GILC Alert Volume 4, Issue 5 May 31, 2000 Welcome to the Global Internet Liberty Campaign Newsletter. Welcome to GILC Alert, the newsletter of the Global Internet Liberty Campaign. We are an international organization of groups working for cyber-liberties, who are determined to preserve civil liberties and human rights on the Internet. We hope you find this newsletter interesting, and we very much hope that you will avail yourselves of the action items in future issues. If you are a part of an organization that would be interested in joining GILC, please contact us at <gilc@gilc.org>. If you are aware of threats to cyber-liberties that we may not know about, please contact the GILC members in your country, or contact GILC as a whole. Please feel free to redistribute this newsletter to appropriate forums. =============================================== Free Expression [1] Yahoo sued over web anonymity [2] Australian censorship system does little [3] Elian Web parody battle [4] Chinese online dissidents' uphill fight [5] DVD Web links case gets ugly [6] Internet freedom study released [7] Russia's digital divide [8] Saudi censorship slows Internet growth [9] Syria plans Internet expansion [10] Oxford Net free speech meeting held Privacy and Encryption [11] US gov't knocks dot-coms on user privacy [12] New French anti-anonymity bill [13] Love Bug virus highlights privacy flaws [14] G8 plan threatens individual privacy [15] New Microsoft security woes [16] New NetRadar Internet spy tool [17] UK Net privacy under siege [18] US child online privacy laws take effect [19] Indian Net search plans deemed invasive [20] EU to lift crypto restrictions [21] Euro plan: end Net anonymity =============================================== [1] Yahoo sued over web anonymity =============================================== A lawsuit against a popular Internet portal company raises important questions about the future of free speech in cyberspace. The controversy centers on message boards maintained by Yahoo about publicly traded companies. Under this system, users must register their identity with Yahoo in order to participate in the discussion. When registering, individuals must provide a great deal of personal information about themselves, including their occupation, industry, interests, postal code and gender. Yahoo also saves the Internet address of everyone who posts messages. The Internet firm also has a privacy policy which generally promises users that it will not disclose this collected data without user notification and consent. In February 2000, one of the companies being discussed, AnswerThink, filed a defamation lawsuit against several unknown people who had posted highly critical comments on Yahoo's message board. AnswerThink also caused a subpoena to be served on Yahoo for personal information about those users. Yahoo allegedly turned over its files on these individuals without getting their approval or giving them notice. One of these users (known by his pseudonym, Aquacool) turned out to be an AnswerThink employee. AnswerThink promptly fired him, denied him compensation, then sued him individually for his supposedly libelous remarks. Aquacool launched his own lawsuit, claiming that his free speech rights had been violated. The lawsuit was supported by two GILC member organizations, the Electronic Privacy Information Center (EPIC) and the American Civil Liberties Union (ACLU). The two groups noted that the United States Constitution protects the rights of individuals to anonymous free speech, as well as the right to speak freely online. In the words of EPIC's David Sobel, Yahoo's policies would render that right "illusory." To see a joint EPIC and ACLU press release on this case, visit http://www.epic.org/anonymity/epic_aclu_release.html To see the complaint (in PDF format), click http://www.epic.org/anonymity/aquacool_complaint.pdf =============================================== [2] Australian censorship system does little =============================================== What if someone built a system to censor the Internet, and nobody came? That's apparently what has happened Down Under. The Australian government had implemented a complaint-based system to block out Internet content. These plans were in response to presumed public concern over the harmful effects of the Internet on society. However, the flood of complaints envisioned by the scheme's creators did not materialize. Out of an estimated six million Australian adults who use the Internet, only 124 complaints were received between January and March 2000. Stephen Nugent of the Australian Broadcasting Authority admitted "[t]here doesn't appear to have been a huge pent-up demand to make complaints." Critics cited the dearth of entries as clear evidence that most Australians are satisfied with what's available on the Internet. Robbie Swan of the Eros Foundation said that the statistics showed that "there was no need for legislation. Politicians clearly freaked about something they really weren't in a position to comment upon." There are now calls to discard the entire system; a formal review by the Australian parliament has already been scheduled. See Stewart Taggart, "Content in Australia, Sort Of," Wired News, April 28, 2000 at http://www.wired.com/news/print/0,1294,35949,00.html =============================================== [3] Elian Web parody battle =============================================== Controversy has erupted over an Internet movie that lampoons a famous photograph of Elian Gonzalez. An Associated Press (AP) photographer took the original picture when US government agents raided the home of Elian's relatives to return the child to his father. The left side of the image features a Federal agent holding a gun. The gun appears to be pointed at Gonzalez, who is shown on the right side of the photograph in the