==============================================================
                         E P I C   A L E R T
==============================================================
Volume 9.15 August 9, 2002
--------------------------------------------------------------
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/alert/EPIC_Alert_9.15.html
=======================================================================
Table of Contents
=======================================================================
[1] FTC Announces Action Against Microsoft Passport
[2] Court Orders DOJ to Disclose Names of 9/11 Detainees
[3] OECD Announces Computer Security Guidelines
[4] EPIC Files Brief in Online Offender Registry Case
[5] EPIC Argues Police Must Be Present for Online Search
[6] Eli Lilly Settles With States; NTIA to Hold ENUM Forum
[7] EPIC Bookstore - Trust Us, We're Experts
[8] Upcoming Conferences and Events
=======================================================================
[1] FTC Announces Action Against Microsoft Passport
=======================================================================
The Federal Trade Commission (FTC) yesterday announced a consent
order with Microsoft regarding the Passport identification and
authentication system. Prompted by a complaint submitted by EPIC and
fourteen leading consumer groups, the FTC's investigation found that
Microsoft had violated federal consumer protection law prohibiting
unfair and deceptive trade practices.

In July and August 2001, EPIC -- joined by groups including
Junkbusters, Consumers Union, US PIRG and the Consumer Federation of
America -- submitted detailed complaints to the Commission. The
complaints described the serious privacy implications of Microsoft
Windows XP and Microsoft Passport, and alleged that the collection and
use of personal information by the company would violate Section 5 of
the Federal Trade Commission Act. After the complaints were filed,
the company experienced a series of serious security breaches,
including a vulnerability that would have allowed a person to steal
information within the Microsoft Wallet service.

The FTC yesterday found that Microsoft made a series of false
representations about Passport. First, the company, despite
guarantees to the contrary, did not employ reasonable methods to
protect the privacy of personal information collected by Passport.
Second, the company falsely represented that the Passport Wallet
service provided extra security over standard e-commerce transactions.
Third, the company did not disclose that Passport tracked users'
visits to web sites, when in fact a log of user activity was
maintained by the company for months. Fourth, Kids' Passport failed
to provide parental control over collection of information online.

The order requires Microsoft to implement a new information security
program. A third-party auditor will check compliance with this
program within one year, and Microsoft must reassess its information
security practices every two years. Further, Microsoft is prohibited
from making future false representations about the Passport service.
Microsoft is bound by the order for 20 years, and fines can be levied
for non-compliance.

The FTC will accept public comment on the order until September 9,
2002.

FTC Consent Order:
http://www.ftc.gov/os/2002/08/microsoftagree.pdf

FTC Complaint:
http://www.ftc.gov/os/2002/08/microsoftcmp.pdf

EPIC's Sign Out of Passport Page:
http://www.epic.org/privacy/consumer/microsoft/

EPIC's Passport Investigation Docket Page:
http://www.epic.org/privacy/consumer/microsoft/passport.html

=======================================================================
[2] Court Orders DOJ to Disclose Names of 9/11 Detainees
=======================================================================
In a decision issued on August 2, U.S. District Judge Gladys Kessler
directed the Justice Department to disclose, no later than August 19,
the identities of more than 1,000 individuals detained in connection
with the government's September 11 terrorist investigation. Under the
order, detainees desiring confidentiality of their identities can file
statements requesting non-disclosure. The judicial decision marks a
significant defeat for government secrecy in the wake of the terrorist
attacks. EPIC joined with a coalition of other groups in seeking the
disclosure of the information under the Freedom of Information Act
(FOIA) and serves as co-counsel in the case.

The Justice Department had argued that releasing the detainees' names
and other information could undermine the September 11 investigation
and harm national security. Disclosure would subject the detainees to
possible intimidation or coercion, the government argued, and provide
terrorists with a potential "road map" of the investigation. Judge
Kessler found the government's argument "unpersuasive" and concluded
that "the public's interest in learning the identities of those
arrested and detained is essential to verifying whether the government
is operating within the bounds of the law."

