---------------------------------------------------------------
EPIC DIGEST AT PRIVACY.ORG

EPIC-DIGEST is a weekly update of news, information, and action items posted on privacy.org.

January 26 - February 6, 2001

TOC------------------------------------------------------------

NEWS

Consumers International Survey: US and EU Web Sites Ignore Privacy Standards
DEA Agent Allegedly Sells Police Information to Private Investigators
Printing Error Causes Privacy Breach
FDIC Releases Privacy Rule Handbook for Banks
Groups Sound Off on Access to Court Records
Ashcroft Promises to Review Carnivore
DoubleClick Reportedly Developing New Method to Combine Data
Australian ISPs Charge Police for Investigation Costs
Australian Privacy Commissioner: Comply or Be Fined
Online Privacy Legislation Introduced
FTC's 'Consumer Sentinel' Online
EPIC Submits FOIA Request to DoD on Children's Browsing
Recent Privacy Violations Show Need for Privacy Regulation
Toysmart Customer List to Be Destroyed
EC Seeks Comment on Online Crime
AMA Releases Report on Health Information Privacy
Tech Association Announces Self-Regulatory Guidelines
Nortel Networks Develops New Tracking Software
FTC Identifies Companies Selling Personal Information
Sen. Dodd Joins Privacy Caucus
Big Brother at the Super Bowl
Orwell v. Kafka: A Debate on Privacy Metaphors
Trade Association Supports Federal Legislation With State Preemption
Juno to Employ Users' Computers for Virtual Supercomputer Project
CPC to Hold Hearings on Web Bugs
FTC Approves Safe Harbor for Children's Online Privacy
EU Study: Spam Costs Users $9.4 Billion
Privacy Foundation Exposes 'Email Wiretapping'
Legislation to Strengthen Privacy Regulations

ACTION

"ENO to ENUM! We are not numbers!"

NEWS-----------------------------------------------------------

DEA Agent Allegedly Sells Police Information to Private Investigators

A Drug Enforcement Administration agent has been charged with illegally accessing law-enforcement computer systems, wire fraud, and bribery for allegedly selling data from police databases to private investigators.

DEA data theft raises privacy concerns, CNET, January 24, 2001.
http://news.cnet.com/news/0-1005-201-4583028-0.html?tag=unkn

---------------------------------------------------------------
Printing Error Causes Privacy Breach

A printing error by an American Express processing center that administers 401(k) accounts resulted in clients receiving other persons' account statements. Some clients received statements that included the Social Security Numbers, birth dates, and fund balances of coworkers and strangers. Andrew Shen, of EPIC, commented that: "More and more, the cause of privacy breaches isn't malicious intent but a programming mistake."

Retirement Plan's Error Discloses Personal Data, Washington Post, January 24, 2001.
http://www.washingtonpost.com/wp-dyn/articles/A36460-2001Jan23.html

---------------------------------------------------------------
Consumers International Survey: US and EU Web Sites Ignore Privacy Standards

A survey of 751 web sites concluded that a high percentage of both US and EU web sites fail to protect users' privacy. The survey authors argue that existing governmental measures in place to protect privacy are inadequate.

Consumers International Report, Consumers International Web Page.
http://www.consumersinternational.org/news/pressreleases/fprivreport.pdf

US And EU Websites Fall Short Of The International Standards On Privacy, Consumers International Press Release, January 25, 2001.
http://www.consumersinternational.org/news/pressreleases/privacy250101.html

Consumer group: Online privacy protections fall short, Computerworld, January 24, 2001.
http://computerworld.com/cwi/story/0%2C1199%2CNAV47_STO56858_NLTam%2C00.html

Most US, EU Sites Ignore Int'l Privacy Standards, Newsbytes, January 24, 2001.
http://www.newsbytes.com/news/01/161011.html

---------------------------------------------------------------
FDIC Releases Privacy Rule Handbook for Banks

The Federal Deposit Insurance Corporation released a privacy handbook for institutions attempting to comply with consumer financial information rules under the Gramm-Leach-Bliley Act (GLBA). Compliance with the GLBA provisions is required by July 1, 2001.

