that information revealed
through FOIA requests via theirinvolvement in FIDNet would publicly reveal weaknesses in networksecurity or threaten the confidentiality
of business negotiations.
While FOIA does offer exemptions for certain types of information,
companies argue that there is no guarantee that all information wouldremain confidential once provided to the government.
In response to the reluctance of businesses to cooperate with FIDNetunder the present FOIA conditions, the Administration is in the
processof developing proposals to repeal parts of FOIA to garner privatesector compliance. These plans have already received criticism
inCongress.
For more information about FOIA, see the EPIC Open Government page:
http://www.epic.org/open_gov/
FIDNet will also be the topic of an upcoming event, "The Government'sRole in Computer Surveillance and The Federal Intrusion DetectionNetwork",
to be held jointly by the Association for Computing Machinery(ACM) and Stanford University on November 9. For more information, see:
http://www.acm.org
[7] EPIC Bookstore -- Code: And Other Laws of Cyberspace
Code: And Other Laws of Cyberspace by Lawrence Lessig.
http://www.amazon.com/exec/obidos/ISBN=046503912X/electronicprivacA(Note: This book will come out on December 1 but can be ordered
now.)
An exciting examination of the core values of cyberspace-intellectualproperty, free speech, and privacy -- from one of America's mostbrilliant
young legal theorists.
Lawrence Lessig "has staked out a role as one of academia's avant-gardethinkers about cyberspace and the law." - Wall Street Journal
How should we regulate cyberspace? Can we? It's a cherished belief oftechies and net denizens everywhere that cyberspace is fundamentally,
unalterably impossible to regulate. Thus the legendary freedom of theNet. Lawrence Lessig warns that, if we're not careful, we'll
wake upone day to discover that the character of cyberspace has changed outfrom under us. Commercial forces will dictate the change,
andarchitecture-the very structure of cyberspace itself-will dictate theform our interactions can and cannot take.
The author of the classic paper "Reading the Constitution inCyberspace," Lessig shows how code can make a domain, site, or networkfree or restrictive; how architectures influence people's
behavior andthe values they adopt; and how changes in code affect the pressingissues of free speech, intellectual property, and privacy
incyberspace.
EPIC Publications:
"The Privacy Law Sourcebook: United States Law, International Law, andRecent Developments," Marc Rotenberg, editor (EPIC 1999). Price:
$50.
http://www.epic.org/pls/
The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who
needan up-to-date collection of US and International privacy law, as wellas a comprehensive listing of privacy resources.
"Filters and Freedom - Free Speech Perspectives on Internet ContentControls," David Sobel, editor (EPIC 1999). Price: $20.
http://www.epic.org/filters&freedom/
A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens
free expression.
"Cryptography and Liberty: An International Survey of CryptographyPolicy" Wayne Madsen and David Banisar, editors, (EPIC 1999). Price:
$15. http://www.epic.org/cryptobook99/
An international survey of encryption policies around the world. Surveyresults show that in the vast majority of countries, cryptography
maybe freely used, manufactured, and sold without restriction, with theU.S. being a notable exception.
"Privacy and Human Rights 1999: An International Survey of Privacy Lawsand Developments" David Banisar, Simon Davies, editors, (EPIC
1999).
Price: $15. http://www.epic.org/privacy&humanrights99/
An international survey of the privacy and data protection laws foundin 50 countries around the globe. This report outlines theconstitutional
and legal conditions of privacy protection, andsummarizes important issues and events relating to privacy andsurveillance.
Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be orderedthrough the EPIC Bookstore: http://www.epic.org/bookstore/
[8] Upcoming Conferences and Events
Washington, D.C., USA Internet Engineering Task Force (IETF) Meeting.
November 7-12, 1999. Omni Shoreham Hotel. Washington, D.C. For moreinformation: http://www.ietf.org/meetings/IETF-46.html
Public Workshop on "Online Profiling" -- November 8, 1999. NationalTelecommunications and Information Administration, Commerce and
FederalTrade Commission. For more information:
http://www.ftc.gov/bcp/profiling/index.htm
Consumer Privacy in the Next Decade: New Trends, Forces and Directionsand The All New Practitioner's Privacy Policy Workshop. Privacy
&
American Business' Sixth Annual National Conference. November 8-10,
1999. Hyatt Regency Hotel. Arlington, VA. For more information:
ctrslraol.com
ID and Authentication 2000. Smart Card Forum. November 8-11, 1999. Formore information: http://www.smartcardforum.org
The Government's Role in Computer Surveillance and the FederalIntrusion Detection Network (FIDNet). Association for ComputingMachinery
and Stanford University. November 9, 1999. Kresge Auditorium,
Stanford University. For more information: http://www.acm.org
The 1999 BNA Public Policy Forum: E-Commerce and Internet Regulation.
November 15, 1999. Mayflower Hotel. Washington, D.C. For moreinformation: http://internetconference.pf.com/
Call for Papers -- Impacts of Economic Liberalization on IT Productionand Use. The Information Society. Manuscripts due November 15,
1999.
For more information: http://www.slis.indiana.edu/TIS
Call for Papers -- Telecommunications: The Bridge to Globalization inthe Information Society. International Telecommunications Society.
Abstracts due November 15, 1999. For more information:
http://www.its2000.org.ar
Annual Computer Security Applications Conference: Practical Solutionsto Real Security Problems. December 6-10, 1999. Radisson ResortScottsdale.
Phoenix, Arizona. For more information:
http://www.acsac.org/
Integrating Government with New Technologies '99 Policy vs Technology:
Service Integration in the New Environments - A two-day Seminar andTraining Session. December 13-14, 1999. Government Conference Center.
Ottawa, Canada. For more information: http://www.rileyis.com/seminars
Surveillance Expo '99. December 13-15, 1999. Doubletree Hotel. CrystalCity, Virginia. For more information: http://www.rosseng.com
PEN/Newman's Own Eighth Annual First Amendment Award. Nominations dueDecember 31, 1999. For more information: http://www.pen.org
RSA 2000. The ninth annual RSA Data Security Conference and Expo.
January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA.
For more information: http://www.rsa.com/rsa2000/
Telecommunications: The Bridge to Globalization in the InformationSociety. Biennial Conference of the International TelecommunicationsSociety.
July 2-5, 2000. For more information:
http://www.its2000.org.ar
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic PrivacyInformation Center. A Web-based form is available for subscribing
orunsubscribing at:
http://www.epic.org/alert/subscribe.html
To subscribe or unsubscribe using email, send email toepic-newsepic.org with the subject: "subscribe" (no quotes) or"unsubscribe".
Back issues are available at:
http://www.epic.org/alert/
About EPIC
The Electronic Privacy Information Center is a public interest researchcenter in Washington, DC. It was established in 1994 to focus
publicattention on emerging privacy issues such as the Clipper Chip, theDigital Telephony proposal, national ID cards, medical record
privacy,
and the collection and sale of personal information. EPIC is sponsoredby the Fund for Constitutional Government, a non-profit organizationestablished
in 1974 to protect civil liberties and constitutionalrights. EPIC publishes the EPIC Alert, pursues Freedom of InformationAct litigation,
and conducts policy research. For more information,
e-mail infoepic.org, http://www.epic.org or write EPIC, 666Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240(tel),
+1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible.
Checksshould be made out to "The Fund for Constitutional Government" and sentto EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington,
DC 20003.
Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for the rightof privacy and efforts to oppose government regulation
of encryptionand expanding wiretapping powers.
Thank you for your support.
END EPIC Alert 6.18
.
WorldLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.worldlii.org/int/journals/EPICAlert/1999/18.html