The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A.

For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL:

   http://www.vortex.com

-----------------------------------------------------------------------

PRIVACY Forum Digest      Saturday, 1 June 1996      Volume 05 : Issue 11

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.

===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), and Cisco Systems, Inc.
- - -
These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------

*********************************************
* PRIVACY Forum Four Year Anniversary Issue *
*********************************************

CONTENTS
   Summer Season Administrivia
      (Lauren Weinstein; PRIVACY Forum Moderator)
   Caller-ID implementation delayed in California
      (Lauren Weinstein; PRIVACY Forum Moderator)
   Highway tolls and privacy (Phil Agre)
   Crypto Legislation (David Sobel)
   CDA Challenge: A Status Report (Audrie Krause)
   Children's Privacy Bill Introduced, Recent Problems in Direct Marketing Industry, New Medical Privacy Bill Introduced [From EPIC Alert]
      (Marc Rotenberg)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".

All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com".
Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access.

-----------------------------------------------------------------------------

VOLUME 05, ISSUE 11

   Quote for the day:

      "Now repeat after me. I am not a pleasure unit... I am not a pleasure unit..."

         -- Derek Flint (James Coburn)
            "Our Man Flint" (20th Century Fox; 1966)

----------------------------------------------------------------------

Date: Sat, 1 Jun 96 11:26 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Summer Season Administrivia

Greetings. As we begin to enter the "summer" season, where network demographics tend to alter somewhat due to the vacations at many educational institutions, this seems like a good time to reemphasize some guidelines regarding the PRIVACY Forum.

Lately I've been receiving large numbers of mass-distributed "call for action" messages from various groups. These usually encourage the reader to call, fax, or write some entity or entities to foster a particular point of view regarding a specific issue, often with suggested wording.

In general (though there are exceptions), I tend not to run most such items in the digest. Such submissions tend to impart only limited information regarding the subject at hand, and often urge personal action based on limited data. The PRIVACY Forum digest is not meant primarily as a redistribution mailing list for the dissemination of such items, on any side of the issues.

Nor is the digest intended mainly to be a "clipping service" (though items of interest from other sources do certainly appear; this edition of the digest is an example).
Submissions from copyrighted material (other than very brief and properly attributed quotations of limited text) will not be run unless permission to distribute was received from the copyright holder/publisher. Long items covering multiple topics marked "may only be distributed in its entirety" (or similar wording) will generally not run, though they may be useful for my own information.

The PRIVACY Forum digest is meant to be a *discussion* digest, where individuals inform, interact, query about, and debate the ever-growing multitude of privacy issues that impact virtually every aspect of our lives. This means that participating in the Forum means more than just copying an item seen in some other source and sending it here. It means taking a bit of time to write original material on these topics, and to not just sit passively and absorb what other folks send in.

Comments, questions, ideas--all of these are welcome. If you disagree with a particular point of view, say so. I tend to see a reluctance (possibly fearing harassing e-mail) on the part of many persons to ever publicly say something that goes against the "popular" point of view on many privacy-related topics. Yet, I know views on both sides of these issues are out there. When there's a legitimate concern along these lines that is keeping an important issue from being discussed, I am willing to send out selected items on a "Name Withheld" basis, though this is a mechanism that is to be used sparingly and I reserve the right to determine whether it is appropriate in any given case where it is requested (if the determination is negative, the item won't be sent out).

I receive large numbers of messages from people asking how to find information regarding particular privacy issues (often for specific research or school projects). I'd like to remind everyone that a good starting point is the PRIVACY Forum archive of all back issues and collected papers.
This can all be accessed via email through the listserv system (listserv@vortex.com), ftp from "ftp.vortex.com", gopher via "gopher.vortex.com", and World Wide Web via "http://www.vortex.com". Full boolean keyword searching of the archive is available when accessing the archive via the Web.

I'm of course available to discuss privacy topics directly with interested parties, within available time constraints. A variety of exciting new features of the PRIVACY Forum are planned to be announced very soon as well.

Privacy issues cut across all socioeconomic and political lines in a truly unique manner. It is our responsibility, both individually and collectively as a society, to do our parts to help ensure that these issues receive appropriate attention and action as we move forward toward the (just around the corner!) 21st century.

