From: Brad Dolan 
Subject: (fwd) EPIC Alert 2.13 (fwd)
Message-ID: 
Date: Thu, 2 Nov 1995 07:30:26 -0500 (EST)


---------- Forwarded message ----------
     =============================================================

        @@@@  @@@@  @@@  @@@@      @    @    @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @

     =============================================================
     Volume 2.13                                  October 30, 1995
     -------------------------------------------------------------

                         Published by the
           Electronic Privacy Information Center (EPIC)
                          Washington, DC
                          info@epic.org
                      http://www.epic.org/


=======================================================================
Table of Contents
=======================================================================

 [1] Special: House Rejects Funding of FBI Wiretap Bill
 [2] Bennett Bill Raises Privacy Concerns
 [3] Designing a Good Medical Privacy Bill
 [4] British Doctors Boycott Medical Network
 [5] Mondex: Not So Private After All
 [6] USA Today Opts for Opt-In
 [7] Medical Privacy Resources On-line
 [8] Upcoming Conferences and Events

=======================================================================
[1] Special: House Rejects Funding of FBI Wiretap Bill
=======================================================================

The House of Representatives on October 25 rejected an attempt to
include language in the Omnibus Budget Bill to fund last year's
controversial Communications Assistance for Law Enforcement Act. The
provision would have authorized the establishment of a $500 million
fund generated by a 40% surcharge on all non-civil fines imposed by the
federal government. (See EPIC Alert 2.12[3] "Status of Wiretap Funding.")
The fund would have been used to pay telecommunications companies to
redesign their networks to facilitate wiretapping. That cost is
estimated to run above $2 billion.

This is simply round one in what is expected to be a long battle between
Congress and the White House over the federal budget.  President Clinton
will probably veto the measure that emerges from Congress.  At that
point, another budget proposal will be introduced. Funding provisions
for the FBI wiretap plan are also contained in the terrorism bills and
appropriations bills.

EPIC, VTW, the US Privacy Council, the ACLU, EFF and other civil
liberties organizations have opposed funding of the controversial
measure. More information is available at:

   http://www.epic.org/privacy/wiretap/

=======================================================================
[2] Bennett Bill Raises Privacy Concerns
=======================================================================

The introduction of S. 1360, the Medical Records Confidentiality Act of
1995, last week sparked concern among privacy and medical organizations,
with several groups saying that they will actively oppose the measure.

The Coalition for Patients Rights of New England said the bill "abandons
the central premise that the patient has a basic right to
confidentiality and controls that right through specific informed
consent."  The ACLU of Massachusetts also expressed opposition to the
Bennett bill. The group said, "This bill preempts most State
confidentiality statutes, and related common law, the body of law
which has effectively provided legal remedies for violations of
confidentiality in the past."

Finally the Justice Research Institute joined the ranks, charging that
"This bill is particularly dangerous to those individuals living with
HIV/AIDS."

Hearings on the measure are expected some time later this year.


=======================================================================
[3] Principles for Federal Privacy Protection of Medical Records
=======================================================================

With interest in Washington about the development of real privacy
protection for medical records, here are preliminary suggestions
from EPIC for a good medical privacy bill. Your comments are always
welcome.  Please send email to alert@epic.org.

>> Scope

Legislation must cover all medical information, wherever it is
collected, stored, processed, transferred or used, no matter the form.
Legal coverage should not be limited to only medical information
collected in the provision of health care but should include information
collected for financial, educational, employment, marketing, and other
reasons.

>> Consumer Access

Consumers should have full access to all personally identifiable medical
records. No records should be kept secret. Record keepers should be
required to notify patients that they maintain records. Consumers should
have the ability to correct or remove any inaccurate, irrelevant or out-
of-date information. Any card-based data system must allow consumer
access to all personal information contained on the card.

>> Enforcement and Oversight

Substantial criminal and civil fines should be imposed for actual or
attempted unauthorized access, disclosure, or use of medical
information.  Individuals should be able to enforce rights and obtain
damages and related costs in civil court. An independent agency should
be created to conduct oversight and enforce the provisions of any
federal medical privacy law.

>> Third Party Access

Third party access to medical records should be strictly limited to a
need-to-know basis.  Law enforcement officials should be required to
obtain a warrant after showing a compelling government interest for
each piece of information sought. Civil litigants should have to show a
compelling interest for each piece of information.  Privileged
communications should never be disclosed. Use of medical information by
employers or for marketing purposes should be prohibited.

>> National Databases

The creation of electronic databases of unified clinical records without
the consent of the patient should be prohibited.  Psychiatric records
should not be included in any system of electronic records.

>> Research Records

Use of personally identifiable information for research purposes should
require consent from the individual.  New technologies that create
pseudo-anonymous records should be used for any personally identifiable
information.  Research records should not be used for any other purpose
and should be protected from disclosure by warrant or subpoena.

>> Security

Medical information should be protected by the best available physical
and electronic security. Records in storage or transit should be
encrypted. Audit trails should track each access to an individual's file.
Access should be limited to data relevant to the matter at hand.

