
[FYI] (Fwd) GILC Alert




------- Forwarded message follows -------
From:           	Chris Chiu <CCHIU@aclu.org>
To:             	"GILC announce (E-mail)" <gilc-announce@gilc.org>
Subject:        	GILC Alert
Date sent:      	Mon, 27 Aug 2001 10:12:56 -0400

GILC Alert
Volume 5, Issue 6
August 27, 2001

Welcome to the Global Internet Liberty Campaign Newsletter.

Welcome to GILC Alert, the newsletter of the Global Internet Liberty
Campaign. We are an international organization of groups working for
cyber-liberties, who are determined to preserve civil liberties and
human rights on the Internet. We hope you find this newsletter
interesting, and we very much hope that you will avail yourselves of
the action items in future issues. If you are a part of an
organization that would be interested in joining GILC, please contact
us at <gilc@gilc.org>. If you are aware of threats to cyber-liberties
that we may not know about, please contact the GILC members in your
country, or contact GILC as a whole. Please feel free to redistribute
this newsletter to appropriate forums.

===============================================
Free expression
[1] China installs "Internet Police" censorware
[2] Russian Ebook programmer released on bail
[3] Court forces new round in DVD weblinks case
[4] Singapore restricts political sites
[5] Thailand initiative may stifle Net speech
[6] German official seeks US Net censor help
[7] New California anonymous Net speech battle
[8] Website exposes Afghan gov't abuses
[9] New efforts underway to bridge digital divide

Privacy
[10] South African bill sparks privacy fears
[11] Disappointment over Australian cybercrime report
[12] US gov't avoids disclosure on keystroke taps
[13] US Congress orders report on Carnivore spyware
[14] Privacy fears over Aussie universal bank site
[15] Geolocation software threatens Net privacy
[16] Weak P3P privacy promoted in Windows XP 
[17] Report: webbug tracking is increasing
[18] New toilet emails medical info

===============================================
[1] China installs "Internet Police" censorware
===============================================
Beijing is implementing new technology and other restrictions to shut
out online dissent.

According to the official Xinhua news agency, "Internet Police"
software has already been installed on computers in the northwestern
city of Xi'an. The device deters users from accessing websites with
controversial content in a variety of ways. Among other things, it
issues warnings to individuals if they attempt to visit such webpages,
then denies access if users keep on trying. In addition, the program
captures screen shots and sends them to a central facility, making it
easier for government censors to detect and track critics along the
Information Superhighway. 

Additionally, Chinese officials have imposed further regulations on
news coverage in the Land of the Dragon. As announced on state
television, it is illegal to publish materials that negate "the
guiding role of Marxism, Leninism, Mao Zedong and Deng Xiaoping's
theories, [g]oes against the guiding principles, official line or
policies of the Communist Party," or "violates party propaganda
discipline." Also banned is "content that guides people in the wrong
direction, is vulgar or low." Chinese commissars are set to create a
special division for approval or censorship under these new regimes.
On top of all this, Mainland China's Supreme People's Court has laid
down rules that will hold Internet users liable for "malicious" use of
domain names.

Meanwhile, Communist agents held a secret trial for Huang Qi, the
proprietor of the "Tianwang Missing Persons Website" who was arrested
on charges of "instigation to subvert state power." Huang had
republished articles written by other people about the 1989 Tiananmen
massacre, the Falun Gong spiritual movement and other topics deemed
taboo by the government. A trial had been postponed after Huang
collapsed during public proceedings, allegedly because he had been
beaten in jail. There is also speculation that government officials
delayed the trial in order to help Beijing's bid for the 2008 Summer
Olympics. Details as to the outcome of the secret sessions have yet to
surface.

Read "China puts Webmaster on trial," Associated Press, Aug. 20, 2001
at http://www.salon.com/tech/wire/2001/08/20/china/index.html

See Steven Bonisteel, "Trial Resumes For Jailed Chinese Webmaster
Huang Qi," Newsbytes, Aug. 17, 2001 at
http://www.newsbytes.com/news/01/169130.html

See also "Chinese webmaster tried for subversion," BBC News Online,
Aug. 17, 2001 at
http://news.bbc.co.uk/hi/english/world/asia-pacific/newsid_1496000/1496107.stm

For more about Chinese blocking and tracking systems, read "Online
Police Appear in Internet Bars in Xi'an," Xinhua News Agency, Aug. 7,
2001 at http://www.cnd.org/Global/01/08/07/010807-9.html

For further details on new Chinese press restrictions, see "You Don't
Say: China forbids publication of seven types of content," China
Online, Aug. 13, 2001 at
http://www.chinaonline.com/topstories/010813/1/c01080805.asp

Read "'Malicious cyber-squatters to face civil punishments," China
Online, July 25, 2001 at
http://www.chinaonline.com/issues/internet_policy/newsarchive/secure/2001/july/c01072310.asp

===============================================
[2] Russian Ebook programmer released on bail
===============================================
A Russian computer scientist who gave a presentation on Ebook
encryption codes is still facing serious criminal charges.

The programmer, Dmitry Sklyarov, had developed a program that
circumvents the copy protection scheme contained on Adobe Systems
electronic books. He created the program as part of an effort to allow
Ebook readers to view such products on whatever computers they like.
After writing a paper on the subject and presenting it to the public
at a Las Vegas computer convention, United States government agents
arrested him on charges of violating the controversial Digital
Millennium Copyright Act (DMCA), which restricts the right of computer
users to circumvent any program that "effectively controls access" to
copyrighted works. In early August, Sklyarov was finally released on
US $50 000 bail, but was ordered to remain in Northern California. His
next court appearance has been postponed until Aug. 30, 2001, when he
will find out whether Federal officials will continue to prosecute
him. If convicted, he could get 5 years in prison and a US $500 000
fine. 

