EPIC Alert 8.14 [2001] EPICAlert 14
EPIC ALERT
Volume 8.14 July 31, 2001
Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/alert/EPIC_Alert_8.14.html
Table of Contents
[1] Privacy Groups File FTC Complaint About Windows XP
[2] Court Hears Arguments on Use of Secret Keystroke Monitor
[3] House Adopts Carnivore Reporting Requirements
[4] FBI Nominee Questioned on Computer Privacy Issues
[5] Groups Petition Agencies to Improve Financial Privacy
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - Striking a Balance: ePrivacy in the Workplace
[8] Upcoming Conferences and Events
[1] Privacy Groups File FTC Complaint About Windows XP
On July 26, EPIC and thirteen other public interest groups filed a formal complaint with the Federal Trade Commission regarding Windows XP, Microsoft's new operating system. The complaint alleges that this system and associated services such as Hailstorm, Passport, and E-Wallet, are intended to profile, track, and monitor millions of Internet users, and therefore Microsoft is engaging in unfair and deceptive trade practices in violation of Section 5 of the Federal Trade Commission Act.
The complaint examines in detail the privacy threats of Passport, Hailstorm, Hotmail, the MSN network of Web sites, and the product activation and registration procedures for Windows XP. It examines how each of these services collects and discloses detailed personal information about users without sufficient guarantees of privacy or security, and often without any real knowledge or consent. It demonstrates how Passport account information is shared among third party Web-sites; how Windows XP users are forced to create a Passport account to use Internet communications features (such as instant messaging); how Hailstorm essentially strips users of their right to control their personal information; how Hotmail users are automatically signed up for a Passport account without notice or even an opt-out facility; and how Microsoft misleads consumers when it says that information gathered through product activation will not be linked to personally identifiable information. The complaint concludes that the far-reaching and inter-connected nature of these Internet business activities, coupled with the extraordinary market dominance of Microsoft, constitutes a unique threat to the privacy of computer users.
In terms of relief, the complainants request the FTC to initiate an investigation into the information collection practices of Windows XP and other services, and to order Microsoft to revise XP registration procedures; to block the sharing of Passport information among Microsoft properties absent explicit consent; to allow users of Windows XP to gain access to Microsoft web sites without disclosing their actual identity; and to enable users of Windows XP to easily integrate services provided by non-Microsoft companies for online payment, electronic commerce, and other Internet-based commercial activity.
The complaint is available at:
http://www.epic.org/privacy/consumer/MS_complaint.pdf
[2] Court Hears Arguments on Use of Secret Keystroke Monitor
In a case that could have a significant impact on the conduct of high-tech police investigations, a federal judge in Newark, New Jersey heard arguments on July 30 on a motion to disclose information concerning the FBI's surreptitious installation of a "key logger" on a suspect's computer. The mechanism was used to capture the suspect's PGP encryption passphrase. In the first known case of its kind, the defense is seeking discovery that would allow analysis of the technique, which has only been described publicly as "specialized computer software, firmware and/or hardware." The government is vigorously opposing disclosure.
U.S. District Court Judge Nicholas Politan directed attorneys for defendant Nicodemo Scarfo, Jr. to file a supplemental brief addressing their need for information describing the secret technique by August 1; the government was ordered to respond by August 3.
The details are important for two reasons. First, the FBI installed the logger with a standard search warrant rather than a wiretap authorization. FBI pen register records, however, indicate that Scarfo accessed his online account numerous times while his computer was subject to monitoring. The defense argues that the logging mechanism must be evaluated to determine whether it could have captured online activity (which would have required a wiretap order).
The defense also argues that the technique may have violated the Fourth Amendment by facilitating a "general search." While the court order authorizing the installation specified that Scarfo's encryption passphrase was the target of the search, it appears that all information entered into the computer was subject to capture.