--Lauren--

------------------------------

Date: Sat, 1 Jun 96 11:09 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Caller-ID implementation delayed in California

Today (June 1, 1996) was scheduled to be the activation day for Calling Number Identification (CNID) services for California telephone subscribers, on all intra and interstate calls. The June 1 date was the result of a six month extension granted to give the local telcos time to comply with California PUC (CPUC) subscriber notification and education requirements regarding availability of CNID blocking options.

This date has now apparently been pushed back to July 1, at the request of the largest local telco in the state, Pacific Bell. The volume of written and called-in requests for free per-line ("complete") CNID blocking (which prevents numbers being sent on all calls *unless* an unblocking code is dialed) has completely overwhelmed all of the local telephone companies. The delay is to give the telcos time to catch up on processing of the requests.
Anecdotal evidence indeed suggests that a vast number of persons have requested complete blocking. Request lines are busy for long periods, attempts to call the "is my line really blocked" test numbers frequently result in "all circuits busy" intercepts for long periods, and the representatives themselves speak openly about being completely swamped with callers who want blocking.

Part of the reason for the outpouring of requests is undoubtedly the CPUC mandated advertisements and radio/television commercials, and multiple telco mailings, which have been widely disseminating the information that calls from unblocked lines, including those from unlisted/non-published numbers, will be passing number information. Presumably there are still many persons oblivious to these events, but the public awareness of the issues seems to be quite high for such a relatively technical matter.

Pacific Telephone continues to predict that about 8% of their subscribers will elect to subscribe to CNID delivery services within a few months of availability, rising to between 8% and 15% within a relatively brief period. Whether these predictions will hold true in the face of apparently very large selection of complete blocking remains to be seen. No figures on numbers or percentages of subscribers electing complete blocking have been made available yet.

A few reminders concerning CNID blocking for California subscribers. Whether or not you have chosen complete blocking, it is an *extremely* good idea to call the telco provided special test number (you should have received it in mailings by now) to verify your line(s) status. In a small sampling of lines I tested myself, I found about 15% to be set to the incorrect blocking mode, even though the correct mode had been ordered. If you find a line that is blocked or not blocked inappropriately, you should re-order the correct blocking as soon as possible.
Even though CNID doesn't officially start in California until July, it is quite probable that some numbers are already going out (particularly on interstate calls) due to switch misconfigurations.

Also, remember that on some calls your number will always be available, regardless of your blocking mode. These include 911 (naturally), calls to operators, and 800, 888, and 900 calls (these toll free and extra-charge calls use a different system for number identification, which is not subject to CNID blocking).

In the case of 800 and 888 "toll-free" calls the issues of calling number privacy are somewhat complex. Since these are essentially "collect" calls, the parties receiving them need some way to track usage and particularly abuse of their numbers. Recent laws place restrictions on the release of number information obtained from 800/888 calls, but this is certainly an area undergoing study and a subject for future discussion.

So CNID is arriving in California, though certainly in a form different than its original proponents might have anticipated, at least in terms of blocking choices availability. It should be interesting to see what transpires.

--Lauren--

------------------------------

Date: Sun, 26 May 1996 17:23:15 -0700 (PDT)
From: Phil Agre
Subject: highway tolls and privacy

The increasingly widespread use of automatic account-based systems for highway toll collection has led to equally widespread concerns for personal privacy. If individually identifiable toll records are stored in a database then perhaps they can be used for purposes beyond those originally intended. To my knowledge this has not yet happened in the United States. But it did happen a few years ago in France, and the story is worth telling.
The details are available in English on Lexis/Nexis from an Agence France Presse bulletin of 17 August 1993, which I summarize in part here:

Jacques Mellick, mayor of the northern French town of Bethune and former cabinet minister, provided an alibi in the trial of politician and businessman Bernard Tapie on charges of trying to bribe a football coach to throw a match. He claimed that he and Tapie had met at Tapie's offices in Paris between 2:30 and 3:30 PM on the date when the offense had supposedly taken place.