>> Identification Number

The Social Security Number should not be used as a patient record
identifier.  The number that is used for record identification should
not be used for any other purpose.  Any health care card issued should
not be used for any other purpose, particularly not for determination
of employment eligibility or for personal identification.

>> Preemption

A federal medical privacy law should set a minimum level of protection
for medical record privacy. States should remain free to provide higher
levels of protection. No state statute should be preempted.


=======================================================================
[4] British Doctors Boycott Medical Network
=======================================================================

The British Medical Association has urged its members to boycott the
National Health Service's nationwide computer network of medical
information. The BMA has been critical of the network for a number of
reasons but finally came out publicly against it after it was revealed
that the Government Communications Headquarters (GCHQ), the British spy
agency in charge of electronic surveillance, had pressured the NHS to
omit encryption from the design of its networks. According to newspaper
reports, the NHS had intended to include encryption as an integral part
of its system but was overridden when the UK Government's Joint
Intelligence Committee was informed of the decision.

The BMA is urging all its doctors to refrain from sending information
to the network until adequate security is provided. The BMA believes
that use of the data network violates a doctor's duty of care to patient
confidentiality and could subject doctors to professional sanctions.
Privacy International is also urging patients to request that their
practitioners not put information on the system.

In the United States, the intelligence agencies pushed the use of the
Clipper Chip for the security of the medical networks set up under the
health care reform bill and are currently pushing the Fortezza card
for a variety of government agency uses.

=======================================================================
[5] Mondex: Not So Private After All
=======================================================================

A British agency in charge of consumer protection has begun a formal
investigation of Mondex, a company that offers smart card-based payment
systems, for allegedly falsely advertising that transactions under its
system were anonymous.

In promotional materials, Mondex had claimed that the transactions were
"just like cash."  In reality, each card used in the system has a 16-digit
identifying number which is captured by the merchant and transmitted to
the bank each day. The merchants' readers can retain up to 500 records at
one time. Mondex's Swindon manager admitted in Network Week, a trade
publication, that "we can certainly trace where cards have been used."

The case is being watched closely by banks worldwide because its
implications for the use of the term "digital cash" will have a
Europe-wide effect.

The investigation began after Simon Davies, a Law Fellow at the
University of Essex and Director General of Privacy International,
filed a complaint. A copy of the letter is available at the Privacy
International Web page at:

   http://www.privacy.org/pi/activities/mondex/complaint.txt


=======================================================================
[6] USA Today Opts for Opt-In
=======================================================================

USA Today last week editorialized in favor of the "opt-in" approach to
the use of personal information, saying that businesses would "then need
the customer's permission before any personal data were rented, sold, or
exchanged for direct marketing purposes." (October 24, 1995)

The paper said, "opt-in does not trample on anyone's rights. Consumers
can still get their catalogs and other direct-mail pitches by checking
a box or clicking a mouse. Companies can still get data for marketing
by asking for it. It would cause some inconvenience for businesses,
which face increased costs to persuade customers to give up their
privacy.  But who should bear the burden: the businesses that
glean the profit or the consumers whose information is sold?"

USA Today also faults the voluntary approach recommended by the
Department of Commerce last Monday, saying that "while voluntary
compliance might be preferable in an ideal world, it's not likely to
work in the real world."

"The reality is that the absence of government prodding has resulted
in too many companies doing too little to protect consumers' privacy
rights."

USA Today concludes "If a business wants the privilege of marketing
your most private matters, it should be willing to spend the time it
takes to convince you that you'll benefit."

Perhaps the USA Today position is not surprising.  A 1991 Time/CNN poll
found that when American adults were asked "should companies that sell
information to others be required by law to ask permission from
individuals before making the information available," 93% said "yes."

Meanwhile, the Avrahami case (involving the sale of an individual's
name for marketing purposes) goes forward with growing public interest.
Mr. Avrahami appeared last week on CNN and National Public Radio as
favorable articles appeared in newspapers across the country.
US News & World Report must be concerned -- it has hired one of
Washington's largest law firms to defend the magazine.

For current information on the Avrahami case, check out:

   http://www.epic.org/privacy/junk_mail/


=======================================================================
[7] Medical Privacy Resources On-line
=======================================================================

EPIC has put together a comprehensive page on medical privacy issues,
including hot topics (federal legislation, Supreme Court cases, public
polls), background on medical privacy laws, consumer advice, and general
resources.  Also included is the letter sent to Hillary Clinton in
April 1993 by leading privacy advocates, computer scientists, and policy
experts recommending that the Social Security Number not be used as a
patient record identifier.

    http://www.epic.org/privacy/medical/

=======================================================================
[8] Upcoming Privacy Related Conferences and Events
=======================================================================

SPECIAL: EPIC's Dave Banisar will discuss the current status of funding
  for the FBI wiretap bill this week on NPR's Morning Edition.  Check
  out http://www.epic.org/privacy/wiretap/

Managing the Privacy Revolution. October 31 - November 1, 1995.
Washington, DC. Sponsored by Privacy & American Business. Speakers
include Mike Nelson (White House) and C.B. Rogers (Equifax). Contact Alan
Westin 201/996-1154.