The FOIA lawsuit was filed by the Center for National Security
Studies, EPIC, and 21 other organizations, including the American
Civil Liberties Union, Human Rights Watch and Amnesty International
USA. The plaintiffs argued that the detentions constituted secret
arrests that violated longstanding legal requirements compelling the
government to account for the individuals it incarcerates.

"The Court fully understands and appreciates that the first priority
of the executive branch in a time of crisis is to ensure the physical
security of its citizens," Judge Kessler wrote. "By the same token,
the first priority of the judicial branch must be to ensure that our
government always operates within the statutory and constitutional
constraints which distinguish a democracy from a dictatorship."

The Justice Department has appealed the ruling and asked Judge Kessler
to delay enforcement of her order pending resolution of the appeal.

The court's decision is available at:
http://www.epic.org/open_gov/foia/cnssdecision.pdf

EPIC has produced a resource page with background on the litigation:
http://www.epic.org/open_gov/foia/cnss_v_doj.html

=======================================================================
[3] OECD Announces Computer Security Guidelines
=======================================================================
The Organization for Economic Cooperation and Development (OECD) has
released principles for computer security that emphasize democracy,
transparency, privacy, and education. The OECD principles are
intended to protect important civil society values as countries and
private sector organizations go forward with computer security plans.
EPIC Research Director Sarah Andrews served on the OECD expert panel
as the civil society representative, and consulted with computer
security experts, public policy experts, and NGO participants in the
Public Voice project during the year-long development of the
guidelines.

The OECD, based in Paris, is a thirty-member organization of leading
industrial nations in North America, Europe and East Asia. Over the
years, the OECD has produced several important policy frameworks for
information technology in such areas as privacy, cryptography, and
electronic commerce.

The original OECD Security Guidelines were promulgated in 1992. The
new Guidelines seek to take account of the development of network
computing and the growth of commercial services, as well as the
response of governments to the events of September 11.

The OECD Security Guidelines set out nine principles: Awareness,
Responsibility, Response, Ethics, Democracy, Risk Assessment, Security
Design and Implementation, Security Management, and Reassessment.
Each principle is followed by a definition and then a one-paragraph
description. Taken as a whole, the principles emphasize the joint
responsibility of all participants to promote network security. The
Guidelines also draw attention to important democratic goals in the
design of security policy, including and specifically stating that:

    Security should be implemented in a manner consistent with
    the values recognised by democratic societies including the
    freedom to exchange thoughts and ideas, the free flow of
    information, the confidentiality of information and
    communication, the appropriate protection of personal
    information, openness and transparency.

The OECD also adopted a principle on Risk Assessment that states:

    Risk assessment identifies threats and vulnerabilities and
    should be sufficiently broad-based to encompass key internal
    and external factors, such as technology, physical and human
    factors, policies and third-party services with security
    implications. Risk assessment will allow determination of
    the acceptable level of risk and assist the selection of
    appropriate controls to manage the risk of potential harm to
    information systems and networks in light of the nature and
    importance of the information to be protected. Because of
    the growing interconnectivity of information systems, risk
    assessment should include consideration of the potential
    harm that may originate from others or be caused to others.

A similar proposal was under consideration by the OECD in 1992 but was
not adopted at that time.

Regrettably, the OECD adopted the authoritarian "culture of security"
as the tagline for its most recent effort. But overall the Guidelines
are a welcome contribution to the computer security field, and should
promote policies that are more responsive to civil society interests
than some of the recent proposals of national governments.