Both the case and the DMCA have drawn strong protests from Internet
users around the world who fear that these legal developments will
threaten free expression, particularly in the scientific community.
Earlier this year, the Recording Industry Association of America had
written a letter to a Princeton University professor, Edward Felten,
suggesting that he might face a DMCA-styled lawsuit if he presented a
research paper on decrypting a certain digital watermark copy
protection scheme. Felten, who is represented by the Electronic
Frontier Foundation (EFF-a GILC member) sued the RIAA and eventually
gave his presentation on Aug. 15, 2001; the case is still ongoing. A
similar battle has arisen in the Netherlands, where a computer
scientist, Niels Ferguson, held off publishing his research results on
an Intel copy protection system "for fear of prosecution and/or
liability under the U.S. DMCA law" on one of his many visits to the
United States. 

These moves have also generated interest in various US proposals, such
as the Music Online Competition Act (MOCA), which would ease
intellectual property-based restrictions along the Information
Superhighway. Ironically, while Sklyarov continues to encounter legal
hurdles in the United States, he faces no such problems under the laws
of his home country. Dmitry Chepchugov, who directs the Russian
Interior Ministry's technology division, said that "[i]f this case was
being reviewed in Russia, we would have nothing against Dmitry
Sklyarov."

For press coverage of the Sklyarov case, visit a special EFF archive
under http://www.eff.org/IP/DMCA/US_v_Sklyarov/media.html

For further background materials about the Sklyarov case, click
http://www.eff.org/IP/DMCA/US_v_Sklyarov/

For more on the Felten and Ferguson cases, read Mike Musgrove,
"Digital-Music Code Crackers Tell All," Washington Post, Aug. 16,
2001, page E3 at
http://www.washingtonpost.com/wp-dyn/articles/A17617-2001Aug15.html

See also Lisa M. Bowman, "Professor unveils anti-copying flaws," ZDNet
News, Aug. 16, 2001 at
http://www.zdnet.com/zdnn/stories/news/0,4586,5095789,00.html

For more on the Russian government's refusal to prosecute Sklyarov,
see "Adobe Hacker off Hook in Russia," Associated Press, Aug. 9, 2001
at http://www.wired.com/news/print/0,1294,45966,00.html

For further information on what happened at the Sklyarov bail hearing,
read Carrie Kirby, "Accused in copyright case out on bail," San
Francisco Chronicle, Aug. 7, 2001, page E2 at
http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2001/08/07/BU139975.DTL&type=printable

For more on British protests against the prosecution of Sklyarov, read
Wendy McAuliffe, "London protesters slam US copyright laws," ZDNet UK,
Aug. 3, 2001 at
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2801413,00.html

The text of MOCA is posted under
http://www.digmedia.org/whatsnew/moca.pdf

For more reaction to MOCA, read "Online music bill 'meets
disapproval'," BBC News, Aug. 6, 2001 at
http://news.bbc.co.uk/hi/english/entertainment/new_media/newsid_1475000/1475799.stm

===============================================
[3] Court forces new round in DVD weblinks case
===============================================
A college student and budding computer scientist has suffered a
serious court setback in a high profile copyright case.

The case centers around DeCSS-a primitive computer program that
unscrambles the copy protection scheme used in DVDs. It was created to
help users of the Linux operating system play DVDs on their computers.
Over the past year and a half, the entertainment industry, through the
DVD Content Control Association (DVD CCA) and the Motion Picture
Association of America (MPAA), has waged legal battles in both New
York and California to prevent Internet users from linking to websites
that have DeCSS. Many experts fear that these actions may stifle free
expression in cyberspace.

One of the defendants, Matthew Pavlovich, had posted DeCSS on a DVD
player development mailing list that he operated. After the initial
lawsuit was filed, a court ruled that Pavlovich can be forced to
answer charges in California, largely because "California is commonly
known as the center of the motion picture industry" and that he
somehow should have known that posting DeCSS was "injuriously
affecting the motion picture and computer industries in California."
The ruling came despite the fact that Pavlovich, whose defense is being
coordinated by the Electronic Frontier Foundation (EFF-a GILC member),
performed all of these actions thousands of miles away and has never
lived in California. An appeal is expected shortly.

An EFF press release on the ruling is available at
http://www.eff.org/IP/Video/DVDCCA_case/20010808_eff_pavlovich_pr.html

The text of the ruling is posted under
http://www.eff.org/Cases/DVDCCA_case/20010807_pavlovich_appelate_ruling.html

===============================================
[4] Singapore restricts political sites
===============================================
The government of Singapore has issued a series of tough restrictions
concerning online political activity, even as the country gears up for
national elections.

While the full details of this plan have still to be released, it
would apparently ban political content on the World Wide Web except on
the official sites of various political parties. In addition, those
official sites would have to comply with certain regimes, including
moderators for chat areas. The bill would not allow anonymous campaign
paraphernalia, but would require the printer, publisher and advertiser
to be specifically identified, for possible future government
prosecution. Moreover, the state Singapore Broadcast Authority is
already requiring registration of all political websites.