The technique employed in the case is similar to procedures that would have been authorized in legislation proposed by the Clinton Administration in 1999. The draft legislation, known as the Cyberspace Electronic Security Act (CESA), would have amended current law to authorize "the alteration of hardware or software that allows plaintext to be obtained even if attempts were made to protect it through encryption." The CESA proposal, which was dropped in the face of strong public opposition, would have given law enforcement officials the power to enter private premises surreptitiously to install a "recovery device." (See EPIC Alert 6.13).
Selected court documents on the Scarfo case are available at:
http://www.epic.org/crypto/scarfo.html
[3] House Adopts Carnivore Reporting Requirements
Following a recommendation made by EPIC last year in Congressional testimony, the House of Representatives has established new reporting requirements for the use of the Carnivore Internet surveillance device (also known as DCS 1000) and other similar systems by law enforcement agents. These requirements were outlined in an amendment offered by Rep. Bob Barr (R-GA), which passed as part of the Department of Justice's annual appropriations bill, H.R. 2215.
The Barr Amendment requires the Attorney General and the Director of the FBI to submit annual reports to Congress, detailing such information as the number of times Carnivore was used in the past fiscal year and the criteria and procedures for submitting, reviewing, and approving requests to use Carnivore.
Carnivore was developed to monitor e-mail and other online activities of suspected criminals. Privacy advocates argue that the system is too invasive, and fear that it grants the government too much power in monitoring citizens' private online activities by requiring Internet service providers to give law enforcement full access to their data traffic.
A spokesman for Rep. Dick Armey (R-TX) said that the legislation "sends a message [to the FBI] that Congress is watching and there will be accountability if this system is used."
The bill was referred to the Senate Judiciary Committee on July 24.
If it passes the Senate, the Attorney General and the FBI Director will be required to submit their first report to Congress no later than 30 days after the end of Fiscal Year 2001.
For background information on Carnivore, see:
http://www.epic.org/privacy/carnivore/
Proposed Carnivore reporting requirements, as specified in H.R. 2215:
http://www.epic.org/privacy/carnivore/reporting.html
[4] FBI Nominee Questioned on Computer Privacy Issues
The Senate Judiciary Committee today concluded the second and final day of hearings on the nomination of Robert S. Mueller to be the next Director of the FBI. Several days prior to the confirmation hearings, EPIC sent a letter to the Committee, urging it to question the nominee on his views on privacy and freedom of information issues. Several of the issues addressed in the letter were raised during the hearings.
On the first day of the confirmation hearings, in response to a question from Sen. Orrin Hatch (R-UT), Mr. Mueller laid out a four-tier hierarchy for the investigation of computer crimes. In priority order, Mr. Mueller said he would like to see the FBI focus most heavily on computer intrusions and denial of service attacks; theft of intellectual property and corporate espionage; fraud and child pornography; and finally, the theft of high-tech hardware.
On the second day of the hearings, Sen. Maria Cantwell (D-WA) directly asked Mr. Mueller about the FBI's high-tech investigative techniques and the potentially invasive implications of systems such as Carnivore and the FBI's "key logger" system (specifically referring to the Scarfo case). Mr. Mueller stated that the FBI's newest technological "investigative tools" are "cutting edge" and "second to none." He went on to say that the "rapid advances" of these investigative tools have led to "privacy concerns that we have to address." Stating that he is "sensitive to the concerns relating to privacy," Mr. Mueller noted that he has "already had meetings with privacy groups" concerning Carnivore and that he hopes that "technology overtakes the necessity for using" such systems in the future.
Committee Chairman Patrick Leahy (D-VT) picked up where Sen. Cantwell left off, questioning Mr. Mueller about the recent Supreme Court decision in Kyllo v. U.S., where the warrantless use of thermal imaging devices was found to violate the Fourth Amendment (see EPIC Alert 8.11). Mr. Mueller said that this was an area where "law enforcement needed guidance from the Supreme Court," although he pointed out that the Kyllo decision was "not a unanimous decision."