Doubts soon arose about Mellick's story. A photo claimed to have been taken 2:00 PM that day placed Mellick at a ceremony in Bethune. And, says the story, "the motorway toll booths between Paris and Bethune had no record of Mellick's car on the road that day". Mellick claimed that he had paid the toll himself because he had been traveling to Paris on private business.

The article does not explain who had checked the records or who had made the information about them public. The toll booths in question used "smart cards", though the article does not say just which technology was involved.

The point is, even though no record of Mellick's travels showed up in the toll-collection system, the *lack* of a record was printed in the newspapers as circumstantial evidence suggesting that Mellick had committed perjury. Fortunately in this case other, more clear-cut evidence existed. But plenty of people are having their reputations dragged through the mud in scandals and pseudo-scandals these days by "opposition research" organizations with trained researchers and access to all the databases they can find. In this context, the very existence of individually identifiable toll records is a clear invitation to trouble. And it's completely unnecessary as well, given that proven technology exists to collect highway tolls anonymously.
Phil Agre, UCSD

------------------------------

Date: 1 May 1996 18:17:10 -0500
From: "David Sobel"
Subject: Crypto Legislation

FOR RELEASE:                        CONTACT:
Thursday, May 2, 1996               David Sobel
8:00 a.m. EDT                       Dave Banisar
                                    (202) 544-9240

EPIC APPLAUDS PROPOSED CRYPTO LEGISLATION:
"NECESSARY STEP" FOR SECURE INTERNET

WASHINGTON, DC -- The Electronic Privacy Information Center (EPIC) today applauded the introduction of legislation designed to relax export controls on privacy-enhancing encryption technology. The "Promotion of Commerce On-Line in the Digital Era (Pro-CODE) Act," introduced by Sen. Conrad Burns (R-MT), would place export control authority in the Commerce Department, rather than the State Department and the National Security Agency (NSA) -- the agencies currently charged with that responsibility. The proposed bill would remove out-dated barriers to the development and dissemination of software and hardware with encryption capabilities.

According to EPIC Legal Counsel David Sobel, "This is a necessary step to ensure the development of a secure Global Information Infrastructure that promotes on-line commerce and preserves individual privacy. EPIC has long advocated adoption of encryption policies that emphasize the protection of personal data and encourage the widespread dissemination of privacy-enhancing technologies."

The proposed legislation comes in the midst of an ongoing debate concerning U.S. encryption policy and at a time when the need for secure electronic communications is becoming widely recognized. The explosive growth of the Internet underscores the need for policies that encourage the development and use of robust security technologies to protect sensitive personal and commercial information in the digital environment.

EPIC recently joined with other organizations to create the Internet Privacy Coalition (IPC).
The mission of the IPC is to promote privacy and security on the Internet through widespread public availability of strong encryption and the relaxation of export controls on cryptography. The IPC has launched the "Golden Key Campaign" to raise public awareness of these issues. Additional information is available at the IPC website:

   http://www.privacy.org/ipc/

EPIC is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. Additional information about EPIC is available at http://www.epic.org.

------------------------------

Date: Mon, 13 May 1996 23:52:50 -0700
From: akrause@Sunnyside.COM (Audrie Krause)
Subject: CDA Challenge: A Status Report

CPSR Members and Friends,

Craig Johnson, a CPSR member and telecommunications policy analyst in Washington, D.C., attended closing arguments last Friday in ACLU v. Reno, which challenges the constitutionality of the Communications Decency Act (CDA) provisions of the recently enacted Telecommunications Reform Act of 1996. CPSR is a plaintiff in the ACLU lawsuit, and Craig has served as CPSR's volunteer contact for this effort. With his publisher's permission, we are forwarding the report that Craig filed with the American Reporter after attending the closing arguments.

Audrie

=======================================================

'AS GOOD A BENCH AS WE CAN HOPE FOR'
by Craig A. Johnson
American Reporter Correspondent

PHILADELPHIA -- The buzz was loud and the message clear as a panel of judges in the ACLU v. Reno case heard closing arguments in Philadelphia and then adjourned to consider the first of two major constitutional challenges to the Communications Decency Act (CDA) that critics say threatens free speech on the world-wide Internet.