Opposition leaders scoffed at the new regulations, arguing that they
constituted yet another attempt by the ruling People's Action Party to
silence dissent. Indeed, the Singaporean government had already banned
such things as singing during political rallies and political
advertisements in video or film form. Chee Soon Juan of the Singapore
Democratic Party said that the proposed standards were just "another
way the government is trying to crack down on the use of the internet.
They know it is one way the opposition can use it and be on level
playing field with the ruling party." 

Unfortunately, the new strictures have already led one organization to
shut down its web activities. The SBA had ordered Sintercom (a GILC
member) to register with government agents and to refrain from
discussing various prohibited "themes" including "material that is
objectionable on the grounds of public interest, public morality,
public order, public security, national harmony" or speech that
"offends against good taste or decency." In spite of protests, SBA
insisted that Sintercom "exercise judgement and ensure that the
contents on their websites comply with the SBA Internet Code of
Practice." Sintercom has since closed down, although the precise
reasons for this move are not clear.

For the latest details, see "Singapore net law dismays opposition,"
BBC News, Aug. 14, 2001 at
http://news.bbc.co.uk/hi/english/world/asia-pacific/newsid_1490000/1490425.stm

Read John Aglionby, "Singapore plans purge of net politics," The
Guardian, July 27, 2001 at
http://www.guardianunlimited.co.uk/internetnews/story/0,7369,528129,00.html

Further background information is available from DFN under
http://dfn.org/focus/singapore/web-laws.htm

For additional details on the Sintercom shutdown, click
http://www.sintercom.org/sba/index.html

===============================================
[5] Thailand initiative may stifle Net speech
===============================================
Thailand officials are implementing a new tracking and blocking system
to prevent people from seeing various types of Internet content. 

Under this plan, Internet service providers will have to block user
access to given websites. ISPs will also have to log information about
their users' activities and retain these records for a minimum of 3
months. Clauses will be introduced into customer contracts so that
computer users can be held responsible for viewing or accessing
controversial online materials. The scheme even goes so far as to
mandate service providers to standardize their system clocks, so as to
ensure accurate user tracking records.

It is unclear what effect these efforts will have on Internet speech,
particularly since Thai authorities apparently have not disclosed any
specific criteria as to what content will be censored. Despite these
concerns, however, many telecommunications companies reportedly have
agreed to this plan.

See Karnjana Karnjanatawe, "Thailand Moves To Crack Down On Web
Content," Bangkok Post, July 26, 2001 at
http://www.newsbytes.com/news/01/168353.html

===============================================
[6] German official seeks US Net censor help
===============================================
A senior German government official wants his American counterparts to
shut down websites in the United States.

German Interior Minister Otto Schily is pushing these measures as
a way to silence various forms of so-called hate speech. Such
materials are illegal under German law, but are often available via
sites in the United States, where there are tougher protections for
freedom of expression. Schily said that he will travel to the US in
the fall of 2001 to meet with "responsible officials" to help carry
out this plan. He also mentioned that these meetings will feature
discussions on how to use civil lawsuits as a weapon against US web
creators. 

Some observers are worried about this apparent attempt to impose
German speech restrictions on citizens in another country. Indeed,
Schily previously had pushed for several other bizarre methods to curb
controversial content, including letting government agents disrupt
private websites via spam and denial of service attacks. Andy
Muller-Maguhn from the Chaos Computer Club (CCC-a GILC member) accused
Schily of "trying to shoot the messenger," adding that "Mr. Schily
seems to want a very strong government, and not let the people make
their own opinions on what makes reality." Similar concerns were aired
by opposition party official Hans-Joachim Otto, who doesn't "expect
any spectacular agreement in a German-American meeting with Mr.
Schily. He should not have the illusion that he can bring his own
German standards as a general standard between the United States and
Germany. It's not possible and it's not even desirable." 

Read Ned Stafford, "German Official To Visit U.S. In Effort To Shut
Down Hate Sites," Newsbytes, Aug. 22, 2001 at
http://www.newsbytes.com/news/01/169280.html

See also Steve Kettman, "Germany's Anti-Hate Push Angers," Wired News,
Aug. 8, 2001 at http://www.wired.com/news/print/0,1294,45907,00.html

===============================================
[7] New California anonymous Net speech victory
===============================================
A California court has upheld the right of Internet users to speak
without having to divulge their identities first.

One of these rulings rejected an attempt by Pre-Paid Legal Services
Inc. to discover the real names of 8 Yahoo chatroom users. They had
posted several comments that took the company to task, particularly in
its treatment of employees. The firm then sued, claiming that it
wanted to find out whether the online speakers had divulged any trade
secrets. However, the defendants, who were represented by the
Electronic Frontier Foundation (EFF-a GILC member), feared possible
reprisals if their identities were revealed. 

The judge reaffirmed the principle that Internet users have the right
to anonymous free expression under the United States Constitution. She
went on to hold that this speech interest was strong enough to
override Pre-Paid Legal's desire to find personal information about
the defendants. EFF Senior Staff Counsel Lee Tien welcomed this
decision, hoping it would "signal to other companies that judges will
not permit corporate executives to abuse the courts in ferreting out
critics."

