EPIC Alert 7.02 [2000] EPICAlert 2





EPIC ALERT




Volume 7.02 February 3, 2000

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org

Table of Contents



[1] EPIC Calls for Withdrawal of FIDNET at Senate Hearing
[2] DoubleClick Faces Lawsuit Over Change in Privacy Practices
[3] Privacy Groups Challenge Proposed FBI Wiretap Standards
[4] New Crypto Export Regulations: Still Not De-Control
[5] Industry Targets DVD Copying in Digital Copyright Suits
[6] Clinton Proposes Privacy Protections in State of Union Address
[7] EPIC Bookstore -- Critical Infrastructure Report
[8] Upcoming Conferences and Events


[1] EPIC Calls for Withdrawal of FIDNET at Senate Hearing


This week the Senate Judiciary Committee reviewed the Administration's computer security plan. Civil liberties organizations have criticized the National Plan for Information Systems Protection, saying it would dramatically expand government surveillance of the nation's communications networks. They have singled out the Federal Intrusion Detection Network -- FIDNET -- as raising far-reaching threats to American citizens.

Testifying before the committee, Marc Rotenberg, Executive Director of the Electronic Privacy Information Center (EPIC), called the FIDNET proposal contrary to "the spirit of the federal wiretap statute, the plain language of the federal Privacy Act, and the history of the Fourth Amendment." He said that "the FIDNET proposal, as currently conceived, must simply be withdrawn."

EPIC also released a government memo at the hearing, obtained under the Freedom of Information Act, which indicates that the U.S. Department of Justice is aware that the FIDNET proposal may violate U.S. law. Other records obtained by EPIC show that the government will use credit card records and telephone toll records as part of its intrusion detection system. John Tritak, Director of the Critical Infrastructure Assurance Office, was unable to answer questions put to him by the committee members regarding what type of personal information would be collected by FIDNET.

Rotenberg charged that backers of the security plan were "trying to apply twentieth century notions of national defense to twenty-first century problems of communications security."

Last year, EPIC warned that a similar "critical infrastructure protection" proposal posed risks to the civil liberties of Americans. The revised security plan discusses privacy issues in a number of places, but civil liberties organizations contend that the plan is long on rhetoric and short on safeguards. "The plan lacks the legal protections and independent oversight that would be necessary to prevent abuse," said Rotenberg.

Also testifying at the hearing was Frank Cilluffo, Senior Policy Analyst, Center for Strategic and International Studies. The Senate Subcommittee is chaired by Senator Jon Kyl (R-AZ). Senator Kyl said that future hearings will be held on the proposal and that government witnesses will be called to answer specific legal and technical questions about the design and operation of FIDNET.

EPIC Testimony on "CyberAttack: The National Protection Plan and its Privacy Implications":

http://www.epic.org/security/cip/EPIC_testimony_0200.pdf [PDF]

EPIC Critical Infrastructure Protection Resources Page:

http://www.epic.org/security/cip/

Memo from Ronald D. Lee, Associate Deputy Attorney General, Department of Justice to Jeffrey Hunker, Director, Critical Infrastructure Assurance Office regarding the National Information Systems Protection Plan, March 8, 1999 (obtained by EPIC under the Freedom of Information Act):

http://www.epic.org/security/cip/lee_memo.html

Memo from Jeffrey Hunker, CIAO to CICG Members regarding "Offsite Materials" (obtained by EPIC under the Freedom of Information Act):

http://www.epic.org/security/cip/hunker_memo.html

White House "National Plan for Information Systems Protection" (January 7, 2000):

http://www.ciao.ncr.gov/National_Plan/national%20plan%20final.pdf

Executive Summary of "National Plan for Information Systems Protection" (January 7, 2000):

http://www.whitehouse.gov/WH/EOP/NSC/html/documents/npisp-execsummary-000105.pdf


[2] DoubleClick Faces Lawsuit Over Privacy Practices


DoubleClick, one of the largest advertisers on the World Wide Web, has taken a dramatic new approach in learning about Internet users -- finding out their names and addresses. The move by the company toward personally identifying all the information it collects previously drew fire from privacy advocates and now from private citizens.

