NewsGram: LITA Legislation & Regulation Update (3 February 2004)
This is an irregular newsletter from the LITA Committee on Legislation and Regulation on key areas of technology-related legislation and regulation that affect libraries.
Guest Editor: Eulalia Roel (LegReg Comm.)
Asst. Editor: Buckley Barrett (Chair, LegReg Comm.)
A. Defense Department Report Blasts Total Information Awareness
-- from EPIC Alert / 14 January 2004:
Citing lack of foresight and the possibility of governmental abuse of power, the Department of Defense's Inspector General has released a report criticizing the agency's failure to consider privacy concerns when developing the Total Information Awareness (TIA) system.
Initiated in 2002, TIA (later called Terrorism Information Awareness) was designed to integrate information systems in order to search and analyze vast quantities of data for indications of terrorist activity. TIA was also intended for eventual use by domestic law enforcement. Congress and the public expressed concern about TIA, particularly with respect to privacy. The report notes that in February 2003 Congress stopped funding for TIA until the Pentagon "could prove that the program does not violate privacy rights." Funding for all but three of TIA's components was ultimately eliminated in September 2003.
...The report criticizes the agency for, among other things, failing to conduct a privacy impact assessment (PIA) ... Although TIA has mostly been scrapped, this report is significant because it suggests that a PIA should be completed for all TIA-type technology even if no firm requirement mandates it ... [and] ... may help ensure that appropriate experts are involved in future projects and that privacy, policy, legal and protective measures are addressed [in] future.
The DOD Inspector General's Report is available at:
www.dodig.osd.mil/audit/reports/FY04/04-033.pdf.
For more information, see EPIC's Total Information Awareness page:
www.epic.org/privacy/profiling/tia
B. FOIA Document: Microsoft Palladium & User Privacy: Unique Identifier Issues
-- more from EPIC:
A 2002 document concerning Microsoft Palladium -- a proposed array of tools for "secure" or "trusted" computing -- has been obtained by EPIC under FOIA from the National Institute of Standards and Technology (NIST). While AMD, Intel, IBM, and HP have worked on aspects of the effort described in the doc, the predominating Microsoft vision has profound implications for privacy and for altering the balance of power among computer users, media companies, and software programmers.
Although MS has attempted to pitch Palladium as a tool for protecting individuals' privacy, the technology could establish an infrastructure of unique user identification and tracking via such integral actions as ... traffic analysis of user behavior and establishment of unique machine identifiers.
To complicate the matter, Trusted Computing does present some opportunity for greater computer privacy and security. For instance, the technology could improve encryption key storage, it would provide for a more secure boot process, and reduce the risk that keyloggers or other devices could intercept passwords or communications.
However, the potential for control of computer users cannot be underestimated. Generally it will reduce user control over the computer, resulting in programmers being able to force upgrades, control which media or other applications are approved, or even erase pirated content or applications. Depending on its implementation, the technology could eliminate online anonymity and could serve as a starting point for ubiquitous Digital Rights Management (DRM) technologies.
As Professor Ross Anderson has noted, Trusted Computing "will be more trustworthy from the point of view of software vendors and the content industry but ... less trustworthy from the point of view of their [pc] owners. In effect, the TCG specification will transfer the ultimate control of your PC from you to whoever wrote the software it happens to be running."
NIST Palladium Presentation:
www.epic.org/privacy/consumer/microsoft/nistpalladium.pdf.
EPIC Palladium / Next Generation Secure Computing Base Page:
epic.org/privacy/consumer/microsoft/palladium.html.
C. Sen. Lieberman Offers Privacy Program
Democratic presidential hopeful Joe Lieberman vowed to introduce new privacy protections and to break the "Bush Wall of Secrecy" in the federal government. Comparing President Bush to the Nixon administration, Lieberman blamed Bush for "failing to safeguard information that ought to stay private while keeping secret information that ought to be public."
Lieberman's plan would establish a high-level Electronic Privacy Task Force and address better protections re identity theft, financial information, social security numbers, medical information, and information about children.
Sen. Lieberman's Plan To Protect Privacy is available at:
www.joe2004.com/site/News2?page=NewsArticle&id=6672.
D. Book to Consider: J. Rosen's The Naked Crowd
The Naked Crowd: Reclaiming Security and Freedom in an Anxious Age. Jeffrey Rosen (Random House 2004).
From Marc Rotenberg and EPIC (Dec. 2003):
Rosen's new book The Naked Crowd looks at today's American challenge of preserving freedom. Although it recalls Vance Packard's popular The Naked Society of the '60s, Rosen is more Tocqueville than Packard. He is less concerned with blowing the whistle on Big Government and Big Business and more interested in trying to understand how Americans, with their unique strengths and weaknesses, should best respond.