arms of the person who rescued him from the waters near Florida. The movie was the brainchild of Sean Bonner and Chris Lathrop, who doctored the photo to show all three people saying "WHAZZUP" to each other. The film goes on to show United States Attorney General Janet Reno, Cuban dictator Fidel Castro, and other famous people linked with the Elian case also shouting "WHAZZUP." The entire presentation is drawn from a popular American television commercial for Budweiser beer, where several people shout "WHAZZUP" amongst themselves while enjoying their drinks, then say "True" at the end. The movie finishes with an image reading "Stormtroopers" and "True" in an obvious parody of the Budweiser ad. On April 25, Sean Bonner posted this movie on his website, and the film became extremely popular. Numerous other individuals, including Tom Fulp, reposted the movie on their websites. The film caught the attention of David Tomlin, assistant to the president of the Associated Press. Tomlin sent out a curious e-mail message to Bonner, Lathrop, Fulp and several other people, threatening a copyright infringement suit. The message made no mention of the potential damage such a lawsuit might have on Internet free speech. Instead, the letter continued, "We'll go for whatever it takes to get our material out of your hands. Please acknowledge immediately that you understand and are taking down the display of AP pictures at the address above." Bonner has since removed the video from his website, but the parody remains available from other sources on the Internet. The Associated Press' current plans for the case are not known at this time. See Brad King, "Wazzup? Not Elian Web Parody," Wired News, April 27, 2000 at http://www.wired.com/news/politics/0,1283,35958,00.html To see the Bonner film, click http://www.andyring.com/elian ==================================================== [4] Chinese online dissidents' uphill fight ==================================================== According to recent reports, mainland Chinese online dissenters are still struggling to make their voices heard in the face of intense pressure from their Communist adversaries. Chinese government agents have redoubled their efforts to censor Internet content. Recently, Communist officials closed down a website in Wuhan, known as the China Finance Information Network (CFN), claiming that it "downloaded and spread rumors that damaged the government's image." This apparently occurred after the site's operators posted a Hong Kong newspaper article detailing the corruption of a provincial leader. Authorities fined CFN and halted its operations for 15 days. In addition, the Chinese government will issue new Internet censorship regulations within a month or so, according to Wang Qincun, who heads China's Internet News Administrative Bureau of the State Council Information Office. These regulations apparently will limit what news stories may be reported by mainland websites and prevent commentary on certain news items by agencies other than Communist publications (such as the People's Daily and the Xinhua News Agency). Nevertheless, He Depu of the China Democracy Party (CDP) noted that while "China's Internet police have invested a lot of money and manpower into blocking messages from our overseas members their efforts in the end will be futile." He noted that because the Internet was so large, "[e]ven if the police monitored the Internet 24 hours a day, they would not be able to stop all the messages getting through." For more on the Wuhan website shutdown from the Digital Freedom Network (DFN-a GILC member), click http://www.dfn.org/Voices/Asia/china/cfinet.htm See also "China Suspends Site for 'Rumors'," Reuters, May 15, 2000 at http://www.wired.com/news/print/0,1294,36333,00.html For more on new Chinese Internet news restrictions, read "China Website Closure Signals Tighter Grip on Internet Control," Agence France Presse, May 17, 2000 at http://www.insidechina.com/news.php3?id=160050 For more on He Depu and the China Democracy Party, read "Democracy Group Prepares To Win Cyberbattle With Chinese Police," Agence France Presse, April 24, 2000, at http://www.insidechina.com/news.php3?id=153879 ==================================================== [5] DVD Web links case gets ugly ==================================================== In many respects, the war over Internet links to a DVD-related computer program has turned into the legal equivalent of a barroom brawl. The entertainment industry, through the DVD Content Control Association (DVD CCA) and the Motion Picture Association of America (MPAA), had sued to prevent Internet users from linking to websites that have DeCSS. DeCSS was a primitive program to help users of the Linux operating system play DVDs on their computers. Previously, courts in both New York and California had issued preliminary injunctions that barred computer users from posting DeCSS on their websites. Many experts are concerned that these actions may stifle free expression in cyberspace. In the New York case, the MPAA is trying to disqualify the opposing attorney, Martin Garbus, on conflict of interest grounds. The alleged conflict is based on the fact that Garbus had previously represented Time Warner (a plaintiff in the DeCSS lawsuit) in another case. Garbus, on the other hand, is seeking sanctions against the MPAA's lawyers for hindering the discovery of key evidence, including the apparent failure to make MPAA President Jack Valenti available for a deposition. A full trial is scheduled for December 5, 2000. Meanwhile, in the California case, the Electronic Frontier Foundation (EFF-a GILC member) is appealing the preliminary injunction. In the words of EFF's executive director, David Greene, "The court's injunction is a prior restraint on free expression, one of the most severe civil penalties in our legal