The change in DoubleClick's strategy was not unexpected by privacy advocates who have been following their recent acquisitions. In late November, DoubleClick completed a merger with market research firm Abacus Direct. From the dramatic increase in information, DoubleClick hopes to find out more about all Internet users in order to provide targeted one-to-one advertising. Prior to the merger, DoubleClick had been learning about Internet users through the use of cookie technology -- an Internet protocol that allows for unique identification and tracking. While DoubleClick had been collecting personal information before, correlating existing information it has already accumulated from Internet users with the data in the Abacus database requires access to personally identifying information such as a name. For that reason, DoubleClick formed the Abacus Alliance -- an unnamed group of Internet websites that will pass on personal information to the advertiser.

On January 28, attorneys in California filed a lawsuit alleging that DoubleClick had unlawfully represented that it was only collecting non-personally identifying information. Judnick's attorneys are asking for an injunction against DoubleClick that would prevent any further collection of personal information without written consent, an easy way for Internet users to destroy any personal information in DoubleClick's possession, and the destruction of all personal information collected without consent in the past.

For more information about DoubleClick and its recent merger with Abacus Direct, see:

http://www.epic.org/doubletrouble/



[3] Privacy Groups Challenge Proposed FBI Wiretap Standards


On January 20, EPIC and other Internet privacy advocacy groups asked a federal appeals court to block new rules that would enable the FBI to dictate the design of the nation's communication infrastructure. The challenged rules would enable the Bureau to track the physical locations of cellular phone users and potentially monitor Internet traffic.

In a brief filed with the U.S. Court of Appeals for the District of Columbia Circuit, EPIC, the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) said that the rules -- contained in a Federal Communications Commission (FCC) decision issued last August -- could result in a significant increase in government interception of digital communications.

The court challenge involves the Communications Assistance for Law Enforcement Act (CALEA), a controversial law enacted by Congress in 1994, which requires the telecommunications industry to design its systems in compliance with FBI technical requirements to facilitate electronic surveillance. In negotiations over the last few years, the FBI and industry representatives were unable to agree upon those standards, resulting in the recent FCC ruling. EPIC, ACLU and EFF participated as parties in the FCC proceeding and argued that the privacy rights of Americans must be protected.

The groups' court filing asserts that the FCC ruling exceeds the requirements of CALEA and frustrates the privacy interests protected by federal statutes and the Fourth Amendment. Among other things, the Commission order would require telecommunications providers to determine the physical locations of cellular phone users and deliver "packet-mode communications" -- such as those that carry Internet traffic -- to law enforcement agencies.

The privacy groups are being represented on a pro bono basis by Kurt Wimmer and Gerard J. Waldron, attorneys at the Washington law firm of Covington & Burling, and Carlos Perez-Albuerne, an attorney at the Boston law firm of Choate, Hall & Stewart. Oral argument in the court challenge to the CALEA standards is scheduled for May 17, 2000.

In a related development, the Internet Engineering Task Force (IETF) has published a draft document explaining its decision not to consider requirements for wiretapping as part of the process for creating and maintaining IETF standards. Among other things, the draft notes that "[a]dding a requirement for wiretapping will make the designs considerably more complex, thereby jeopardizing the security of communications …"

Background materials on CALEA, including the brief filed by EPIC, ACLU and EFF, are available at EPIC's website:

http://www.epic.org/privacy/wiretap/

The draft IETF document on wiretapping standards is available at:

http://www.ietf.org/internet-drafts/draft-ietf-iab-raven-00.txt


[4] New Crypto Export Regulations: Still Not De-Control


The U.S. Commerce Department released its revised encryption export regulations on January 12. While the new rules will allow for the export of a wide variety of "retail" encryption products, they fall short of the Clinton Administration's promise to deregulate the privacy-enhancing technology. Following the release of the new regulations, EPIC joined the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) in announcing that the groups will continue to press pending constitutional litigation challenging encryption controls.

While recognizing that the Administration has taken a positive and long-overdue step with its latest revisions, the cyber-liberties groups believe that the fundamental constitutional defects of the encryption export regime have not been remedied. Specifically:

- The new regulations, like the old ones, impose special requirements on Internet speech, contrary to the Supreme Court's 1997 ruling in Reno v. ACLU. The regulations require that the government be notified of any electronic "export" of publicly available encryption source code, and prohibit electronic "export" to certain countries. Yet people may freely send the same information anywhere on paper.