The question is whether a society enamored of reality TV and willing to post intimate personal details on a web log for thousands to view is prepared to assert a right of privacy and to do so in a way that reflects broad respect for the value of individuality and not simply coarse self-interest. The answer is possibly.
Rosen looks to the Congress more than the courts as the main line of defense as new proposals for surveillance are set forward, and he also proposes that new technologies be developed to enhance security while simultaneously safeguarding privacy.
E. Coalition Recommends RFID Privacy Practices
More than 35 groups, including EPIC, have endorsed a privacy statement outlining the threats and best practices for the use of Radio Frequency Identification (RFID) technology in consumer products.
The 20 Nov. 2003 commentary outlined concerns about how RFID technology could threaten purchasing anonymity [and we could easily extrapolate to library patron anonymity] and recommended key solutions .... including routine technical assessments of the use of the technology and a mandate requiring companies to abide by established fair information practices (FIPs) of the Organization for Economic Co-operation and Development.
The debate over use of RFID technology is not just playing out in theory and privacy statements. The technology has been making headlines recently as more retail outlets stock their shelves with products tagged by RFID. Wal-Mart received criticism for the company's secret testing of RFID in health and beauty products earlier this year, but that has not stopped the push. Wal-Mart announced that it intends to require all of the products sold in the store to be tagged with RFID within two years.
However, the coalition privacy statement does not advocate a complete rejection of the retail use of the technology. On the contrary, the statement acknowledged that there are acceptable uses of RFID, including for use in tracking pharmaceuticals, certain manufactured goods before the point of sale, and tracking toxic substances. Yet, for all other uses of the technology, especially at the point where the consumer comes in, the statement urges reasonable measures to assure that the individuals are not forced to relinquish their anonymity at the point of sale....
The coalition's position paper is available at:
www.privacyrights.org/ar/RFIDposition.htm.
The OECD's fair information practices guidelines are available at:
www.oecd.org.
For background information, see EPIC's RFID page at:
www.epic.org/privacy/rfid.
F. FCC Internet Telephony Forum
The Federal Communications Commission held a forum late in 2003 to discuss "Voice Over Internet Protocol" (VoIP), a technology used to facilitate Internet telephony.
Many privacy issues are raised by the technology. First, VoIP users can evade police wiretapping in some cases. As a result, the FBI has sought to impose new requirements on Internet telephony providers that would facilitate wiretapping. Also, location privacy issues are raised with "presence sensing" and E911-compliant Internet systems. And, as another example, developing Internet telephony contact systems (such as ENUM) may depend on individuals posting personal contact information in publicly-available databases. The FCC is expected to release a Notice of Public Rulemaking on VoIP soon.
For background information, see EPIC's Internet Telephony page at:
www.epic.org/privacy/voip.
... and their ENUM page at:
www.epic.org/privacy/enum.
G. 2003 Year in Review: Privacy/Related Issues
-- Selected items:
January 8: Gillette and Wal-Mart announce plans to test in a Massachusetts Wal-Mart "smart shelves," which identify radio frequencies emitted by RFID chips embedded in Gillette products. Gillette says that the technology will help monitor inventory and reduce theft, but privacy groups charge that it will also be used to track consumers.
January 21: In July 2002, the Recording Industry Association of America demanded that Verizon turn over the name of a customer alleged to have traded recording artists' copyrighted material. Verizon refused to turn over the name, and was then sued by the RIAA. The court determined that the RIAA did not need to obtain a judge's approval before demanding customer information from Internet service providers.
February 18: New Hampshire Supreme Court: Information Brokers May Be Liable for Selling Personal Info ....The N.H. Supreme Court determines that information brokers and private investigators can be held responsible for harms caused by selling an individual's personal information. In this case, a young woman was murdered by a stalker who obtained her personal information from information brokers and private investigators. The court found that p.i.'s and info brokers have a duty to exercise reasonable care when the sale of personal information creates a risk to the individual being investigated. The court also decided individuals can sue investigators who purchase their Social Security numbers from credit reporting agencies without permission.
March 5: Supreme Court: States Can Post Sex Offender Info on the Internet: Court holds that states may post the names and photos of convicted sex offenders on the Internet without violating those individuals' rights. The decision marks the first time the Court has directly faced the question of whether public records should be made available on the Internet.
March 21: Federal Court Upholds Junk Fax Law: A federal appeals court upholds the Telephone Consumer Protection Act against a First Amendment challenge. A junk fax company Fax.com and Wal-Mart argued that the law violated free speech rights because it imposes fines upon companies that send fax advertisements without the permission of the individual receiving the fax. The case marks a court victory for opt-in privacy laws.
