Welcome to the Global Internet Liberty Campaign
Newsletter
Welcome to GILC Alert, the newsletter of the Global
Internet Liberty Campaign. We are an international
organization of groups working for cyber-liberties, who
are determined to preserve civil liberties and human
rights on the Internet.
We hope you find this newsletter interesting, and we
very much hope that you will avail yourselves of the
action items in future issues.
If you are a part of an organization that would be
interested in joining GILC, please contact us at
gilc@gilc.org.
If you are aware of threats to cyber liberties that we
may not know about, please contact the GILC members in
your country, or contact GILC as a whole.
Please feel free to redistribute this newsletter to
appropriate forums.
Free expression
[1] China installs "Internet Police"
censorware
[2] Russian Ebook programmer released on bail
[3] Court forces new round in DVD weblinks
case
[4] Singapore restricts political sites
[5] Thailand initiative may stifle Net speech
[6] German official seeks US Net censor help
[7] New California anonymous Net speech
battle
[8] Website exposes Afghan gov't abuses
[9] New efforts underway to bridge digital
divide
Privacy
[10] South African bill sparks privacy
fears
[11] Disappointment over Australian cybercrime
report
[12] US gov't avoids disclosure on keystroke
taps
[13] US Congress orders report on Carnivore
spyware
[14] Privacy fears over Aussie universal bank
site
[15] Geolocation software threatens Net
privacy
[16] Weak P3P privacy promoted in Windows XP
[17] Report: webbug tracking is increasing
[18] New toilet emails medical info
[1] China installs "Internet Police"
censorware
Beijing is implementing new technology and other
restrictions to shut out online dissent.
According to the official Xinhua news agency,
"Internet Police" software has already been installed on
computers in the northwestern city of Xi'an. The device
deters users from accessing websites with controversial
content in a variety of ways. Among other things, it
issues warnings to individuals if they attempt to visit
such webpages, then denies access if users keep on
trying. In addition, the program captures screen shots
and sends them to a central facility, making it easier for
government censors to detect and track critics along the
Information Superhighway.
Additionally, Chinese officials have imposed further regulations on
news coverage in the Land of the Dragon. As announced on state television,
it is illegal to publish materials that negate "the guiding role of
Marxism, Leninism, Mao Zedong and Deng Xiaoping's theories, [g]oes
against the guiding principles, official line or policies of the Communist
Party," or "violates party propaganda discipline." Also banned is "content
that guides people in the wrong direction, is vulgar or low." Chinese
commissars are set to create a special division for approval or censorship
under these new regimes. On top of all this, Mainland China's Supreme
People's Court has laid down rules that will hold Internet users liable
for "malicious" use of domain names.
Meanwhile, Communist agents held a secret trial for
Huang Qi, the proprietor of the "Tianwang Missing Persons
Website" who was arrested on charges of "instigation to
subvert state power." Huang had republished articles
written by other people about the 1989 Tiananmen
massacre, the Falun Gong spiritual movement and other
topics deemed taboo by the government. A trial had been
postponed after Huang collapsed during public
proceedings, allegedly because he had been beaten in
jail. There is also speculation that government officials
delayed the trial in order to help Beijing's bid for the
2008 Summer Olympics. Details as to the outcome of the
secret sessions have yet to surface.
Read "China puts Webmaster on trial," Associated
Press, Aug. 20, 2001 at http://www.salon.com/tech/wire/2001/08/20/china/index.html
See Steven Bonisteel, "Trial Resumes For Jailed
Chinese Webmaster Huang Qi," Newsbytes, Aug. 17, 2001 at
http://www.newsbytes.com/news/01/169130.html
See also "Chinese webmaster tried for subversion," BBC
News Online, Aug. 17, 2001 at http://news.bbc.co.uk/hi/english/world/asia-pacific/newsid_1496000/1496107.stm
For more about Chinese blocking and tracking systems,
read "Online Police Appear in Internet Bars in Xi'an,"
Xinhua News Agency, Aug. 7, 2001 at http://www.cnd.org/Global/01/08/07/010807-9.html
For further details on new Chinese press restrictions,
see "You Don't Say: China forbids publication of seven
types of content," China Online, Aug. 13, 2001 at
http://www.chinaonline.com/topstories/010813/1/c01080805.asp
Read "'Malicious cyber-squatters to face civil
punishments," China Online, July 25, 2001 at http://www.chinaonline.com/issues/internet_policy/newsarchive/secure/2001/july/c01072310.asp
[2] Russian Ebook programmer released on
bail
A Russian computer scientist who gave a presentation
on Ebook encryption codes is still facing serious
criminal charges.