system. Even a momentary deprivation of the right to speak or publish causes serious and irreparable harm, far more grave than any monetary loss." For more on the New York case, see Patricia Jacobs, "DVD cracking case heats up," CNET News.com, May 11, 2000, at http://news.cnet.com/news/0-1005-200-1856023.html For more on the California case, see "DeCSS Gag Injunction Appealed," Wired News, May 15, 2000, at http://www.wired.com/news/print/0,1294,36351,00.html ==================================================== [6] Internet freedom study released ==================================================== "Will the Internet become a censor's web, worldwide?" That is the question raised by a new survey from Freedom House. According to this study, an estimated 45 countries "now restrict Internet access on the pretext of protecting the public from subversive ideas or violation of national security-code words used by censors since the sixteenth century." The report goes on to note that the Internet "is the most formidable challenge to the censor ... [b]ut that has not stopped countries in all regions from restricting domestic and transnational news flows." In particular, the group cited Russia, Burma, China and several other countries for their censorial policies toward cyberspace. The report documents attempts by the Russian government to force "Internet service providers (ISPs) to install surveillance equipment," and that Russian "[s]ecurity services can now monitor Internet communications without a court order." Similarly, Burmese computer owners "must report computers to the government or face a 15-year prison term. The Burmese government's 'cyberspace warfare center' counterattacks against possible dissent by hacking into computers that receive or send forbidden messages." Meanwhile, Chinese "[s]ecurity operatives inspect web sites to make sure they do not leak 'state secrets.' These may include references to the arrest and torture of practitioners of the banned Falun Gong [spiritual movement]. Based on such surveillance, Internet sites have been shut down, e-mail censored, and web sites overseas attacked by sites based in China." The Freedom House survey is available via http://www.freedomhouse.org/pfs2000/sussman.html ==================================================== [7] Russia's digital divide ==================================================== There are growing fears that Russia is falling behind the rest of the online world. Mikhail Khodorkovskiy, the president of a major Russian petroleum firm, Yukos, aired some of these concerns in a recent speech. Khodorkovskiy pointed to current estimates that only 3% of all Russians use the Internet on a regular basis. This statistic is 10 times lower than in other developed nations. Furthermore, he expressed alarm at the dearth of financial resources that could eliminate this apparent digital divide. Khodorkovskiy hypothesized that at the current rate, only one out of every five Russians would have Internet access by the year 2050. For these reasons, he argued that education about the online world was "an absolute must." Towards that end, Yukos is working with the Russian government in a national program to improve Internet awareness and skills among students. Even so, Khodorkovskiy urged private industries to contribute more time and money toward educating Russian citizens about cyberspace, noting that the "efforts of Yukos alone will not be enough." See "Russia 'losing internet race'," BBC News Online, April 23, 2000, at http://news.bbc.co.uk/low/english/sci/tech/newsid_723000/723664.stm ==================================================== [8] Saudi censorship slows Internet growth ==================================================== The Saudi Arabian government's attempts to censor the Internet may keep the country in a technological Dark Age. At present, all 30 of the country's Internet service providers (ISPs) are linked to a ground-floor room in the King Abdulaziz City of Science and Technology, located in the capital, Riyadh. Here, filtering programs scan through all Internet transmissions and block out any content deemed offensive or sacrilegious. This center for censorship monitors the activities of some 130,000 Saudi Internet users. However, many experts are concerned that the Saudi government is spending too much energy on censorship and too little energy on expanding its Internet resources. Saudi Arabia joined the online world only 18 months ago, and many Saudi Arabian businesses are still unable to conduct e-commerce. This comes in stark contrast to counterparts in neighboring countries (such as the United Arab Emirates) that have benefited from government-sponsored initiatives. Ironically, Saudi computing resources are so meager that officials had to import the blocking software used in Riyadh, then bring in technicians from Finland to run the program. Additional information is available from Frank Gardner, "Saudis 'defeating' internet porn," BBC News Online, May 10, 2000, at http://news.bbc.co.uk/low/english/world/middle_east/newsid_742000/742798.stm ==================================================== [9] Syria plans Internet expansion ==================================================== Syria is trying to enter the digital age, but it is unclear whether the government will loosen its tight censorial grip in order to achieve its goals. Currently, Syria's Internet only has several thousand users (out of a population of 16 million). Most of these fortunate individuals have ties to the government or to big business. However, plans have been hatched to expand Internet usage on a dramatic scale. This scheme was prepared by the Syrian Computer Society, led by Bashar Assad (son of Syrian President Hafez Assad). Bashar believes that someday "the Internet is going to enter every house" in Syria through these and other