April 22: No Fly List Strands Innocent Travelers: Documents uncovered by EPIC's FOIA lawsuit against the Transportation Security Administration (TSA) reveal that innocent people were swept up by the No Fly watch list. The problems raise questions about a proposed passenger profiling system, how it will protect due process rights, and whether it is an effective security measure.
April 29: Secret Surveillance and Search at All-Time High: 2002 annual report on the Foreign Intelligence Surveillance Act finds all 1228 applications for electronic surveillance and physical search were approved. In 2001, the FISA Court approved 934 applications. The Patriot Act greatly expanded the government's authority to use the secretive surveillance law.
May 12: New Microsoft Passport Flaw Found: Microsoft concedes that a new flaw was found in Microsoft Passport that could expose personal information, including credit card numbers, of 200 million Internet users. FTC found that Microsoft representations about Passport constituted an unfair and deceptive trade practice and settled the action.
June 23: U.S. Supreme Court OKs Library Internet Filters: Upholds a federal law requiring libraries to filter Internet content to receive federal funding. Critics argued that the law violated free speech rights guaranteed by the Constitution. The Court disagreed, explaining that libraries could temporarily turn off the software if asked by library patrons so that they could view material that would otherwise be inaccessible.
July 10: Wal-Mart Scraps "Smart Shelf" Plan: Announces it would not move forward with plans to install "smart shelf" technology in its stores that would receive radio frequencies emitted by Gillette products with Radio Frequency Identification (RFID) chips. Wal-Mart said the move simply reflected a corporate decision to implement RFID technology in warehouses and distribution centers instead of retail stores.
August 11: Mississippi District Installs Webcams in Classrooms: The school district in Biloxi, Mississippi becomes the first in the nation to implement a system of Internet-wired video cameras (nearly 500) to monitor its classrooms and hallways 24 hours a day. The district, which is comprised of some 6,300 students, cited security concerns as the basis for its camera use. Only designated school officials and security personnel are allowed to view the footage, which can be displayed on a computer linked to the Internet.
August 20: Tampa Scraps Face-Recognition System: Police Department abandons the face recognition system used with its video surveillance cameras, citing the system's failure to recognize anyone wanted by the authorities over a two-year period. The camera-based system scanned the faces of tourists, residents, and visitors and then compared the images with police mug shots. The system's use never led to any arrests or positive identifications. The Identix system is still in operation in Virginia Beach and Great Britain.
August 21: County Requires DNA for Guilty Pleas: Prosecutors in Jackson County, Missouri instituted a policy requiring DNA samples from anyone wishing to plead guilty to a felony. Prosecutors believe the samples can be a useful tool in solving violent crimes. The county Public Defender's office, however, is opposed to the practice and is recommending that its clients not comply. Other states, including Virginia, require DNA even from people who were only arrested and questioned.
September 18: JetBlue Confirms Disclosing Passenger Data: JetBlue Airways admits that it provided 5 million passenger itineraries to Torch Concepts, a Defense Department contractor, as part of a massive data mining experiment. Torch Concepts supplemented the JetBlue data with information such as Social Security numbers and income levels furnished by Acxiom Corporation. Congress calls for an investigation.
September 19: UK Makes Spam a Crime: Britain becomes the second country in Europe to criminalize spam. Under the new law, spammers face an $8,057 fine if convicted in a magistrates court but could not be imprisoned. Potential fines imposed in a jury trial would be unlimited.
September 22: Transatlantic Tiff Over Passenger Data: E.U. officials meet in Brussels with Homeland Security officials to discuss whether European airlines should be forced to hand over information on their passengers to the U.S. government. The transfer of such information violates many European privacy laws.
September 25: Congress Pulls Plug on Total Information Awareness: Senate passes a $368 billion Pentagon spending measure that eliminated funding for the T.I.A. office. As headed by retired admiral John Poindexter, the office was responsible for the controversial Total Information Awareness surveillance program as well as a proposed terrorism futures market.
September 26: Congress Freezes CAPPS II Funding: Suspends funding for the controversial Computer Assisted Passenger Pre-Screening System until there is a study of the system and a certification that privacy issues have been satisfactorily addressed. The report is expected in mid-February 2004.
October 1: Do-Not-Call List Sparks Litigious Furor: To the delight of telemarketing foes throughout the nation, the Federal Trade Commission's Do-Not-Call List was scheduled to take effect on October 1. But contentious litigation over the List's constitutionality and the FTC's authority to implement it stalled the List's enforcement. After maneuvering by both Congress and the President failed to resolve the matter, the FTC was eventually permitted to enforce its own Do-Not-Call List.