An EFF press release on this subject is available at
http://www.eff.org/sc/ppls/20010813_eff_ppls_pr.html

See David McGuire, "Judge Rejects Attempt To Unmask Online Speakers,"
Newsbytes, Aug. 13, 2001 at
http://www.newsbytes.com/news/01/168972.html

See Lisa M. Bowman, "Court: Posters' IDs can stay under wraps," ZDNet
News, Aug. 13, 2001 at
http://www.zdnet.com/filters/printerfriendly/0,6061,5095619-2,00.html

===============================================
[8] Website exposes Afghan gov't abuses
===============================================
A women's website is helping expose the excesses of Afghanistan's
rulers. But government censors may prevent anyone in the country from
seeing it.

The Revolutionary Association of the Women of Afghanistan (RAWA) has
created a site that chronicles human rights violations, many of which
have been perpetrated by the ruling Taliban elite. These materials
include a large gallery of photographs that depict such grim events as
summary executions of women, children being forced to live in squalor,
starving peasants, and even forced amputations as criminal punishment.
Besides these images, the site stores news updates and accounts of
life in the troubled nation. The individuals who help put together
these webpages remain anonymous in order to head off possible
harassment; indeed, RAWA's founder was murdered several years ago by
Afghan government agents.

Unfortunately, various forces have apparently made it difficult for
much of the website's potential audience to view these materials. The
Taliban government recently made it illegal for anyone in the country
to use the Information Superhighway. Moreover, severe problems with
the nation's infrastructure have prevented many Afghanis from going
online in the first place. In spite of these difficulties, the website
continues to draw more public attention to the plight of women in the
beleaguered Central Asian country.

The RAWA homepage can be reached via
http://www.rawa.org/

Read Julia Scheeres, "Risking All to Expose the Taliban," Aug. 10,
2001 at http://www.wired.com/news/print/0,1294,45974,00.html

=================================================
[9] New efforts underway to bridge digital divide
=================================================
Several initiatives have been launched recently to allow more people
to enter the Information Superhighway.

Some of these projects have been developed by the Association of
Southeast Asian Nations (ASEAN), including an e-ASEAN framework and
Asian IT Belt Initiative, to enhance information technology resources
in the region. ASEAN ministers have announced that they are
"determined to use ICT [Information Communications Technology] as a
tool for narrowing the development gap and closing the digital divide
within and among member countries as well as between ASEAN and the
rest of the world." In addition, the governments of India and Brazil
are offering email accounts to remotely located citizens in their
respective countries, which can be accessed by logging on at local
post offices.

Meanwhile, various private institutions have also started programs to
bridge the digital divide. In Uganda, for example, a new non-profit
Internet service provider named The Source has been created to help
users go online. Despite having to work with second hand equipment and
deal with relatively high licensing fees, the organization was able to
open an Internet café in the capital that offers personal email
accounts and web access at low cost. The Source's founders now hope
that others will use their project "as a springboard for ideas to
begin similar projects that can serve communities" throughout Africa.

In addition, the Center for Democracy and Technology (CDT-a GILC
member) and the non-profit Internews have launched the Global Internet
Policy Initiative, which is intended to promote reforms in developing
countries that will support an open and more affordable Internet, and
thereby help bridge the digital divide. GIPI has full-time policy
coordinators in 11 countries, including Russia, Indonesia and Nigeria,
working with local stakeholders in consultative, coalition-based
efforts to promote the principles of a decentralized, accessible,
user-controlled, and market-driven Internet. Recently, GIPI signed a
cooperative agreement with the United Nations Development Programme,
and is planning to expand further in Asia, Africa, and Latin America.

For further details about Uganda's The Source ISP, click
http://home.att.net/~africantech/Internet/Uganda-ISP.htm

For more on the Indian universal email program, see Ram Dutt Tripathi,
"India sets up e-post office," BBC News Online, Aug. 13, 2001 at
http://news.bbc.co.uk/hi/english/world/south_asia/newsid_1489000/1489470.stm

See David Legard, "ASEAN in push to reduce digital divide," IDG News,
July 24, 2001 at http://idg.net/ic_656219_1794_9-10000.html

Read Paulo Rebelo, "Casting a Wider Net in Brazil," July 30, 2001 at
http://www.wired.com/news/print/0,1294,45526,00.html

The GIPI homepage is located at
http://www.gipiproject.org 

=================================================
[10] South African bill sparks privacy fears
=================================================
A proposal to revise government surveillance laws in South Africa is
drawing fierce criticism over its potential privacy ramifications.

Among other things, the Interception and Monitoring Bill 2001 allows
the government to monitor all telecommunications systems, including
mobile phones, internet and e-mail. One provision states that "no
service provider may provide any telecommunication service which does
not have the capacity to be monitored." Towards this end, the proposal
empowers the Minister of Communications to issue directives and
thereby force telecommunications companies to comply with government
surveillance specifications (including connections to "central
monitoring centres"). Furthermore, the bill's broad exceptions would
allow law enforcement officials and members of the South African
Defense Forces in many cases to avoid the need for judicial approval
before intercepting certain types of data (such as "call related
information"). 

Many experts are worried that the proposal will allow massive
government intrusions into cyberspace. In formal comments submitted to
the South African government, Privacy International (a GILC member)
charged that the Bill "represents a step backwards ... and is
inconsistent with international standards on human rights and the
legal requirements of the South African Constitution." The group
pointed out that the provisions "for authorizing surveillance" failed
to "include meaningful limitations to prevent abuses," and suggested
that "journalism, civic protest, trade union organizing and political
opposition" might be "subjected to unwarranted surveillance because
the individuals involved have different interests and goals than those
in power." The organization also pointed out the Bill's loose
definition of "call related information" may allow government agents
to track users (such as through mobile phones) without a court order.
Hearings on these and other concerns will take place in a few weeks; a
formal decision on whether to adopt the measure may occur before the
end of the year.