programs. Nevertheless, there are many free expression issues that have yet to be resolved, including the harsh prison sentences that are given to private individuals found guilty of unauthorized Internet contact with foreigners. Not surprisingly, Reporters Sans Frontieres recently branded Syria as one of the Internet's twenty biggest enemies. Indeed, even Bashar admitted his government may issue new "guidelines" to restrict online access and content, similar to the stringent controls on other media (such as government-run newspapers, radio and television). For further details, see Howard Schneider, "Syria Advances Cautiously into The Online Age," Washington Post, April 27, 2000 at http://www.washingtonpost.com/wp-dyn/articles/A21443-2000Apr26.html Reporters Sans Frontieres' homepage is located at http://www.rsf.fr ==================================================== [10] Oxford Net free speech meeting held ==================================================== The Humanities Computing Unit of Oxford University held a colloquium about the future of Internet free speech. Entitled "Beyond Control or Through the Looking Glass", the event took place on April 28, 2000 at the Oxford Union Debating Chamber. The meeting featured leaders of several GILC member organizations, including Nadine Strossen of the American Civil Liberties Union (ACLU), Avedon Carol from Feminists Against Censorship, and Yaman Akdeniz of Cyber-Rights and Cyber-Liberties (UK), which co-organized the event. The central debate, Policing the Net, discussed the motion: "This house believes that any attempt by government to police the internet is both unworkable and a severe threat to civil liberties." During this debate, Akdeniz noted the fact that current proposals to regulate cyberspace failed to provide clearly defined standards, did not have broad public support, and had yet to show favorable results when evaluated under a cost/benefit analysis. He referred specifically to a recent British government proposal, the Regulation of Investigatory Powers (RIP) Bill, which would expand the power of law enforcement officials in cyberspace. Legal experts have decried many parts of the RIP plan, including provisions that would force defendants to prove their innocence if they fail to provide passwords or encryption keys when asked by government agents. Akdeniz argued that RIP's standards were virtually incomprehensible and warned that such ill-drafted proposals would chill freedom online. He also attacked the Internet Watch Foundation, which has sought restrictions on Internet content for several years. Similarly, Strossen suggested that the blocking of Internet content violated the precepts delineated in a recent ruling by the United States Supreme Court. The Court held that Internet speech should be protected to at least the same degree as more traditional forms of expression. She cited efforts (by the ACLU and other cyber-liberties groups) to strike down broad-based laws that would criminalize any Internet speech with any amount of sexual content, without any regard to its social value. Strossen further suggested that Internet users should not be silenced based on mere speculation that their speech may have some anti-social impact. To hear audio recordings from the Policing the Net debate, and to read transcripts of the arguments on both sides, click http://www.guardianunlimited.co.uk/freespeech ============================================== [11] US gov't knocks dot-coms on user privacy ============================================== A US regulatory agency has found that many e-commerce sites do a poor job of protecting the privacy of their users, and is calling for legislative action to correct the problem. According to a recent study by the US Federal Trade Commission (FTC), nearly 4 out of 5 e-commerce sites failed to meet the Commission's standards for safeguarding user privacy. These standards include the posting of a privacy policy, consumer control over how their data is used, users' ability to view and correct the files compiled about them, and security measures to stop cybercriminals. The report did note that nearly 90% of the most heavily trafficked websites did have privacy policies available online. However, the Commission also noted that many web content providers fared poorly in the categories of consumer control, security measures and so forth. As a solution, the FTC is recommending that "Congress enact legislation to ensure adequate protection of consumer privacy online." This legislation "would set out the basic standards of practice governing the collection of information online, and provide an implementing agency with the authority to promulgate more detailed standards," including powers of enforcement. Under this system, "[a]ll consumer-oriented commercial Web sites that collect personal identifying information from or about consumers online, to the extent not covered by the COPPA [Children's Online Privacy Protection Act], would be required to comply with the four widely-accepted fair information practices." These practices include providing consumers with adequate notice as to how respective companies handle personal information, giving consumers choices as to how their data will be used, allowing users to access their own records (including the right to correct or delete information), and taking "reasonable steps to protect the security of the information they collect from consumers." The report has met with mixed reviews. Marc Rotenberg of the Electronic Privacy Information Center (EPIC-a GILC member) noted that "[l]egislation to protect privacy is long overdue." Rotenberg also commented on the FTC's suggestion that self-regulatory schemes may still play a part, even though such efforts have failed to protect user privacy in the past. Nevertheless, many observers expect the proponents of this new