October 24: 9/11 Author Pushes For National Identification Card: Journalist and entrepreneur Steven Brill announces plans to develop biometric identification cards for those who are frustrated by waiting in line at security checkpoints. The card is intended to assure that cardholders are not terrorists, violent criminals, or illegal immigrants, and are thus entitled to less scrutiny at security bottlenecks than those without the card.
October 25: Discount Offered on RFID Implants: The maker of a Radio Frequency Identification chip implantable in humans launches a nation-wide promotional campaign in support of the product. Applied Digital Solutions offered a $50 discount on the device, which costs $200, to the first 100,000 people who sign up to have the chip implanted. The company next hopes to develop an implantable GPS chip. The company also faces investigations by the Food and Drug Administration and the NASDAQ.
October 28: Library of Congress Grants DMCA Exceptions: The Library of Congress creates new narrow exemptions to a digital piracy law that makes it illegal to crack digital copyright protections. One can now legally crack codes to access lists of sites blocked by commercial Internet filtering software, but not spam-fighting lists; computer programs protected by hardware dongles that are broken or obsolete; computer programs or video games that use obsolete formats or hardware; and e-books that prevent read-aloud or other handicapped access formats from functioning. The move was still criticized by free-speech activists, who had hoped for more exceptions.
November 4: Defense Department Pays Linda Tripp $595,000 To Settle Privacy Case: D.O.D. settles a Privacy Act litigation with former employee Linda Tripp, agreeing to pay $595,000 for Tripp to drop her claims. She had alleged that Pentagon officials released private information about her in retaliation for her role in the Lewinsky matter, which led to impeachment proceedings against then President Clinton.
November 16: Major luggage and lock retailers in the United States, with the backing of the Transportation Security Administration, announce the Travel Sentry, a new lock that will enable government agents to search checked baggage. A TSA spokesperson says, "In other words, we can open it, but no one else can." But reports at year's end find that Travel Sentry locks are also clipped by TSA officials.
December 4: Credit Legislation Signed Into Law: New credit privacy legislation is signed into law. The law will preempt tougher state laws protecting privacy and preventing companies from sharing personal information. The bill is a victory for the financial industry. One positive aspect of the legislation, however, is that it gives consumers new protections against identity theft, including free credit reports and a national fraud-alert system to minimize damage once a theft has occurred.
December 12: School Installs Face-Recognition Technology to Find Children, Sex Offenders: Phoenix-area middle school plans to install face-recognition technology to identify registered sex offenders and missing children. The surveillance system consists of two cameras linked to state and federal law enforcement databases containing information about sex offenders, missing children, and abductors.
December 16: U.S., European Union Strike Passenger Data Deal: EU agrees to allow the United States to collect airline passenger records on all individuals flying from Europe to the United States. The agreement will limit what info can be gathered from passenger records, how it can be shared with the U.S., and how long it can be stored.
December 16: Anti-Spam Legislation Signed Into Law: The CAN-SPAM Act of 2003 is signed into law, authorizing both fines and imprisonment for spammers who gather e-mail addresses from the Internet or use false information to deceive spam recipients. The new federal law will preempt stricter state laws but may be ineffective against spam sent from outside the United States. Will be enforced beginning January 1, 2004.
December 20: Recording Industry Association of America Dealt Setback: Federal district court holds that the RIAA must get a judge's permission before demanding that Internet service providers disclose the names of customers suspected of trading music online in violation of copyright laws. The decision will force the RIAA to file suit against an individual [i.e. John Doe] and then ask a judge to compel the ISP to turn over the individual's identity.
December 31: Inspector General Slams Info Awareness: DOD Inspector General concludes that the Total Information Awareness program failed to address key privacy concerns. The program was killed earlier in the year by the Congress, but some of the program's activities have been quietly transferred to other agencies.
H. COPA & Supreme Court (2004 Return)
from: news.com.com ... By Doug Isenberg:
In 2004, the U.S. Supreme Court will revisit the Child Online Protection Act (COPA [news.com.com/2100-1028-5090816.html]), a controversial law on which the justices first shared their opinions [news.com.com/2100-1023-912233.html] in May 2002.
COPA restricts the online publication of "material that is harmful to minors," which the act defines with reference to "contemporary community standards." In its first ruling on COPA, a divided Court said that [the] definition does not by itself render the statute substantially overbroad for purposes of the First Amendment, refused to lift an injunction against enforcement of the act and sent the case back to the lower appellate court, which in March 2003 found COPA unconstitutional [news.com.com/2100-1028-991477.html].
In October, the Supreme Court said it will again hear arguments [news.com.com/2100-1028-5090816.html] on COPA, and its decision in 2004 could be the most important legal ruling yet on the Internet, either finally closing the door on attempts to regulate content online or closing the gates of the untamed high-tech frontier.