Privacy of Consumer Financial Information, FDIC Press Release, January 22, 2001.
http://www.fdic.gov/news/news/financial/2001/fil0103.html

FDIC Privacy Rule Handbook, FDIC Web Page.
http://www.fdic.gov/news/news/financial/2001/fil0103a.html

---------------------------------------------------------------
Groups Sound Off on Access to Court Records

A number of organizations submitted comments to the Administrative Offices of the US Courts Friday regarding public access to electronic case files. Case files sometimes contain sensitive personal information, such as Social Security numbers, medical information, financial information, and family-conflict information. Unhindered access to this information may result in risks to personal privacy.

EPIC Public Access to Electronic Case Files Comments, EPIC Home Page.
http://www.epic.org/open_gov/ecfcomments.html

National Commission Needed to Review Privacy of Court Records, Privacy Foundation Home Page.
http://www.privacyfoundation.org/release/story8court.html

Privacy group seeks review of Net access to court files, New York Times, January 26, 2001 (registration required).
http://www.nytimes.com/cnet/CNET_0_4_4614534_00.html

Group Calls For Privacy Review Of Court Records Database, Newsbytes, January 26, 2001.
http://www.newsbytes.com/news/01/161139.html

Privacy group seeks review of Net access to court files, CNET, January 26, 2001.
http://two.digital.cnet.com/cgi-bin2/flo?y=eBS60BINIf0U0aFOy

Privacy Groups, Journalists Clash Over Court Records Database, Newsbytes, January 29, 2001.
http://www.newsbytes.com/news/01/161184.html

---------------------------------------------------------------
Ashcroft Promises to Review Carnivore

In response to a written question from Senator Herb Kohl (D-WI) regarding Carnivore, Attorney General nominee John Ashcroft said that he would conduct a "...thorough review of Carnivore and its technical capabilities, and work closely with law enforcement to ensure that adequate measures are taken to secure personal privacy before the program is deployed."

Ashcroft to Chew On Carnivore, Wired News, January 27, 2001.
http://www.wired.com/news/politics/0,1283,41452,00.html?tw=wn20010127

EPIC Carnivore Archive, EPIC Home Page.
http://www.epic.org/privacy/carnivore/

---------------------------------------------------------------
DoubleClick Reportedly Developing New Method to Combine Data

Following the end of the FTC's investigation of DoubleClick, the company may be implementing a new system for combining offline purchase data with clickstream information gained through the use of cookies.

E-Commerce Report: DoubleClick Seeking Ways to Protect Users' Anonymity, New York Times, January 29, 2001 (registration required).
http://www.nytimes.com/2001/01/29/technology/29ECOMMERCE.html?printpage=yes

---------------------------------------------------------------
Australian ISPs Charge Police for Investigation Costs

Internet service providers in Australia will soon be repaid for costs associated with police investigations of Internet users. The payment schedule is a result of increased police investigations that require the participation of ISPs.

SA Police to pay for Net searches, IT News, January 22, 2001.
http://www.it.fairfax.com.au/e-commerce/20010122/A15493-2001Jan22.html

---------------------------------------------------------------
Australian Privacy Commissioner: Comply or Be Fined

The Australian Privacy Commissioner has given businesses a one-year deadline to comply with the Private Sector Act of 2000. The Act regulates the collection, use, storage and disclosure of personal information.

Australian Privacy Commissioner's Web Site.
http://www.privacy.gov.au/

None of your business: privacy laws takes hold, Computerworld, January 24, 2001.
http://www2.idg.com.au/atug.nsf/date/D927BFB286B9F0434A2569DF0003866A

---------------------------------------------------------------
Online Privacy Legislation Introduced

Senator Edwards (D-NC) re-introduced a bill on Monday to address online privacy and the use of cookies. The bill, S. 197, requires web sites to gain consent from users before tracking their movements with cookies.

S. 197, THOMAS database.
http://thomas.loc.gov/cgi-bin/bdquery/z?d107:s.00197:

Senator Edwards Proposes Spyware Law, Press Release, Sen. Edwards Web Page, January 29, 2001.
http://edwards.senate.gov/press/2001/jan29c-pr.html

Senator introduces strong internet-privacy bill, Mercury Center (Reuters), January 30, 2001.
http://www0.mercurycenter.com/svtech/news/breaking/internet/docs/794449l.htm

---------------------------------------------------------------
FTC's 'Consumer Sentinel' Online

The FTC's fraud-fighting site, the Consumer Sentinel, is online. The page features access to complaint information, consumer tips, and an online fraud complaint page.