plan will be forced to fight an uphill battle. The FTC Report "Privacy Online: Fair Information Practices and the Electronic Marketplace" is available via http://www.ftc.gov/os/2000/05/index.htm#22 See also John Schwartz, "Republicans Oppose Online Privacy Plans," Washington Post, May 21, 2000, page A8, at http://www.washingtonpost.com/wp-dyn/articles/A42502-2000May21.html The Final Report of the FTC Online Access Advisory Committee is available under http://www.ftc.gov/acoas/finalreport.htm ============================================= [12] New French anti-anonymity bill ============================================= Critics are warning that a new French proposal to end anonymity on the Internet may create big potholes along the Information Superhighway. The French Parliament is in the process of reviewing the Liberty of Communication Act, which generally addresses audiovisual broadcasting communications. However, special provisions regarding Internet service provider (ISP) liability have been introduced after a highly publicized lawsuit against a French ISP. The bill received the blessing of the French Senate on May 29th of this year; the National Assmebly will now consider the Act within the next few weeks. In its current form, the Liberty of Communication Act would essentially require anyone who creates a webpage to provide personal information about themselves to the public. Under this plan, any public Internet service (which may include providers of chat rooms, bulletin boards and e-mail messaging as well as websites) must publicly disclose the editor's name and postal address. Private individuals must at least provide information about their Internet host provider (including the provider's name and postal address) as well as their own online names. In turn, host providers would be required to collect personal information about their users, which would be turned over upon judicial request. Violators may go to jail for three months and pay fines of 25,000 francs (about $3,500 US). Many observers have lambasted the plan as a serious threat to civil liberties. Imaginons un Reseau Internet Solidaire (IRIS-a GILC member) warned that the measure might cause "the death of the Internet in France." IRIS feared that the mandatory registration of Internet users would constitute a serious invasion of individual privacy, although the the French Senate has recently restricted the divulgation of individual personal information upon judicial request. Moreover, the French cyberliberties group feared that the Act would turn Internet companies into agents of the state. These concerns have been echoed by many leading French firms, including Libertysurf.com, the nation's biggest free Web hosting company. A Libertysurf spokesperson suggested that the plan would shift business overseas, because users would seek webhosts that are more protective of personal information. Furthermore, the spokesperson expressed anxiety that the Act would increase the costs of doing business in France on an astronomical scale. Visit IRIS' webpage on French anti-anonymity legislation (in French) at http://www.iris.sgdg.com/actions/loi-comm For an English language news item on the subject, read Jason Straziuso, "Anonymity? Mais Non," Associated Press, May 23, 2000, at http://www.abcnews.go.com/sections/tech/DailyNews/france_net000523.html ==================================================== [13] Love Bug highlights privacy flaws ==================================================== Experts worldwide are recommending better security software, not government regulation, as the proper response to an insidious computer pest. The so-called "Love Bug" got its name from its carrier messages, which usually contain "I Love You" in the subject header. The "Love Bug" comes as an e-mail attachment that, once opened, destroys JPEG image files and sends itself to everyone in a user's e-mail address book. This scourge attacked millions of computers worldwide and caused many e-mail systems to shutdown. Other similar bugs have since appeared. One of these pests, known as "NewLove," only has "FW" in the subject line, thus giving less warning to its victims. Worse still, the "NewLove" attachment destroys all files on a user's hard drive, not just JPEGs. Another version is entitled "Resume-Janet Simons", while a third nuisance is written in German and includes an attachment named "SouthPark.exe". Scientists have noted that these attacks were helped by the fact that many software companies do a poor job of protecting user privacy. David Stringer-Calvert, senior project manager and research engineer at SRI International, noted that "[s]ecurity is always a tradeoff against usability, and currently security is often the poor cousin in this. Microsoft products do make it exceptionally easy to write very damaging viruses." In addition, programming gurus have questioned whether new government initiatives would solve the problem. Peter Neumann, the principal scientist at SRI's Computer Science Laboratory, said that "[t]he government reaction ... to build more jails and arrest more hackers ... ignores the fundamental vulnerabilities in the computer systems. Regulating e-mail does not make much sense." Stringer-Calvert added, "Regulation is not the answer. The market needs to become more demanding in the security aspects of systems." Instead, computer scientists have suggested a variety of technical solutions, including encryption and extra firewalls. For more on these analyses, read "Love Me Not: Experts Discuss the Problem of Computer Viruses," ABCNews.com (US), May 5, 2000, at http://more.abcnews.go.com/sections/tech/DailyNews/000505_lovevirus_experts_ chat.html For possible solutions to the "Love Bug" problem, read Eamonn Sullivan, "Next viruses will be silent killers," IT Week, May 11, 2000, at http://msnbc.com/news/406448.asp?cp1=1 The Killer