The text of the bill is available at
http://www.pmg.org.za/bills/Interception0107.htm

Privacy International's comments on the bill are posted under
http://www.privacyinternational.org/countries/south_africa/pi-sa-intercept-letter.html

Read Declan McCullagh, "So. Africa Weighs Police Spy Law," Wired News,
Aug. 17, 2001 at http://www.wired.com/news/print/0,1294,46124,00.html

See Philippa Garson, "Protests over SA 'snooping' bill," BBC News,
Aug. 13, 2001 at
http://news.bbc.co.uk/hi/english/world/africa/newsid_1484000/1484698.stm

======================================================
[11] Disappointment over Australian cybercrime report
======================================================
An Australian government report regarding a new cybercrime proposal is
drawing fire from privacy advocates.

An Australian Senate committee issued the document to address civil
liberties concerns over the Cybercrime Bill 2001. That proposal, among
other things, would greatly expand the power of government agents to
conduct surveillance along computer networks. It also would impose
absolute criminal liability for many Internet activities, including
"unauthorized impairment of electronic communication," with no
exceptions for individuals who access computers by mistake of fact.
People who are found liable under the plan could face 10 year jail
sentences. Proponents claim that the Bill is needed to conform with a
proposed international cybercrime Convention that is currently being
considered by the Council of Europe--a treaty that may be signed by
European government ministers in mid-September, but has already
attracted heavy criticism from privacy experts as well as
telecommunications providers.

In the report, the Senate committee granted its assent to the Bill,
although it did suggest a few changes to certain provisions. For
example, it held that the proposal should be amended "to provide
for the destruction of all personal information collected by law
enforcement agencies, which is not relevant to an investigation, after
a period of 3 months but subject this time frame being extended on the
authorisation of a senior officer." However, some of these changes
actually benefitted government investigators; for example, the panel
recommended that law enforcement officials be allowed to retain seized
computer equipment for longer periods of time (5 days, rather than 72
hours).

Many observers feel that the report did not go far enough in
protecting privacy rights online. Greg Taylor from Electronic
Frontiers Australia (EFA-a GILC member) charged that the "Committee
made some fairly superficial changes to the wording of the Bill but
nothing substantial. We're disappointed with the Report overall."
Taylor pointed out that portions of the revised plan would still grant
government agents greater access to private encryption keys, under
threat of criminal penalties: "If you've lost that key, how do you
prove you actually have and you're not just using that explanation as
an excuse? We've asked that it be excised from the bill until it is
properly investigated. The way the Bill is currently worded could
criminalise innocent behaviour...behaviour designed to protect
computer systems." 

The Senate Committee report is available (in PDF format) under
http://www.aph.gov.au/senate/committee/legcon_ctte/cybercrimebill01/cybercrime_bill01.pdf

For further background information, visit the EFA website under
http://www.efa.org.au/Campaigns/cybercrime.html

See Rachel Lebihan, "Australian cyberCrime Bill 'overpowers' inquiry,"
ZDNet Australia, Aug. 22, 2001 at
http://www.zdnet.com.au/printfriendly?AT=2000020826-20256107

=================================================
[12] US gov't avoids disclosure on keystroke taps
=================================================
The United States government has invoked a little known law to avoid
having to provide more details on a new computer interception
technique.

The technique has become a key issue in the case of Nicodemo Scarfo,
an alleged mobster who was targeted by the US Federal Bureau of
Investigation (FBI) for wiretapping purposes. FBI agents decided to
go beyond traditional surveillance methods and installed a device on
the keyboard of Scarfo's home computer that apparently recorded every
letter and character he typed. The exact nature and capabilities of
these taps are unclear; after government prosecutors indicted Scarfo,
they gave few details regarding this technique to the presiding judge.


This secrecy angered Federal judge Nicholas Politan, who explained:
"In this new age of rapidly evolving technology, the Court cannot make
a determination as to the lawfulness of the Government's search in
this matter without knowing specifically how the search was
effectuated." The judge held that the "government has not
satisfactorily confirmed for the court that the keylogger device did
not operate in conjunction with the computer's modems, or otherwise to
cause the interception of a communication," which would violate US
wiretapping statutes. Politan then commanded prosecutors to provide "a
report explaining fully how the key logger device functions." However,
government officials then moved for reconsideration, claiming
protection from disclosure under the Classified Information Procedures
Act. Politan granted this last request and ruled that the government
need provide the defense with only an unclassified summary of the
keylogging method by September 14, 2001.

The Scarfo case is being watched very closely by privacy advocates.
David Sobel from the Electronic Privacy Information Center (EPIC-a
GILC member) noted that keystroke logging systems presented new civil
liberties challenges: "Because of this technology there are a lot of
gray areas, but law enforcement is always attempting to resolve them
in favor of more aggressive techniques."

See "FBI keeps its bugging secrets," BBC News Online, Aug. 24, 2001 at
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1508000/1508109.stm

Background materials on the Scarfo case (including motions and court
orders) are archived at the EPIC website under
http://www.epic.org/crypto/scarfo.html

===================================================
[13] US politicians order Carnivore spyware report
===================================================
Several recent events may lead to greater disclosure about a highly
publicized Internet spy tool.