The second case, Shea v. Reno, is set for final arguments on June 3 in Federal court in Manhattan.
Both cases are being heard by three-judge panels and are likely to be consolidated if they reach the Supreme Court under an expedited review process outlined in the law. Both cases were filed immediately after President Clinton signed the huge telecommunications reform act, which contains the CDA, on February 8.

The ACLU case was the first to end. As government lawyers headed off into the foggy Philadelphia afternoon, the words of Judge Stewart Dalzell in Federal court here Friday still rang in the minds of courtroom observers: In order to preserve the Internet "as the most democratic medium that the human mind has come up with yet, a chilling effect is something we have to consider" as the panel rules on the CDA.

"How can we, as a matter of judicial responsibility, sustain against a chill," Judge Dolores K. Sloviter, chief judge of the Fourth Circuit Court of Appeals asked government counsel, in the absence of technology which "would not block appropriate [First Amendment protected] material for adults?

"Why doesn't the government concede that a preliminary injunction would be appropriate," she queried, her exasperation evident.

The central question of how to "find out whether one is an adult" was left unanswered throughout the whole case, Sloviter asserted. She charged that the government was asking the panel "to sustain the statute based on the defenses," which are not validated by current technical realities.

"Until it exists," Judge Sloviter exclaimed, "it isn't working. Until it works, we don't know how it will work."

Judge Dalzell agreed, stating, "The evidence is quite clear that . . . that there is no technical way to screen for age based on available technology" which non-commercial providers can avail themselves of.

These were the most compelling signs yet that the panel may be leaning favorably toward the plaintiffs' request for an injunction.

"This is as good a bench as we can hope for in this situation," ACLU lead attorney Christopher Hansen told reporters after adjournment.

The day's arguments covered the entire waterfront of issues from the facial challenges to the constitutionality of the Communications Decency Act (CDA) to an animated debate on "defenses" and "safe harbors" to the disclosure of the recent FBI's "review" of Compuserve at the behest of the right-wing American Family Association (AFA).

Hansen and American Library Association/Citizens' Internet Empowerment Coalition (ALA/CIEC) counsel Bruce J. Ennis hammered home point after point until finally, it seemed, the government's entire house of cards had collapsed onto its lap.

The plaintiffs' attorneys effectively eradicated whatever defenses existed with respect to both the "indecency" standard's ability to pass Constitutional muster on its face, as well as the Act's attempt to tack a broadcast standard originally mandated by the Federal Communications Commission (FCC) onto the Internet.

Hansen forcefully got across the facial argument that the statute is an "attempt to prevent adults from having information that they are constitutionally entitled to."

"All speech," he declared, "would be brought down to a level acceptable to minors." Hansen stressed again and again that the act would "prohibit speech that has serious value," notwithstanding the government's contentions to the contrary.

In his closing remarks, Hansen inveighed further against the criminalization of speech that would result from the law. "Libraries and institutions of higher learning" would be thrown into a witch-hunt atmosphere, he charged.

Speaking to reporters after adjournment, Hansen amplified on this, saying that the CDA was being used by right-wing groups such as Enough is Enough to "go after libraries and colleges, which are not what we normally think of as great smut-peddlers."
Religious Right activists recently tried to ban books online at the University of California - Riverside, a campus located in one of the most conservative regions of the state.

Hansen also decried the government's argument that, with technological development, "it is possible to label speech as decent or indecent." The "notion that Government would impose on all of us, before we speak" a criteria as to whether our speech was decent or indecent, he declared, raises a "serious Constitutional problem," he said.

ALA/CIEC counsel Ennis argued in closing that "there is nothing in the pipeline" that will technically work to identify adults in online newsgroups, chat rooms, and listservs or mail exploders.

Second, he said, the government admitted that tagging is not effective, and even if it were, it still would not constitute a "safe harbor." Furthermore, "it would violate the doctrine against compelled speech," which states that "attaching a pejorative label to one's own speech" is something that someone "should never be required to do."

There is no reason to assume that Congress had any intent to require self-labelling, he maintained. In fact, Congress specifically rejected self-labelling with respect to broadcast speakers.

The Internet, Hansen urged throughout yesterday's argument, was a specific medium, which could not tolerate having rules applied to it which were crafted in the past for other media. Rather, it is a "democratizing, many-to-many" medium. One of its real effects, he said is that it "is making us all speakers and listeners."