Resume virus is described in "E-mail virus 'contained'," BBC News Online, May 29, 2000 at http://news.bbc.co.uk/low/english/sci/tech/newsid_768000/768320.stm To read more on the German "South Park" bug, see "New worm-'South Park' in German," Reuters, May 11, 2000 at http://www.zdnet.co.uk/news/2000/18/ns-15325.html More on the "FW:" bug is available through Sascha Segan, "Virus: Bold as Love," ABCNews.com (US), May 19, 2000 at http://abcnews.go.com/sections/tech/DailyNews/virus_new000519.html ==================================================== [14] G8 plan threatens individual privacy ==================================================== A superpower Internet security summit has recommended measures that many fear will undermine privacy online. This recently concluded G8 conference brought together delegates from eight major powers, including the United States, the United Kingdom and Russia. The meeting focused on ways to prevent Internet crime. Conferees discussed 22 recommendations for improving Internet security. These particular proposals came from the Global Internet Project--an association of computing companies that includes Microsoft and America Online. Thirteen of these suggestions were for the private sector, including such ideas as cooperating "with law enforcement and other agencies to detect and alleviate attacks." One suggestion might turn private companies into de facto government informants; under this provision, companies would "identify and disseminate information" about perceived risks to computer systems, then pass this information on to so-called "clearing houses" like the United States Federal Bureau of Investigation. The group also urged government agencies to take action by removing the "remaining controls on civilian encryption technologies," as well as encouraging and supporting "efforts to teach youngsters how to behave ethically in cyberspace." G8 representatives also discussed a "Draft Convention on Cybercrime" sponsored by the Council of Europe. This proposal would make it illegal to link to certain types of software that could interfere with (or allow unauthorized access to) a computer. The measure would also punish people who fail to provide passwords or encryption keys. Furthermore, the Convention would require Internet service providers (ISPs) to collect personal information about their users. However, many observers fear that these plans will actually diminish Internet privacy while failing to prevent future cyberattacks. A spokesperson from the Foundation for Information Policy Research (FIPR) worried that the G8 nations would waste valuable time discussing security solutions. Worse still, the spokesperson believed that as the number and impact of cyber-crimes grew, governments would go on to choose harsh standards that would severely impinge on the privacy rights of Internet users. Indeed, Barry Steinhardt of the American Civil Liberties Union (ACLU-a GILC member) called the Draft Convention "dangerous" and believes "it will interfere with the ability to speak anonymously." He also suggested that the proposal would prevent computer scientists from adequately ensuring "their own security and the security of others." Privacy International (a GILC member) has compiled an extensive site to document these developments at http://www.privacyinternational.org/issues/cybercrime/ ==================================================== [15] New Microsoft security woes ==================================================== Researchers have recently discovered security flaws in two of Microsoft's most popular products: Internet Explorer and Hotmail. Peacefire (a GILC member) has issued a series of articles that documented these weaknesses. Both difficulties are based on the common use of computer files known as "cookies." Many websites surreptitiously place these cookies on users' computers for identification purposes or for storing other personalized information. In the case of Internet Explorer, a hole in its security features allows website operators to secretly scan all of the cookies on an individual user's computer and discover where that person has been on the Internet. A savvy webpage operator can create a special domain name that will fool Internet Explorer into thinking that particular page is actually from another site (such as Amazon.com, rather than Peacefire) and divulge the cookies pertaining to that other site (such as the cookie Amazon.com placed on the user's computer). That way, the attacker can check what cookies are on the user's machine and discover where that user has been on the World Wide Web. One way individuals can avoid this loophole is by changing Explorer's settings to disable all cookies. The Hotmail flaw enables people to discover other users' passwords and read private e-mail messages. This is done through a special HTML program (attached to an e-mail message) that intercepts the cookies that Hotmail uses to identify its users and passes them along to the attacker. These cookies contain special session keys (known individually as "MSPAUTH") that can then be used to enter another person's e-mail account, read that person's messages, and break into still more accounts. Visit Peacefire's homepage (for analyses of these Microsoft security holes) at http://www.peacefire.org ==================================================== [16] New NetRadar Internet spy tool ==================================================== A new software package will allow businesses and government agencies to spy on private Internet users everywhere. The program, known as NetRadar, searches through chat rooms, bulletin boards, and other areas of cyberspace by using key words chosen by the user. NetRadar then provides automatic summaries of its results. Its properties are vaguely similar to government systems such as ECHELON, which reportedly intercept