Consumer Sentinel, FTC Web Page.
http://www.consumer.gov/sentinel

FTC Offers Fraud, Identity Theft Data Online, Newsbytes, January 30, 2001.
http://www.newsbytes.com/news/01/161222.html

---------------------------------------------------------------
EPIC Submits FOIA Request to DoD on Children's Browsing

EPIC has filed a series of FOIA requests to obtain information from the Department of Defense about the agency's purchase of aggregate data on children's Internet browsing habits. The Department of Defense is paying $15,000 for data collected by N2H2. N2H2 collects data from children's Internet browsing behavior through the use of content filters installed at public and private schools and colleges across the country.

EPIC FOIA Request, EPIC Web Page.
http://www.epic.org/open_gov/dodfoian2h2.html

The Army Is Watching Your Kid, Wired, January 29, 2001.
http://www.wired.com/news/politics/0,1283,41476,00.html

Group Wants Feds To Disclose Plans For Kids' Net Data, Newsbytes, January 29, 2001.
http://www.newsbytes.com/news/01/161191.html

---------------------------------------------------------------
Recent Privacy Violations Show Need for Privacy Regulation

The recent privacy violations of DoubleClick, Nortel Networks, and N2H2 Inc. demonstrate that comprehensive privacy legislation is needed.

Self-Regulation Champions Dig Own Graves - Privacy Advocates, Newsbytes, January 30, 2001.
http://www.newsbytes.com/news/01/161256.html

---------------------------------------------------------------
Toysmart Customer List to Be Destroyed

A bankruptcy judge approved the destruction of the Toysmart.com customer list database. A Disney subsidiary had offered $50,000 to purchase and destroy the list. However, under the new ruling, Toysmart may destroy the list without transferring the information to the Disney subsidiary.

Mass. Judge Says Toysmart Can Destroy Customer List, Newsbytes, January 30, 2001.
http://www.newsbytes.com/news/01/161230.html

---------------------------------------------------------------
EC Seeks Comment on Online Crime

The European Commission is seeking public comment on its activities and plans to address online crime.

EC Request for Cyber-Crime Comments, EC Web Page.
http://europa.eu.int/ISPO/eif/InternetPoliciesSite/Crime/crime1.html

---------------------------------------------------------------
AMA Releases Report on Health Information Privacy

The American Medical Association's Ethical Force Program has released a consensus report on protecting health information privacy.

AMA E-Force Report, AMA Web Page.
http://www.ama-assn.org/ama/pub/category/3653.html

---------------------------------------------------------------
Tech Association Announces Self-Regulatory Guidelines

In the wake of numerous privacy bills introduced on the state and federal level, the Personalization Consortium has developed self-regulatory privacy standards for industry. The guidelines specify notice, opt-out, access, and other requirements.

Web Firms Up Ante on Privacy Regulation, EcommerceTimes, January 31, 2001.
http://www.crmdaily.com/perl/story/7149.html

Personalization trade group proposes privacy guidelines, Computerworld, January 31, 2001.
http://computerworld.com/cwi/story/0%2C1199%2CNAV47_STO57176_NLTpm%2C00.html

---------------------------------------------------------------
Nortel Networks Develops New Tracking Software

Nortel Networks has developed a software suite that allows ISPs to secretly track users' online movements. The program initiative, "Personal Internet," can target advertisements to users based upon credit card purchase history or web browsing history.

Nortel's Net 'Tracking' System Irks Privacy Groups, EcommerceTimes, January 31, 2001.
http://www.ecommercetimes.com/perl/story/7142.html

Nortel Netware Sets Off Alarms, Wired, January 31, 2001.
http://www.wired.com/news/business/0,1367,41542,00.html

---------------------------------------------------------------
FTC Identifies Companies Selling Personal Information

The Federal Trade Commission has identified 200 firms that are collecting personal financial information and selling it to others. The FTC's investigation, Operation Detect Pretext, focuses on the practice where a person poses as a real customer in order to gain information on others from financial institutions.