- The export regulations are still a completely discretionary licensing scheme. They continue to require licenses for a large amount of communication protected by the First Amendment, including transmitting source code that is not "publicly available," source code that is "restricted," source code forming an "open cryptographic interface," and various forms of object code.

- While the new regulations appear to permit free posting of encryption source code to Internet discussion lists, such posting may be illegal if the poster has 'reason to know' that it will be read by a person in one of the seven regulated countries (such as Cuba).

- The new regulations still ban providing information on how to create or use some encryption technology as prohibited "technical assistance." Software publishers can be fined or imprisoned for helping people to use their code. These same limitations do not apply to non-encryption source code.

In a highly-publicized court case, mathematician Daniel Bernstein has challenged the export control laws on First Amendment grounds. Professor Bernstein claims that his right to publish his own encryption software and share his research results with others over the Internet is being unconstitutionally restricted by the government's controls. Bernstein won his case at the trial level, and last year won an appeal in the Ninth Circuit Court of Appeals. Prior to the release of the new regulations, the court had granted the government's request that the appeal be reconsidered by a larger "en banc" panel of eleven judges, but recently sent the case back to the three-judge panel that originally heard it for further consideration in light of the new regulations.

A similar case challenging the constitutionality of the export rules was brought by the ACLU of Ohio on behalf of Ohio law professor Peter Junger, who wished to publish an electronic version of an encryption program he wrote. The case is pending in the Sixth Circuit Federal Court of Appeals. EPIC has participated as a "friend-of-the-court" in both the Bernstein and Junger cases.

The text of the revised encryption regulations is available at:

http://www.epic.org/crypto/export_controls/regs_1_00.html


[5] Industry Targets DVD Copying in Digital Copyright Suits


The movie industry has filed lawsuits in California, New York, and Connecticut to prevent Internet sites from distributing information about the DVD Content Scrambling System. A federal judge in a district court in New York granted a preliminary injunction January 20 against three defendants who provided the decoding software on their Web sites. A judge in a California state court granted a preliminary injunction the following day against 21 defendants. The contended program, DeCSS, created by a Norwegian programmer, allows users to decode the encryption used on DVDs.

The California case was filed by the DVD Copy Control Association, an industry trade group, after Christmas against 72 Web sites and individuals who had either published information about DeCSS or provided a link to the information from their sites. The DVD-CCA claims that the defendants are violating their trade secrets by discussing the source code used to bypass the DVD encryption scheme through reverse engineering. The defendants, however, assert that the purpose of the DeCSS is not to engage in illegal duplication of DVDs but rather to allow DVDs to operate on computers using the Linux operating system. The Global Internet Liberty Campaign, a coalition of more than 50 civil liberties groups worldwide, issued a statement claiming that the DVD-CCA's assault could have a severe impact on free expression: "We believe that intellectual property owners should not be allowed to expand their property rights at the expense of free speech -- particularly when the speech in question explains how companies have prevented the dissemination of new scientific ideas."

The New York case and a companion case in a Connecticut federal court were filed on Jan. 15 and center upon the Digital Millennium Copyright Act, a 1998 law that prohibits the distribution of products that can circumvent copy protection schemes. The Motion Picture Association of America, as well as six other movie studios, are plaintiffs. Critics assert that the decoding of encryption schemes is crucial to researching, developing, and testing information processing systems. The Electronic Frontier Foundation is providing legal counsel to defendants both in California and New York.

The Global Internet Liberty Campaign statement is available at:

http://www.gilc.org/speech/DVD-CSS.html

Testimony of EPIC Executive Director Marc Rotenberg on the Digital Millennium Copyright Act (June 5, 1998) is available at:

http://www.epic.org/privacy/copyright/epic-wipo-testimony-698.html

The Electronic Frontier Foundation maintains an archive of court material relating to the DVD-CCA case at:

http://www.eff.org/ip/Video/DVDCCA_case/

EFF also maintains an archive of court material relating to the MPAA DVD cases at:

http://www.eff.org/ip/Video/MPAA_DVD_cases/



[6] Clinton Proposes Privacy Protections in State of Union Address


In President Clinton's State of the Union speech on January 27, he brought attention to the growing need to protect personal information in the next century.

After referring to the recent growth of information technology, he reminded his audience that technology has to be carefully directed in order to assure that its reach does not compromise societal values. Additionally, he said, "First and foremost, we have to safeguard our citizens' privacy."