communications on a global scale, then use special computer programs (called DICTIONARY) to siphon out pertinent material. NetRadar was used to monitor the activities of groups opposed to the World Trade Organization (WTO) and demonstrated against them in Seattle this past winter. Its creators now are hoping to sell the software to major companies as well as law enforcement agents. Critics fear that devices like NetRadar will seriously erode the privacy of ordinary citizens. Jim Dempsey of the Center for Democracy and Technology (CDT-a GILC member) feared that widespread use of NetRadar "could end up chilling political speech organizing, peaceful advocacy, criticism of either government or corporations." Similarly, Professor Jonathan Zittrain (from the Berkman Center for Internet and Society at Harvard Law School) worried that the current data privacy laws would not prevent abuse of such programs. Zittrain noted: "if there's an alcoholics anonymous group, a group to talk about depression, even about back pain, those sorts of things could end up being surveyed for purposes of insurance fraud or anything else." For more, see Jack Smith, "Web Spies," ABCNews.com (US), May 16, 2000, at http://www.abcnews.go.com/onair/CloserLook/wnt_000516_CL_netsecurity.html For more on ECHELON, visit http://www.echelonwatch.org ======================================= [17] UK Net privacy under siege ======================================= It may be getting harder for British Internet users to preserve their privacy. The British government has proposed several new measures to enhance their surveillance powers. One of these proposals would create a Government Technical Assistance Centre to intercept all e-mail messages in the United Kingdom. Similarly, the British Home Office has introduced a Regulation of Investigatory Powers (RIP) Bill, which might force Internet service providers to accommodate more invasive searches by law enforcement officials. The Bill would also punish people who are unable to provide "keys" to encrypted computer files and force these individuals to disprove their guilt. Cyber-liberties groups, who are concerned that these measures will treat innocent Internet users as criminals, have savaged both proposals. The RIP bill, in particular, has been excoriated because of its reversed burden of proof; some experts have suggested that this particular provision violates various International human rights accords. The RIP legislation also has caught flak from software manufacturers, who fear that the plan will make it more expensive to conduct e-commerce in Britain. Meanwhile, a recent survey indicated yet another threat to online privacy: big business. A study by the Industrial Relations Services indicated (among other things) that over 75% of British companies monitor their employees in cyberspace. Many of these companies go so far as to read private e-mail messages and limit their workers' access to the Internet. For more on the Government Technical Assistance Centre, read "Brits Launch Online Spy Network," Wired News, May 2, 2000, at http://www.wired.com/news/print/0,1294,36031,00.html See also Sascha Segan, "Spies Like Us," ABCNews.com (US), May 2, 2000 at http://www.abcnews.go.com/sections/tech/DailyNews/britishspies_000502.html Press coverage of the RIP Bill is available under "Computer crime plan 'bad for business'," BBC News Online, May 8, 2000 at http://news.bbc.co.uk/low/english/sci/tech/newsid_740000/740766.stm For a report on British online monitoring of employees, read "British companies monitor staff Internet use-study," Reuters, May 15, 2000 at http://news.ft.com/ft/gx.cgi/ftc?pagename=View&c=Article&cid=FT4J73FC98C&liv e=true&tagid=ZZZPB7GUA0C&reuters=true ============================================== [18] US child online privacy laws take effect ============================================== The US government has started to enforce a new law designed to protect the privacy of children in cyberspace. The Children's Online Privacy Protection Act (COPPA) restricts operators of websites and other Internet services from collecting sensitive information from users aged 13 years or under. These rules generally require websites that are directed at children to post privacy policies. These sites cannot gather personal information from youngsters without parental consent. Furthermore, mothers and fathers can revoke such consent at any time and force web companies to expunge information that these firms have already collected about their kids. These moves come as a recent survey indicates the apparently predatory nature many companies have in extracting personal data from kids. A study by the Annenberg School for Communication revealed, among other things, that nearly two-thirds of children aged 10-17 reveal (online) the names of their favorite stores if they received a free gift. Over 50% of children between 10 and 17 years of age would divulge to website operators the names of their parents' favorite places to shop, in exchange for a present. The full text of COPPA is available at http://www.ftc.gov/ogc/coppa1.htm For more press coverage of COPPA, visit "Study: Kids Spill The Beans On Web," CBS News, May 17, 2000, at http://cbsnews.cbs.com/now/story/0,1597,195861-412,00.shtml See also David Ho, "Online Tit for Tat," Associated Press, May 16, 2000, at http://www.abcnews.go.com/sections/tech/DailyNews/netprivacy000516.html ============================================= [19] Indian Net search plans deemed invasive ============================================= The Indian parliament has passed a law that may increase government intrusions into cyberspace. The federal Information Technology Bill allows senior law enforcement officials to conduct searches of public places (under the pretext of conducting a cybercrime investigation) without a warrant. Other provisions may force