FTC puts Web scammers on notice, Computerworld, January 31, 2001.
http://computerworld.com/cwi/story/0%2C1199%2CNAV47_STO57175_NLTpm%2C00.html

FTC Watches for Violations of Privacy Law, Washington Post, February 1, 2001.
http://www.washingtonpost.com/wp-dyn/articles/A10861-2001Jan31.html

---------------------------------------------------------------
Sen. Dodd Joins Privacy Caucus

Senator Christopher Dodd (D-CT) has joined the Congressional Privacy Caucus (CPC). The CPC is a bi-partisan, bi-cameral body dedicated to privacy issues.

Congressional Privacy Caucus Announces New Member, Sen. Shelby Press Release, February 1, 2001.
http://shelby.senate.gov/press/prsrs391.htm

---------------------------------------------------------------
Big Brother at the Super Bowl

Police video cameras were used at the Super Bowl to scan every person as they entered the stadium. The images captured were compared against a database of suspected criminals and terrorists.

Police Video Cameras Taped Football Fans, Washington Post, February 1, 2001.
http://www.washingtonpost.com/wp-dyn/articles/A9757-2001Jan31.html

Call It Super Bowl Face Scan I, Wired, February 2, 2001.
http://www.wired.com/news/politics/0,1283,41571,00.html?tw=wn20010202

And Now, the Good Side Of Facial Profiling, Washington Post, February 4, 2001.
http://www.washingtonpost.com/wp-dyn/articles/A23360-2001Feb3.html

---------------------------------------------------------------
Orwell v. Kafka: A Debate on Privacy Metaphors

Daniel Solove, a professor at Seton Hall Law School, argues in a soon-to-be-published article that Kafka's "The Trial" provides more accurate privacy metaphors than Orwell's "1984." A working draft of the paper is online.

Privacy and Power: Computer Databases and Metaphors for Information Privacy, Seton Hall Law Web Page.
http://law.shu.edu/faculty/fulltime_faculty/soloveda/works_in_progress.htm

Kafkaesque? Big Brother? Finding the Right Literary Metaphor for Net Privacy, New York Times, February 2, 2001 (registration required).
http://www.nytimes.com/2001/02/02/technology/02CYBERLAW.html

---------------------------------------------------------------
Trade Association Supports Federal Legislation With State Preemption

The Information Technology Industry Council (ITI), an industry association including AOL Time Warner, Microsoft, and Intel, has advocated federal privacy legislation. However, the group supports legislation that preempts state attempts at providing broader protection to consumers.

IT Industry Council Signals Privacy-Law Advocacy, Newsbytes, February 1, 2001.
http://www.newsbytes.com/news/01/161378.html

---------------------------------------------------------------
Juno to Employ Users' Computers for Virtual Supercomputer Project

Juno has announced the "Virtual Supercomputer Project," a plan to employ the "unused resources of the Juno subscriber base" for distributed computing. Under the project, subscribers to Juno's free Internet service would leave their computers running 24 hours a day. When the computer is not in use, Juno's system would run the computer's processor and hard disk drive to perform computations for third parties.

Juno Announces Virtual Supercomputer Project, Juno Press Release, February 1, 2001.
http://www.juno.com/corp/news/supercomputer.html

Juno to Harvest Wasted PC Power, CNET, February 1, 2001.
http://news.cnet.com/news/0-1005-200-4689725.html?tag=st.tv.toc.top.0-1005-200-4689725

Juno and privacy, Slashdot, February 2, 2001.
http://slashdot.org/article.pl?sid=01/02/01/2127239&mode=thread

Juno Announces Web Service Plan, New York Times, February 2, 2001 (registration required).
http://www.nytimes.com/aponline/business/AP-Juno-Supercomputing.html

---------------------------------------------------------------
CPC to Hold Hearings on Web Bugs

The Congressional Privacy Caucus, the bi-partisan, bi-cameral group of federal legislators, will examine the use of "web bugs" in hearings later this month. Web bugs are transparent GIF images that are used to track Internet users as they browse the Internet.

Privacy Foundation Web Bug Page.
http://www.privacyfoundation.org/release/story3.html

Lawmakers to eye 'Web bugs' at upcoming hearing, Computerworld, February 2, 2001.
http://computerworld.com/cwi/story/0%2C1199%2CNAV47_STO57318_NLTpm%2C00.html

Lawmakers Announce Plans on Internet Privacy Law, Iwon.com (Reuters), February 1, 2001.
http://www.iwon.com/home/technology/tech_article/0,2109,95516|internet|02-01-2001::17:35|reuters,00.html

---------------------------------------------------------------
FTC Approves Safe Harbor for Children's Online Privacy

The FTC approved the first "safe harbor" guidelines for web site compliance with the Children's Online Privacy Protection Act (COPPA). The approved guidelines were submitted by the Children's Advertising Review Unit of the Council of Better Business Bureaus.