Carnivore was created by the United States Federal Bureau of
Investigation (FBI). It can be attached to the server of a given
Internet service provider and intercepts all Internet transmissions
that come through the server. Afterwards, it parses out pertinent
material, based on keywords provided by the administrator. The latest
version of the program, known as Enhanced Carnivore or DCS 1000, uses
the Windows 2000 operating system and reportedly includes improvements
such as better filtering and triggering capabilities as well as
greater capacity (presumably to cope with high-speed broadband
networks).

Many Internet user groups have criticized both Carnivore and its
progeny over the past year as being serious threats to online privacy.
After the initial revelations concerning Carnivore appeared, the
Electronic Privacy Information Center (EPIC-a GILC member) filed a
request for more details under the Freedom of Information Act (FOIA).
After a Federal judge ordered the United States Department of Justice
(DOJ) to formally respond to EPIC's request, US government officials
released a series of documents on the subject which, however,
contained a number of omissions. For example, none of these papers
contained any analysis of whether the use of Carnivore-type programs
was legal; in any case, the documents that actually had been released
were heavily redacted. 

Nevertheless, in spite of these omissions, the DOJ moved to end EPIC's
inquiry, saying that it had fulfilled its FOIA obligations. EPIC has
since filed papers challenging these assessments and arguing that, if
anything, the DOJ should be releasing still more information, due to
apparent failure to disclose key documents regarding Carnivore's
abilities and legal implications. A ruling is expected within the next
few weeks.

Meanwhile, various US politicians have taken an interest in trying to
determine the legality of Carnivore. As a result, the US House of
Representatives has approved a measure (contained within an
appropriations bill) that would require greater government disclosures
regarding the controversial interception tool. More specifically, the
adopted legislation would force the US Attorney General to provide a
report (at the end of Fiscal Years 2001 and 2002) with details on the
scope of the Carnivore program, how many times it has been approved
for use during the 2002 Fiscal Year, who at DOJ reviews surveillance
requests, and the criteria used for approving such requests. The
measure will now go to the Senate for further consideration.

More recently, there are indications that the use of Carnivore may be
expanded to intercept text messages transmitted through wireless
networks. Michael Altschul from the Cellular Telecommunications and
Internet Association warned in an Aug. 15, 2001 letter that "[i]f the
industry is not provided the guidance and time to develop solutions
for packet surveillance that intercept only the target's
communications, it seems probable that Carnivore, which intercepts all
communications in the pathway without the affirmative intervention of
the carrier, will be widely implemented." Altschul was referring to
deadlines pursuant to the Communications Assistance for Law
Enforcement Act (CALEA), which essentially requires telecom providers
to make their networks wiretap-friendly. EPIC's David Sobel commented
that these technical difficulties could open "the door to the
collection of communications of people who aren't even named in
[court] orders." 

Read Robert O'Harrow Jr., "FBI's 'Carnivore' Might Target Wireless
Text," Washington Post, Aug. 24, 2001, page E1 at
http://www.washingtonpost.com/wp-dyn/articles/A54155-2001Aug23.html

EPIC's latest filing in its Carnivore FOIA requests is posted under
http://www.epic.org/privacy/carnivore/discovery_motion.pdf

See Brian Krebs, "Group Asks Court To Get Info On FBI E-Mail Snooping
Tool," Newsbytes, Aug. 10, 2001 at
http://www.newsbytes.com/news/01/168926.html 

A press release from Rep. Barr on the Carnivore reporting amendment is
posted under
http://hillsource.house.gov/barr/newsdescr.asp?N=20010724085005

See Lisa M. Bowman, "House pulls Carnivore into the light," ZDNet
News, July 23, 2001 at
http://www.zdnet.com/zdnn/stories/news/0,4586,5094558,00.html

See also "Congress Wants FBI Monitor," Associated Press, July 24, 2001
at http://cbsnews.com/now/story/0,1597,303019-412,00.shtml

====================================================
[14] Privacy fears over Aussie universal bank sites
====================================================
Australian websites that purport to be one-stop shops for personal
financial transactions are heightening concerns about online privacy.

Several Australian companies, including Commonwealth Bank, AMP,
Macquarie Bank and others, have each created new services that permit
customer information to be aggregated. The idea is for individuals to
access accounts from different institutions (including brokerage
houses and even airline frequent flier mile programs as well as banks)
from a single spot on the World Wide Web. In addition to collecting
all of this sensitive data in one place, the scheme requires users to
provide their names and passwords to third parties upfront. 

These systems have provoked concern from consumer privacy groups, who
fear that they will cause security problems. Chris Connolly from the
Australian Consumer Policy Centre said that "We've spent more than a
decade telling people not to give anyone else their PINs, and now the
Commonwealth, ninemsn and AMP are saying it's okay. It raises legal
questions, as under the electronic funds transfer code of conduct
you're not supposed to give your PIN to a third party." Similarly,
Delia Rickard from the Australian Securities and Investments
Commission charged that if "I were a consumer I wouldn't be giving my
PIN to an account aggregator without first checking with my financial
institution if they would consider that a breach of the terms and
conditions." 

Indeed, it is unclear whether these practices would violate
Australia's upcoming privacy directive. These rules, which are
scheduled to take effect December 17, 2001, require companies to do
several things, such as provide public notices as to how personal
information is handled. Similarly, the centralized banking
website programs may not pass muster under the Australian Internet
Industry Association's self-regulatory privacy guidelines, which are
meant to patch perceived weaknesses in the directive.