Internet users to provide certain types of information about themselves, and ban them from posting data deemed to be obscene. In addition, Internet service providers (with over 2MB of bandwidth) may have to make their networks wiretap-friendly for India's Central Bureau of Investigation and other such agencies. Opponents of the bill worry that it will subvert individual privacy on the Internet, and will stifle India's rapidly growing technology sector. Read "Parliament passes IT bill," IndiaTimes, May 17, 2000 at http://www.indiatimes.com/17indu2.htm See also Frederick Noronha, "India Eyes Cyberlaws," Wired News, April 25, 2000, at http://www.wired.com/news/print/0,1294,35822,00.html ============================================= [20] EU to lift crypto restrictions ============================================= The European Union is considering plans to ease restrictions on the use of computer cryptography. The EU is hoping that by reducing its own rules on cryptographic programs, it will ensure that European computer companies will be able to compete on an equal footing with their American counterparts. Previously, European firms that wanted to export encryption software had to request permission from their respective governments, then wait while officials undertook arduous investigations to ensure that the buyer did not constitute a national security threat. Worse still, government agencies often used these review powers to pressure companies into weakening the cryptographic strength of their products. US officials already had announced plans to end limitations on the export of strong encryption, and are now accepting applications from software manufacturers for export licenses. Oddly enough, an EU spokesperson confirmed the fact that the US government had urged its European partners not to liberalize its rules on crypto. Nevertheless, EU ministers bucked these concerns, noting that "the European Union does not make their policies dependent on the opinion of the United States." For further information, see Jelle van Buuren, "European Union sets free export of encryption products," Heise Telepolis, May 22, 2000 at http://www.heise.de/tp/english/inhalt/te/8179/1.html See also "EU To Copy US Crypto 'Open Export' Rules," Newsbytes, April 28, 2000, at http://www.newsalert.com/bin/story?StoryId=CoqKmWc4bmdaWmti&FQ=Crypto&Nav=na -search-&StoryTitle=Crypto ============================================= [21] Euro plan: end Net anonymity ============================================= End anonymity on the Internet? Not so fast. That appears to be the message being given by European government officials. Previous reports had indicated that the European Parliament's Committee for Citizens' Freedoms, Rights, Justice and Home Affairs would recommend a new law that would force Internet users to register personal information with telecommunications companies. While details of the proposal were sketchy at best, the plan apparently followed the suggestions of a recent European Commission white paper, which called for anonymous remailers to follow a "code of conduct" that included the collection of personal information from individual users and other restrictions. The initiative was bolstered by concerns that anonymous e-mail messaging would enhance the organizational powers of cyber-terrorists. However, the scheme has run into a number of difficulties. Privacy advocates have voiced fears that these plans would curtail individual privacy online. In addition, the proposal reportedly suffered from highly unwieldy provisions that made it hard to enforce. Furthermore, there was virtually no public support for the scheme. Against this backdrop, the European Council of Ministers is now hinting that it will shelve the proposal for the time being. For more on this story, read Tim Richardson, "Euro anonymous email plans are 'unworkable'," The Register (UK), May 12, 2000, at http://www.theregister.co.uk/000512-000008.html See also Declan McCullagh, "Anonymity Threatened in Europe," Wired News, April 26, 2000 at http://www.wired.com/news/print/0,1294,35924,00.html ========================================================== ABOUT THE GILC NEWS ALERT: ========================================================== The GILC News Alert is the newsletter of the Global Internet Liberty Campaign, an international coalition of organizations working to protect and enhance online civil liberties and human rights. Organizations are invited to join GILC by contacting us at gilc@gilc.org. To alert members about threats to cyber liberties, please contact members from your country or send a message to the general GILC address. To submit information about upcoming events, new activist tools and news stories, contact: Christopher Chiu GILC Coordinator American Civil Liberties Union 125 Broad Street, 17th Floor New York, New York 10004 USA Or email: cchiu@aclu.org More information about GILC members and news is available at http://www.gilc.org You may re-print or redistribute the GILC NEWS ALERT freely. To subscribe to the alert, please send e-mail to gilc-announce@gilc.org with the following message in the body: subscribe gilc-announce ======================================================== PUBLICATION OF THIS NEWSLETTER IS MADE POSSIBLE BY A GRANT FROM THE OPEN SOCIETY INSTITUTE (OSI) ======================================================== ---------------------------------- Send mail for the 'huridocs-tech' list to <huridocs-tech@hrea.org>. Mail administrative requests to <majordomo@hrea.org>. For additional assistance, send mail to: <owner-huridocs-tech@hrea.org>. Archives of previous messages posted to the list can be found at: http://www.hrea.org/lists/huridocs-tech/markup/maillist.html
[Reply to this message] [Start a new topic] [Date Index] [Thread Index] [Author Index] [Subject Index] [List Home Page] [HREA Home Page]