Specifically, he mentioned the ongoing rule-making process over medical privacy regulations, the need for stronger protections over financial records, and more work on preventing genetic discrimination from insurers and employers.

The full text of the President's speech is available at:

http://www.whitehouse.gov/WH/SOTU00/sotu-text.html


[7] EPIC Bookstore -- Critical Infrastructure Report


Critical Infrastructure Protection and the Endangerment of Civil Liberties: An Assessment of the President's Commission on Critical Infrastructure Protection (PCCIP) by Wayne Madsen.

http://www.amazon.com/exec/obidos/ISBN=1893044017/electronicprivacA

Excerpt from the Executive Summary:

On July 15, 1997, President Clinton signed Executive Order 13010, which established the President's Commission on Critical Infrastructure Protection (PCCIP). The Executive Order listed eight sectors that the PCCIP was to examine for security vulnerabilities. They are: telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services, and continuity of government.

President Clinton appointed retired Air Force General Robert T. Marsh to chair the PCCIP. Although the commission, its Steering Committee, and its Advisory Committee were composed of members of government and industry, the membership of the three bodies consisted of a majority of military and intelligence representatives.

PCCIP's report, issued in October 1997, contained many recommendations that have the potential to curtail a number of important civil liberties, including freedom of speech and freedom of information. Although the report concluded there was no evidence of an "impending cyber attack which could have a debilitating effect on the nation's critical infrastructure," it did recommend a new bureaucratic security establishment with expansive authority. If not properly monitored and controlled, these new national security structures and intelligence-sharing networks, in addition to those that already exist, may, instead of protecting the national infrastructure, be used by the government and private corporations to further erode the privacy of U.S. and foreign citizens.

Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore: http://www.epic.org/bookstore/



[8] Upcoming Conferences and Events


Privacy, Security & Confidentiality of Medical Records 2000: Complying With New HIPAA Regulations. NonProfit Management. One Day Seminars. Various Locations and Times. For more information: http://www.nonprofitmgt.com/privacy

Federal Trade Commission Advisory Committee on Online Privacy and Security. Series of Meetings. Federal Trade Commission Headquarters. Washington, D.C. For more information: http://www.ftc.gov/acoas/

Cyberspace and Privacy: A New Legal Paradigm? February 7, 2000. Stanford Law School. Stanford, CA. For more information: http://lawreview.stanford.edu or http://stlr.stanford.edu

Santa Clara University Computer and High Technology Journal Symposium on Internet Privacy. February 11-12, 2000. For more information: http://www.scu.edu/techlaw/symposium

Government Technology Conference 2000. February 14-18, 2000. Austin Convention Center. Austin, TX. For more information: http://www.govtech.net

E-Commerce and Privacy: Implementing the New Law. Riley Information Services. February 21, 2000. Westin Hotel, Ottawa. For more information: http://www.rileyis.com/seminars/

Financial Cryptography '00. International Financial Cryptography Association. February 21-24, 2000. InterIsland Hotel. Anguilla, British West Indies. For more information: http://fc00.ai/

The New Wave of Privacy Protection in Canada. BC Freedom of Information and Privacy Association and Riley Information Services. March 9-10, 2000. Hotel Vancouver. Vancouver, British Columbia. For more information: http://www.rileyis.com

HIPAA Security and Privacy Requirements: A How To Blueprint for Compliance. MIS Training Institute. Two-day Seminars. Various Locations and Times. For more information: http://www.misti.com

Entrust SecureSummit 2000. May 1-4, 2000. Hyatt Regency Dallas at Reunion. Dallas, Texas. For more information: http://www.securesummit.com

Shaping the Network: The Future of the Public Sphere in Cyberspace. Computer Professionals for Social Responsibility (CPSR). Call for Papers -- Abstracts Due February 15. May 20-23, 2000. Seattle, Washington. For more information: http://www.scn.org/cpsr/diac-00

Telecommunications: The Bridge to Globalization in the Information Society. Biennial Conference of the International Telecommunications Society. July 2-5, 2000. For more information: http://www.its2000.org.ar

Subscription Information


The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:

http://www.epic.org/alert/


About EPIC


The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 7.02


URL: http://www.worldlii.org/int/journals/EPICAlert/2000/2.html