See Caitlin Fitzsimmons, "PINs 'at risk' in online banking,"
Australian IT, Aug. 14, 2001 at
http://australianit.news.com.au/common/storyPage/0,3811,2580393%5E442,00.html

Additional details on Australia's online privacy directives are
available in "Australian privacy confusion escalates," ZDNet
Australia, Aug. 17, 2001 at
http://www.zdnet.com.au/printfriendly?AT=2000020814-20255322

For more on Australian privacy self-regulation, read Selina Mitchell,
"IIA code to bolster privacy," Australian IT, Aug. 14, 2001 at
http://australianit.news.com.au/common/storyPage/0,3811,2581498%255E442,00.html

====================================================
[15] Geolocation software threatens Net privacy
====================================================
New computer programs may be able to trace the geographic location of
Internet users. But is this technological innovation such a good
thing?

That's what privacy advocates are wondering as several companies,
including Quova, are pushing ahead with the development of geolocation
software. Quova's GeoPoint technology consists of equipment software
installed on a gateway server through which users' computers must go
to access a given website. GeoPoint then collects visitors' Internet
Protocol numbers and locates them based on maps of some 4 billion IP
addresses. According to company literature, this tracking can be done in
real time and be broken down by Latitude and Longitude as well as
other geographic categories (including Postal Code, Metro Area and so
forth). These products are being pitched for use in a variety of
purposes, including region-based Internet content blockers and
targeted mass-marketing campaigns.

Some observers warn that the tracking capabilities of these products
may erode individual liberties both online and off. David Sobel from
the Electronic Privacy Information Center (EPIC-a GILC member) warned:
"Right now oppressive governments around the world are not able to
keep information away from their citizens as they had [before the
Information Superhighway]." As such, Sobel added, the uninhibited use
of geolocation software may lead to "a serious loss of one of the main
benefits of the internet." 

For more on Quova geolocation software, click
http://www.quova.com/service.htm

Read Matthew Leising, "New software pinpoints location of web users,"
Financial Times, Aug. 1, 2001 at
http://news.ft.com/ft/gx.cgi/ftc?pagename=View&c=Article&cid=FT3T4GY9VPC&live=true&useoverridetemplate=ZZZFKOXOA0C&tagid=ZZZC00L1B0C&subheading=information%20technology

====================================================
[16] Weak P3P privacy promoted in Windows XP 
====================================================
The newest version of the world's most commonly used operating system
is getting more negative reviews from privacy advocates.

In a complaint filed in late July with the United States Federal Trade
Commission (FTC), a coalition of groups, including GILC members the
Electronic Privacy Information Center (EPIC), Computer Professionals
for Social Responsibility (CPSR) and the Electronic Frontier
Foundation (EFF) charged that Microsoft's Windows XP will seriously
erode the privacy of computer users. The complaint alleged that
Microsoft's release of Windows XP and related products such as
Passport and Hailstorm will shift control of sensitive information
away from respective users to the company and will allow the company
to exchange this personal data among a whole host of business
partners. In addition, the filed papers suggested that Microsoft's
statements regarding the privacy implications of this scheme are
misleading, and drew attention to past flaws in Microsoft products
that have allowed "intruders unauthorized access to files, most
recently ... the 'CodeRed' virus." Thus, computer users may be coerced
into providing sensitive details about themselves to the software
giant and be left without "meaningful or effective control over the
use of that information within Microsoft."

Afterwards, Microsoft made a few changes, including a requirement for
Passport affiliated merchants to utilize Platform for Privacy
Preferences software (P3P), which was developed by the software giant
and is due to be included within the latest version of the Internet
Explorer browser. However, these minor alterations did little to
appease critics. Indeed, EPIC, CPSR, EFF and a number of other
organizations filed an amended complaint with the FTC, charging that
even with the changes, individuals who wish to use many of XP's
features (including Passport) must still give out large amounts of
personal information. The document also charged that broader use of
P3P would not be enough to protect user privacy, calling the system "a
complicated and confusing language ... that fails to provide any
assurance of compliance with baseline privacy standards, including the
FTC's own privacy standards." Furthermore, the groups suggested that
Microsoft's Kids Passport "collects unnecessary personally
identifiable information" from children, in violation of the US
Children's Online Privacy Protection Act (COPPA).

These groups urged the FTC to launch a formal investigation of these
Microsoft activities and to order the company to take several key
steps to protect user privacy. These steps include ordering Microsoft
"to block the sharing of personal information among Microsoft areas
... absent explicit consent," incorporation of techniques to "allow
users of Windows XP to gain access to Microsoft web sites without
disclosing their actual identity," and providing better notice to
users. 

An analogous filing may soon come from the United Kingdom, based on
concerns that XP may not comply with the US-European Union privacy
safe harbor agreement. That plan, among other things, requires US
companies to notify European users how their private data is being
handled and allows concerned individuals to limit access to such
information. Yet despite these difficulties, other companies have
plans to create their own centralized personal information storage
services. For example, America Online is working on a similar Magic
Carpet program to store such tidbits as people's names, addresses and
credit card numbers. 