The panel of judges seemed to concur that the CDA was based on broadcast laws. Judge Dalzell stated that Congress had "reached into" past judicial decisions applying to broadcast media and "begat the Communications Decency Act."
But, if access to "indecent" content is found not to be "pervasive," which is the primary characteristic of broadcast media, then how could they sustain this statute in light of the unique characteristics of the Internet, Judge Dalzell queried?

This is particularly relevant for chat rooms, news groups, and list servers or mail exploders. Plaintiffs' counsel Ennis argued that "tagging and registering cannot possibly protect minors" in these fora unless there is ample parental supervision and control. If that is present, Ennis said, then we "don't need the law."

Judge Sloviter took the questioning one step further, declaring that to require governmental actions which may militate against the wishes of parents was "a serious Constitutional question." She asked: "What is the Government's interest in shielding 15-year olds from material that they want to see and the parents don't care" whether they see?

Sloviter went on to grill Government counsel on the intent of Congress to "help the parents." How, she asked, could this be done if the Court "found that the evidence does not support the proposition that there is a significant probability of inadvertently chancing . . ." upon the material without "a lot of clicks or a warning?"

"What would remain of the government's compelling interest," she asked.

The questions largely went unanswered by government lawyers, though US Atty. Jason R. Baron said that "Congress could draw a bright line" which would in fact criminalize some speech with redeeming value. The Government, he said, may prevent a 14-year old's right to read Henry Miller's Tropic of Cancer online. Similarly, excerpts from a Broadway play on AIDS may fall within the statute's boundaries.

This did not sit well with the judges as they repeatedly emphasized that the Congressional Conference Committee statement that material "with no intent to offend" should not be swept under the law.

At one point, in a direct parallel with the questions at issue in Shea v.
Reno, Judge Dalzell, observing that recent issues of the Philadelphia Inquirer and the New York Times had pictures and articles that many people would find "patently offensive," asked government counsel if he would advocate a "newspaper decency act."

Dalzell explained to a befuddled counsel that Congress clearly did not have the power to write a "newspaper decency act." "What is it about the Internet media that makes it a completely different ball game," he asked. No persuasive answer was uttered by government counsel.

The judges returned several times to the government's contention that effective technology for screening, tagging, and blocking would soon be available. Sloviter was unconvinced. "After five days of testimony," she said, "all we got was hypotheticals."

The tagging scheme introduced by one of the government's witnesses, Sloviter suggested, "was the product of [his] creative imagination," and "thought up . . . after the government hired him as a witness."

In the end the decisive issues were raised in sharp relief by all three judges. If the intent of Congress was to help parents prevent their children from viewing objectionable content, and the technology that is available cannot do that, what good is a CDA?

If available technology cannot find a solution for authenticating adults and children, then doesn't the rationale for the CDA collapse?

And, if the CDA, with its labelling scheme of "indecency" is overbroad and covers speech which has value, then isn't it unconstitutional on its face?

Despite all the roundabout arguments and twists and turns, the government never effectively answered any of these threshold questions.

# # #

Copyright 1996 Craig A. Johnson * All Rights Reserved

--
Audrie Krause, CPSR Executive Director
PO Box 717 * Palo Alto, CA * 94302
Phone: (415) 322-3778 * Fax: (415) 322-4748
E-mail: akrause@cpsr.org
Web Page: http://www.cpsr.org/home.html

------------------------------

Date: 29 May 1996 14:57:50 -0500
From: "Marc Rotenberg"
Subject: Children's Privacy Bill Introduced, Recent Problems in Direct Marketing Industry, New Medical Privacy Bill Introduced [From EPIC Alert]

[ From EPIC Alert 3.11; May 29, 1996 ]

=======================================================================
[1] Children's Privacy Bill Introduced
=======================================================================

On May 22, 1996, Representative Bob Franks (R-NJ) and Senator Dianne Feinstein (D-CA) introduced the Children's Privacy Protection and Parental Empowerment Act (HR 3508, S. not yet available). The bill establishes fair information practices for personal information about kids and is intended to curb recent abuses by the direct marketing industry.