Innovation and the Information Environment.  November 3-4. University
of Oregon School of Law in Eugene, Oregon.  Contact: Keith Aoki
KAOKI@law.uoregon.edu.

National Privacy and Public Policy Symposium.  November 2-4, Hartford.
Cosponsored by the Connecticut Foundation for Open Government. Contact
Richard Akeroyd, rakeroyd@csunet.ctsateu.edu 203/566-4301 (tel),
203/566-8940 (fax).

22nd Annual Computer Security Conference and Exhibition. November 6-8,
Washington, DC. Sponsored by the Computer Security Institute.
Contact: 415-905-2626.

Global Security and Global Competitiveness: Open Source Solutions.
November 7-9. Washington, D.C. Sponsored by OSS. Contact: Robert Steele
oss@oss.net.

"The Right to Privacy," November 9.  Authors Caroline Kennedy and Ellen
Alderman discuss their new book on privacy.  Lizner Auditorium, George
Washington University, Washington, DC.  Contact 202/357-3030.

11th Annual Computer Security Applications Conference: Technical
papers, panels, vendor presentations, and tutorials that address the
application of computer security and safety technologies in the civil,
defense, and commercial environments. December 11-15, 1995, New Orleans,
Louisiana. Contact Vince Reed at (205)890-3323 or vreed@mitre.org.

RSA 6th Annual Data Security Conference:  Cryptography Summit.
Focus on the commercial applications of modern cryptographic technology,
with an emphasis on Public Key Cryptosystems. January 17-19, 1996.
Fairmont Hotel, San Francisco.  Contact Layne Kaplan Events, at (415)
340-9300, e-mail at info@lke.com, or register at http://www.rsa.com/.

Computers Freedom and Privacy '96. March 27-30. Cambridge, Mass.
Sponsored by MIT, ACM and WWW Consortium. Contact cfp96@mit.edu or
http://www-swiss.ai.mit.edu/~switz/cfp96

Conference on Technological Assaults on Privacy, April 18-20, 1996.
Rochester Institute of Technology, Rochester, New York. Papers should
be submitted by February 1, 1996. Contact Wade Robison privacy@rit.edu,
by FAX at (716) 475-7120, or by phone at (716) 475-6643.

Australasian Conference on Information Security and Privacy June
24-26, 1996. New South Wales, Australia. Sponsored by Australasian
Society for Electronic Security and University of Wollongong. Contact:
Jennifer Seberry (jennie@cs.uow.edu.au).

Visions of Privacy for the 21st Century: A Search for Solutions.
May 9-11, 1996.  Victoria, British Columbia. Sponsored by The Office
of Information and Privacy Commissioner for the Province of British
Columbia and the University of Victoria. Program at
http://www.cafe.net/gvc/foi

18th International Conference of Data Protection and Privacy
Commissioners. Sponsored by the Privacy Commissioner of Canada.
September 18-20, 1996. Ottawa, Canada.

Advanced Surveillance Technologies II. Sponsored by EPIC and Privacy
International. September 17, 1995. Ottawa, Canada. Contact
pi@privacy.org

International Colloquium on the Protection of Privacy and Personal
Information. Commission d'acces a l'information du Quebec. May 1997.
Quebec City, Canada.

             (Send calendar submissions to Alert@epic.org)

=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center.  To subscribe, send the message:

    SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname

to listserv@cpsr.org.  You may also receive the Alert by reading the
USENET newsgroup comp.org.cpsr.announce.

Back issues are available via http://www.epic.org/alert/ or
FTP/WAIS/Gopher/HTTP from cpsr.org /cpsr/alert/ and on Compuserve (Go
NCSA), Library 2 (EPIC/Ethics).


=======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues relating to the
National Information Infrastructure, such as the Clipper Chip, the
Digital Telephony proposal, medical record privacy, and the sale of
consumer data.  EPIC is sponsored by the Fund for Constitutional
Government and Computer Professionals for Social Responsibility. EPIC
publishes the EPIC Alert and EPIC Reports, pursues Freedom of
Information Act litigation, and conducts policy research on emerging
privacy issues. For more information, email info@epic.org, WWW at
HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite
301, Washington, DC 20003. (202) 544-9240 (tel), (202) 547-5482 (fax).

The Fund for Constitutional Government is a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights.  Computer Professionals for Social Responsibility is a
national membership organization of people concerned about the impact
of technology on society.  For information contact: cpsr-info@cpsr.org

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.

Your contributions will help support Freedom of Information Act
litigation, strong and effective advocacy for the right of privacy and
efforts to oppose government regulation of encryption and funding of
the National Wiretap Plan.

Thank you for your support.

------------------------ END EPIC Alert 2.13 ------------------------


======================================================================

Marc Rotenberg (Rotenberg@epic.org)     *   +1 202 544 9240 (tel)
Electronic Privacy Information Center   *   +1 202 547 5482 (fax)
666 Pennsylvania Ave, SE, Suite 301     *   HTTP://www.epic.org/
Washington, DC 20003                    *   info@epic.org
======================================================================

--- GEcho 1.02+
 * Origin: snet-l@world.std.com <-> FidoNet (1:330/202)