OECD Guidelines for the Security of Information Systems and Networks:
http://www.oecd.org/pdf/M00033000/M00033182.pdf

OECD Governments Launch Drive to Improve Security of Online Networks:
http://www.epic.org/redirect/oecd_redirect.html

The Public Voice:
http://www.thepublicvoice.org/

<snip>
=======================================================================
[8] Upcoming Conferences and Events
=======================================================================
IT and Law. University of Geneva, University of Bern, Swiss
Association of IT and Law. September 9-10, 2002. Geneva, Switzerland.
For more information: http://www.informatiquejuridique.ch/

ILPF Conference 2002: Security v. Privacy. Internet Law & Policy
Forum. September 17-19, 2002. Seattle, WA. For more information:
http://www.ilpf.org/conference2002/

Privacy2002: Information, Security & New Global Realities. Technology
Policy Group. September 24-26, 2002. Cleveland, OH. For more
information: http://www.privacy2000.org/privacy2002/

Privacy in Ubicomp 2002: Workshop on Socially-informed Design of
Privacy-enhancing Solutions in Ubiquitous Computing. Held as part of
UBICOMP 2002. September 29, 2002. Goeteborg, Sweden. For more
information: http://guir.berkeley.edu/privacyworkshop2002/

Shrinking World, Expanding Net. Computer Professionals for Social
Responsibility (CPSR). October 5, 2002. Cambridge, MA. For more
information: http://www.cpsr.org/conferences/annmtg02/

Bridging the Digital Divide: Challenge and Opportunities. 3rd World
Summit on Internet and Multimedia. October 8-11, 2002. Montreux,
Switzerland. For more information: http://www.internetworldsummit.org/

2002 WSEAS International Conference on Information Security (ICIS
'02). World Scientific and Engineering Academy and Society. October
14-17, 2002. Rio de Janeiro, Brazil. For more information:
http://www.wseas.org/conferences/2002/brazil/icis/

IAPO Privacy & Security Conference. International Association of
Privacy Officers. October 16-18, 2002. Chicago, IL. For more
information: http://www.privacyassociation.org/html/conferences.html

Privacy Trends: Complying With New Demands. Riley Information Services
Inc. and the Commonwealth Centre for Electronic Governance. October
22, 2002. Ottawa, Canada. For more information:
http://www.rileyis.com/seminars/

3rd Annual Privacy and Security Workshop: Privacy & Security: Totally
Committed. Centre for Applied Cryptographic Research, University of
Waterloo and the Information and Privacy Commissioner/Ontario.
University of Toronto. November 7-8, 2002. Toronto, Canada. For more
information: http://www.epic.org/redirect/cacr.html

First Hawaii Biometrics Conference. Windward Community College,
Pacific Center for Advanced Technology Training (PCATT). November
10-13, 2002. Waikiki, HI. For more information:
http://biometrics.wcc.hawaii.edu/

Transformations in Politics, Culture and Society.
Inter-Disciplinary.Net. December 6-8, 2002. Brussels, Belgium. For more
information: http://www.inter-disciplinary.net/tpcs1.htm

18th Annual Computer Security Applications Conference (ACSAC):
Practical Solutions to Real Security Problems. Applied Computer
Security Associates. December 9-13, 2002. Las Vegas, NV. For more
information: http://www.acsac.org/

Third Annual Privacy Summit. International Association of Privacy
Officers. February 26-28, 2003. Washington, DC. For more information:
http://www.privacyassociation.org/html/conferences.html

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy.
Association for Computing Machinery (ACM). April 1-4, 2003. New York,
NY. For more information: http://www.cfp.org/

<snip>
---------------------- END EPIC Alert 9.15 -----------------------
========== HURIDOCS-Tech listserv ==========
Send mail intended for the list to <huridocs-tech@hrea.org>.
Archives of the list can be found at:
http://www.hrea.org/lists/huridocs-tech/markup/maillist.php
To subscribe to the list, send a message to <majordomo@hrea.org>,
with the following text in the message: subscribe huridocs-tech
To unsubscribe from the list, send a message to <majordomo@hrea.org>,
with the following text in the message: unsubscribe huridocs-tech
If you have problems (un)subscribing, contact <owner-huridocs-tech@hrea.org>.