First "Safe Harbor" Approved for Children's Online Privacy Protection Act, February 1, 2001.
http://www.ftc.gov/opa/2001/02/caru.htm

FTC agrees to self-regulation for children's privacy at Web sites, Computerworld, February 2, 2001.
http://computerworld.com/cwi/story/0%2C1199%2CNAV47_STO57317_NLTpm%2C00.html

FTC OK's Kid's Privacy Safe Harbor Program, Newsbytes, February 2, 2001.
http://www.newsbytes.com/news/01/161421.html

---------------------------------------------------------------
EU Study: Spam Costs Users $9.4 Billion

A new study conducted by the European Commission estimates that e-mail spam imposes $9.4 billion in connection costs on users every year.

Commission study: "Junk" e-mail costs internet users euro 10 billion a year worldwide, EU Study, EU Web Page.
http://europa.eu.int/comm/internal_market/en/media/dataprot/studies/spam.htm

Spam Costs Users $9.4 Billion - EU Study, Newsbytes, February 2, 2001.
http://www.newsbytes.com/news/01/161432.html

E-mail marketers question EU proposal, CNN.com, February 5, 2001.
http://www.cnn.com/2001/TECH/internet/02/05/eu.spam.proposal.idg/index.html

---------------------------------------------------------------
Privacy Foundation Exposes 'Email Wiretapping'

The Privacy Foundation has uncovered a method to spy on email messages sent in HTML format. By planting a JavaScript program in an HTML email, the message could be secretly returned to the sender every time it is forwarded. The Privacy Foundation Advisory suggests methods to prevent this security problem.

Email Wiretapping, Privacy Advisory, Privacy Foundation Web Page.
http://www.privacyfoundation.org/advisories/advemailwiretap.html

A New Trick Gives Snoops Easy Access to E-mail, New York Times, February 5, 2001 (registration required).
http://www.nytimes.com/2001/02/05/technology/05JAVA.html

---------------------------------------------------------------
Legislation to Strengthen Privacy Regulations

Senator Leahy (D-VT) has promised to propose legislation to alter the health care privacy regulations released by the Clinton Administration. Leahy's legislation would grant patients a private right of action against companies that misuse or sell their information. The legislation would also include opt-in provisions to require patient consent before medical records could be used for marketing.

Leahy Promises To 'Fill In Gaps' In Healthcare Privacy Rules, Newsbytes, February 5, 2001.
http://www.newsbytes.com/news/01/161517.html

ACTION---------------------------------------------------------

"ENO to ENUM! We are not numbers!"

Learn more about ENUM, a system that has the potential to become a global unique identifier.

The working proposal is at:
http://www.ietf.org/internet-drafts/draft-ietf-enum-rqmts-01.txt

The ENUM working group is at:
http://www.ietf.org/html.charters/enum-charter.html

More information on ENUM is available at:
http://www.enumworld.com/
http://www.cybertelecom.org/teleph.htm#enum

You can make comments on ENUM to Patrik Faltstrom (paf@cisco.com) or Richard Shockey (rshockey@ix.netcom.com).

---------------------------------------------------------------
Privacy.org is a joint project of the Electronic Privacy Information Center (http://www.epic.org) and Privacy International (http://www.privacyinternational.org). For more information, e-mail Chris Hoofnagle at digest-editor@privacy.org.

---------------------------------------------------------------
How to unsubscribe from EPIC-DIGEST:

You can leave the EPIC-DIGEST by entering the subscription e-mail address at http://www.privacy.org/digest.php and selecting "unsubscribe."

Or, you can send a blank e-mail message to EPIC-DIGEST@lists.epic.org from the subscribed address with the following text in the subject line:

unsubscribe

If you experience difficulty with subscription issues, send a message to digest-editor@privacy.org.

---------------------------------------------------------------
EPIC-DIGEST Privacy Policy:
http://www.privacy.org/privacy.php

---------------------------------------------------------------
END EPIC-DIGEST