Mr. Mueller went on to say that regarding issues "where there is a law enforcement tool, [and] there are privacy issues implicated . . . we do have to look at each of those issues and be cognizant of the privacy interests involved." The nominee said that in the future, he would like to "sit down and get the input from a number of different people with different concerns . . . [and be] responsive to those concerns and do so without the necessity of perhaps going to a court or a third party."
EPIC's letter to the Senate Judiciary Committee is available at:
http://www.epic.org/privacy/jud_comm_mueller.html
[5] Groups Petition Agencies to Improve Financial Privacy
EPIC and a coalition of consumer and civil liberties groups have petitioned federal agencies to improve financial privacy protections under the Gramm-Leach-Bliley Act (GLBA). The petition requests that the agencies begin a new rulemaking to ensure that consumers receive clear and concise notice and convenient methods of opting-out of information sharing.
In recent months, consumers received GLBA privacy notices that contained information describing the opt-out process. However, the notices were often lengthy and difficult to read. Many employed language rife with double-negatives and confusing sentence structure. A study conducted by a readability expert concluded that most policies were written at a third or fourth-year college reading level. As a result of confusing privacy notices and the burden placed on consumers by opt-out mechanisms, the American Banking Association has estimated that less than one percent of consumers have opted-out under the GLBA.
In order to inform consumers fully of their rights and to encourage opting-out, the petition suggests specific language to clarify rights and mechanisms that will facilitate opting out. EPIC will continue to follow developments surrounding the GLBA and financial privacy, and advocate the adoption of an opt-in standard for privacy.
Coalition Petition to Federal Agencies to Improve GLBA Privacy Requirements:
http://www.epic.org/privacy/consumer/glbpetition.pdf
[6] EPIC Bill-Track: New Bills in Congress
*House*
H.R.2215 21st Century Department of Justice Appropriations Authorization Act. To authorize appropriations for the Department of Justice for fiscal year 2002, and for other purposes. Sponsor: Rep Sensenbrenner, F. James, Jr. (R-WI). Latest Major Action: 7/24/2001 Referred to Senate committee: House Judiciary; Senate Judiciary
*Senate*
S.1215 Departments of Commerce, Justice, and State, the Judiciary, and Related Agencies Appropriations Act, 2002. An original bill making appropriations for the Departments of Commerce, Justice, and State, the Judiciary, and related agencies for the fiscal year ending September 30, 2002, and for other purposes. Sponsor: Sen Hollings, Ernest F. (D-SC). Latest Major Action: 7/20/2001 Placed on Senate Legislative Calendar under General Orders. Calendar No. 95. Committees: Senate Appropriations.
S.1234. A bill to amend title 18, United States Code, to provide that certain sexual crimes against children are predicate crimes for the interception of communications, and for other purposes. Sponsor: Sen Hatch, Orrin G. (R-UT). Latest Major Action: 7/25/2001 Referred to Senate committee: Senate Judiciary.
S.1242. A bill to amend the Fair Credit Reporting Act to provide for disclosure of credit-scoring information by creditors and consumer reporting agencies. Sponsor: Sen Schumer, Charles E. (D-NY). Latest Major Action: 7/25/2001 Referred to Senate committee: Senate Banking, Housing, and Urban Affairs.
EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills in the 107th Congress, is available at:
http://www.epic.org/privacy/bill_track.html
[7] EPIC Bookstore - Striking a Balance: e-Privacy in the Workplace
Striking a Balance: e-Privacy in the Workplace by the Business for Social Responsibility Education Fund
http://store.bsr.org/product.cfm?product=16521
With the American Management Association finding that nearly 3/4 of major businesses monitor their employees, the Business for Social Responsibility Education Fund has released a report arguing that employers should accommodate workers' privacy. The report finds that not accommodating privacy in the workplace can result in a lack of employee trust, creativity, and health. Accordingly, the study recommends that employers accommodate some fundamental privacy rights for their employees. These include notice, employee participation in drafting a monitoring policy, and employee access to information collected under the policy.