At a Capitol Hill press conference, Representative Franks said "commercial list companies are using that information to develop an elaborate data base on virtually every child in America. They're gathering children's complete names, ages, addresses and phone numbers -- and often even their personal likes and dislikes."

As with other privacy laws in the United States, the CPPPEA focuses on a particular industry sector, in this case list brokers who collect and sell personal information on children.
The Children's Privacy Protection and Parental Empowerment Act would:

   -- Prohibit the sale or purchase of personal information about children without parental consent;

   -- Require list brokers and solicitors to disclose to parents, upon request, the source and content of personal information on file about their children;

   -- Require list brokers to disclose to parents, upon request, the names of persons or entities to whom they have distributed personal information on that parent's child;

   -- Prohibit prisoners and convicted sex criminals from processing the personal information of children;

   -- Prohibit any exchange of children's personal information that one has a reason to believe will be used to harm or abuse a child;

   -- Preserve all common law privileges, and statutory and Constitutional privacy rights; and

   -- Establish civil remedies and criminal penalties for violations of the Act.

More information about the CPPPEA is available at:

   http://www.epic.org/privacy/kids/

=======================================================================
[2] Recent Problems in Direct Marketing Industry
=======================================================================

The Children's Privacy bill grows out of reports on recent abuses in the marketing industry. In one case, a news reporter for KCBS-TV in Los Angeles ordered a list of the names, addresses and phone numbers of 5,000 Los Angeles children from the nation's largest distributor of lists, Metromail. It placed the order in the name of Richard Allen Davis, the man currently on trial for kidnapping 12-year-old Polly Klaas from her Sausalito home and murdering her. After providing a fake name, mailing address and a disconnected phone number, the list arrived the next day. The cost -- just $277, cash on delivery.

In another case, the direct marketing firm Metromail faces a class action suit in Texas where the company used prison inmates to process personal data gathered from consumers.
Beverly Dennis, a 47-year-old Ohio woman, received threatening and highly offensive telephone calls from a convicted sex offender. (Dennis v. Metromail Corporation, Texas District Court, No. 96-04451, April 18, 1996).

A report from the Center for Media Education also found that one data-gathering company adds 67,000 children's names each week. Other firms sell segmented lists on grade school children and pre-school children.

Opinion polls also reveal strong public opposition to the unregulated sale of personal data:

   -- A 1991 Time/CNN poll found that 93% of American consumers believe "companies that sell information to others should be required by law to ask permission from individuals before making the information available;"

   -- In the same poll, 90% said that "companies that collect and sell personal information should be prohibited by law from selling information about household income," and 68% said that companies "should be prohibited by law from selling information about product purchases."

It is not hard to guess what the poll numbers would say about the sale of data on children.

In a related matter, Ram Avrahami's case is scheduled to be heard by a Virginia judge on June 6. For more information on the case, see:

   http://www.epic.org/privacy/junk_mail/

=======================================================================
[3] New Medical Privacy Bill Introduced
=======================================================================

On May 16, 1996, Rep. Jim McDermott (D-WA) introduced the "Medical Privacy in the Age of New Technology Act of 1996." The bill is designed to "ensure strong protections for the confidentiality of patient health care information and take into account the threats to privacy created by emerging technologies and the computerization of medical records."

The new bill covers all types of medical information including genetic information.
It requires informed consent before a patient's personal information can be transferred to any other party, except in very limited circumstances. Patients would be allowed to examine and correct their records. Guidelines are set to ensure the security of records. Unlike previously introduced legislation, S. 1360, under the new bill states are not prevented from enacting stronger laws.

The bill was introduced after the House of Representatives approved a bill providing for "administrative simplification" of medical records (See EPIC Alert 3.08, "House Passes Health Care Bill") and the Senate debated S. 1360, introduced by Senator Bennett. The new bill provides for a much higher level of privacy protection than either of those two measures.

The bill has been embraced by consumer groups such as the Coalition for Patient Rights, which describes it as the strongest medical privacy bill introduced to date. It was referred to the Commerce Committee for review.

More information on the McDermott bill and medical privacy is available at:

   http://www.epic.org/privacy/medical/

------------------------------

End of PRIVACY Forum Digest 05.11
************************