The revised complaint over Windows XP privacy problems (in PDF format)
is posted under http://epic.org/privacy/consumer/MS_complaint2.pdf

For more on possible British privacy complaints against Windows XP,
see Brian Krebs, "U.K. Resident To Name Microsoft in FTC Privacy
Complaint," Newsbytes, Aug. 16, 2001 at
http://www.newsbytes.com/news/01/169104.html

Read Jonathan Krim, "Microsoft's One-ID Plan Again Draws Fire Over
Privacy," Washington Post, Aug. 16, 2001, page E1 at
http://www.washingtonpost.com/wp-dyn/articles/A16617-2001Aug15.html

Read "Windows XP sparks privacy fears," Agence France Presse, Aug. 16,
2001 at
http://australianit.news.com.au/common/storyPage/0,3811,2605243%5E442,00.html

For more on America Online's Magic Carpet identity harvesting service,
read Alec Klein and Ariana Eunjung Cha, "AOL May Launch Own Internet
ID Service," July 26, 2001, page E1, at
http://www.washingtonpost.com/wp-dyn/articles/A56191-2001Jul26.html

For further details on how flaws in Microsoft products help computer
bug attacks, see "Net Intruders," Christian Science Monitor, Aug. 15, 2001
edition at http://www.csmonitor.com/2001/0815/p8s2-comv.html

====================================================
[17] Report: webbug tracking is increasing
====================================================
Despite signs that show customer unease with current online privacy
environments, many e-businesses are continuing to track users through
a variety of means, especially webbugs.

For example, according to a new report by the Internet consulting firm
Cyveillance, the use of webbugs has gone up more than five-fold over
the past 3 years. Also known as "pixel tags," webbugs are tiny image
files embedded in webpages. They are used to identify and track
computer users and are often more difficult to block than cookies.
According to Cyveillance officials, many tested sites contradicted
their own privacy policies by using webbug tracking technology and
passing along the collected information to third parties. Indeed,
webbug use has become so prevalent that software (including Bugnosis)
has now been developed to allow users to detect and avoid them.

The report warns that as "public awareness levels begin to rise, the
fact that websites are collecting information from visitors without
permission is likely to generate more controversy." This argument is
supported by other recent studies from the Australian government and
the financial analysis firm Ernst and Young. Australian government
researchers discovered that more than 90 percent of surveyed
individuals wanted "businesses to seek permission before using their
personal information for marketing." In addition, "[t]he importance of
good privacy practices to businesses that deal with personal
information was further reinforced with the finding that 'respect for,
and protection of, my personal information' was, overall, the aspect
of service that mattered most to the largest proportion of consumers."
Similarly, the Ernst and Young paper found that such things as online
credit card fraud were among the most prevalent fears of would-be
e-shoppers, and that 80 percent of those surveyed said that they would
be more likely to visit a particular webpage if it used encryption or
digital certificates. 

Read Alfred Hermida, "Web bugs spying on net users," BBC News, Aug.
16, 2001 at
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1493000/1493152.stm 

See also Stefanie Olsen, "Web bug swarm grows 500 percent," CNet News,
Aug. 14, 2001 at http://news.cnet.com/news/0-1005-200-6873202.html

Bugnosis is available at
http://www.bugnosis.org

The Australian government report on privacy attitudes is available via
http://www.privacy.gov.au/research/index.html#1.1

For more about the Ernst and Young paper, read Jennifer Foreshew,
"Security key to net success," Australian IT, Aug. 14, 2001 at
http://australianit.news.com.au/common/storyPage/0,3811,2579410%255E442,00.html

====================================================
[18] New toilet emails medical info
====================================================
The latest threat to Internet privacy may soon be in your bathroom.

Several companies, including U.K.-based Twyford Bathroom, have
developed computerized toilets that perform tests on human waste. In
doing so, they can determine whether users have certain health
problems, including pregnancy, low fiber diet, and various diseases.
These toilets can then send this medical information over the Internet
to a variety of recipients, such as supermarkets (should there be any
nutritional deficiencies). As one bathroom expert quipped, "Why
shouldn't toilets be linked to the Internet?"

These devices have drawn considerable alarm from many quarters as an
apparent invasion of privacy. One leading gastroenterologist expressed
fears that the high-technology toilets would "result in a lot of
unnecessary further testing." It is also unclear whether the
manufacturers have developed any specific systems or rules to prevent
privacy abuses. However, it may be some time
before these digital bathroom appliances become widespread, mainly
because they are still very expensive. Indeed, a single Twyford
Bathroom VIP toilet costs a hefty US $5 000. 

See Michael Y. Park, "More Than an Average Joe's 'John'," Fox News,
Aug. 9, 2001 at http://foxnews.com/story/0,2933,31677,00.html

=========================================================
 ABOUT THE GILC NEWS ALERT:
=========================================================
The GILC News Alert is the newsletter of the Global Internet Liberty
Campaign, an international coalition of organizations working to
protect and enhance online civil liberties and human rights. 
Organizations are invited to join GILC by contacting us at
gilc@gilc.org.

To alert members about threats to cyber liberties, please contact
members from your country or send a message to the general GILC
address.

To submit information about upcoming events, new activist tools and
news stories, contact:

Christopher Chiu
GILC Coordinator
American Civil Liberties Union
125 Broad Street, 17th Floor
New York, New York 10004
USA

Or email:
cchiu@aclu.org

More information about GILC members and news is available at
http://www.gilc.org

You may re-print or redistribute the GILC NEWS ALERT freely.

To subscribe to the alert, please send e-mail to
gilc-announce@gilc.org

with the following message in the body:
subscribe gilc-announce

========================================================
PUBLICATION OF THIS NEWSLETTER IS MADE POSSIBLE BY A
GRANT FROM THE OPEN SOCIETY INSTITUTE (OSI)
========================================================
------- End of forwarded message -------