EPIC Publications:
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls," (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/
The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.
"Privacy & Human Rights 2000: An International Survey of Privacy Laws and Developments," David Banisar, author (EPIC 2000).
Price: $20. http://www.epic.org/phr/
This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.
"The Privacy Law Sourcebook 2000: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000).
Price: $40. http://www.epic.org/pls/
The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.
"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/
EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.
Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore: http://www.epic.org/bookstore/
[8] Upcoming Conferences and Events
Healthcare Transactions and Code Sets, Privacy, Data Security and HIPAA/GLB Compliance: The Future of Technology, the Internet and EDI in Healthcare. The Health Colloquium at Harvard and the HIPAA Summit Conference Series. August 19-22, 2001. Cambridge, MA. For more information: http://www.ehc-info.com/
The Broadband Economy: The Emerging Market System in Bandwidth.
Columbia Institute for Tele-Information (CITI). September 14, 2001.
New York, NY. For more information: http://www.citi.columbia.edu/
Key Drivers for 3G Wireless: Will 3G Deliver its Promise? Columbia Institute for Tele-Information (CITI). September 20, 2001. New York, NY. For more information: http://www.citi.columbia.edu/
Health Information Privacy: Dialogue with the Stakeholders. Riley Information Services, Inc. September 28, 2001. Ottawa, Canada. For more information: http://www.rileyis.com/seminars/
Call For Submissions - August 3, 2001. Workshop on Security and Privacy in Digital Rights Management 2001. Eighth Association for Computing Machinery (ACM) Conference on Computer and Communications Security. November 5, 2001. Philadelphia, PA. For more information:
http://www.star-lab.com/sander/spdrm/
Privacy2001: Information, Security & Ethics for the New Century. Technology Policy Group. October 3-4, 2001. Cleveland, OH. For more information: http://www.privacy2000.org/
Privacy: The New Management Imperative - Chief Privacy Officer Training Program. Southern Methodist University and Privacy Council. October 15-17, 2001. Dallas, TX. For more information:
http://execdev.cox.smu.edu/
Nurturing the Cybercommons, 1981-2001. Computer Professionals for Social Responsibility (CPSR) 20th Annual Meeting. October 19-21, 2001. Ann Arbor, MI. For more information:
http://www.cpsr.org/conferences/annmtg01/
The Third National HIPAA Summit: From Theory to Practice - From Planning to Implementation. October 24-26, 2001. Washington, DC. For more information: http://www.hipaasummit.com/
The 29th Research Conference on Communication, Information and Internet Policy. Telecommunications Policy Research Conference. October 27-29, 2001. Alexandria, VA. For more information:
http://www.tprc.org
The 8th Annual Centre for Applied Cryptographic Research (CACR)
Information Security Workshop: The Human Face of Privacy Technology.
University of Waterloo and Information and Privacy Commission/Ontario.
November 1-2, 2001. Toronto, Ontario. For more information:
http://www.cacr.math.uwaterloo.ca/
Privacy: The New Management Imperative - Chief Privacy Officer Training Program. Cambridge University and Privacy Council. November 5-8, 2001. Cambridge, England. For more information:
kturner@privacycouncil.com
Learning for the Future. Business for Social Responsibility's Ninth Annual Conference. November 7-9, 2001. Seattle, WA. For more information:
http://www.bsr.org/events/2001.asp
Subscription Information
The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:
http://www.epic.org/alert/subscribe.html
To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".
Back issues are available at:
http://www.epic.org/alert/
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you have any other questions.
About EPIC
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at http://www.guidestar.org/aol/search/report/report.adp?ein=52-2225921
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.
END EPIC Alert 8.14
URL: http://www.worldlii.org/int/journals/EPICAlert/2001/14.html