The programmer, Dmitry Sklyarov, had developed a
program that circumvents the copy protection scheme
contained on Adobe Systems electronic books. He created
the program as part of an effort to allow Ebook readers
to view such products on whatever computers they like.
After writing a paper on the subject and presenting it to
the public at a Las Vegas computer convention, United
States government agents arrested him on charges of
violating the controversial Digital Millennium Copyright
Act (DMCA), which restricts the right of computer users
to circumvent any program that "effectively controls
access" to copyrighted works. In early August, Sklyarov
was finally released on US $50 000 bail, but was ordered
to remain in Northern California. His next court
appearance has been postponed until Aug. 30, 2001, when
he will find out whether Federal officials will continue
to prosecute him. If convicted, he could get 5 years in
prison and a US $500 000 fine.
Both the case and the DMCA have drawn strong protests
from Internet users around the world who fear that these
legal developments will threaten free expression,
particularly in the scientific community. Earlier this
year, the Recording Industry Association of America had
written a letter to a Princeton University professor,
Edward Felten, suggesting that he might face a
DMCA-styled lawsuit if he presented a research paper on
decrypting a certain digital watermark copy protection
scheme. Felten, who is represented by the Electronic
Frontier Foundation (EFF-a GILC member), sued the RIAA and
eventually gave his presentation on Aug. 15, 2001; the
case is still ongoing. A similar battle has arisen in the
Netherlands, where a computer scientist, Niels Ferguson,
held off publishing his research results on an Intel copy
protection system "for fear of prosecution and/or
liability under the U.S. DMCA law" on one of his many
visits to the United States.
These moves have also generated interest in various US
proposals, such as the Music Online Competition Act
(MOCA), which would ease intellectual property-based
restrictions along the Information Superhighway.
Ironically, while Sklyarov continues to encounter legal
hurdles in the United States, he faces no such problems
under the laws of his home country. Dmitry Chepchugov,
who directs the Russian Interior Ministry's technology
division, said that "[i]f this case was being
reviewed in Russia, we would have nothing against Dmitry
Sklyarov."
For press coverage of the Sklyarov case, visit a
special EFF archive under http://www.eff.org/IP/DMCA/US_v_Sklyarov/media.html
For further background materials about the Sklyarov
case, click http://www.eff.org/IP/DMCA/US_v_Sklyarov/
For more on the Felten and Ferguson cases, read Mike
Musgrove, "Digital-Music Code Crackers Tell All,"
Washington Post, Aug. 16, 2001, page E3 at
http://www.washingtonpost.com/wp-dyn/articles/A17617-2001Aug15.html
See also Lisa M. Bowman, "Professor unveils
anti-copying flaws," ZDNet News, Aug. 16, 2001 at
http://www.zdnet.com/zdnn/stories/news/0,4586,5095789,00.html
For more on the Russian government's refusal to
prosecute Sklyarov, see "Adobe Hacker off Hook in
Russia," Associated Press, Aug. 9, 2001 at http://www.wired.com/news/print/0,1294,45966,00.html
For further information on what happened at the
Sklyarov bail hearing, read Carrie Kirby, "Accused in
copyright case out on bail," San Francisco Chronicle,
Aug. 7, 2001, page E2 at
http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2001/08/07/BU139975.DTL&type=printable
For more on British protests against the prosecution
of Sklyarov, read Wendy McAuliffe, "London protesters
slam US copyright laws," ZDNet UK, Aug. 3, 2001 at
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2801413,00.html
The text of MOCA is posted under http://www.digmedia.org/whatsnew/moca.pdf
For more reaction to MOCA, read "Online music bill 'meets disapproval',"
BBC News, Aug. 6, 2001 at http://news.bbc.co.uk/hi/English/entertainment/new_media/newsid_1475000/1475799.stm
[3] Court forces new round in DVD weblinks
case
A college student and budding computer scientist has
suffered a serious court setback in a high profile
copyright case.
The case centers around DeCSS, a primitive computer
program that unscrambles the copy protection scheme used
in DVDs. It was created to help users of the Linux
operating system play DVDs on their computers. Over the
past year and a half, the entertainment industry, through
the DVD Content Control Association (DVD CCA) and the
Motion Picture Association of America (MPAA), has waged
legal battles in both New York and California to prevent
Internet users from linking to websites that have DeCSS.
Many experts fear that these actions may stifle free
expression in cyberspace.
One of the defendants, Matthew Pavlovich, had posted
DeCSS on a DVD player development mailing list that he
operated. After the initial lawsuit was filed, a court
ruled that Pavlovich can be forced to answer charges in
California, largely because "California is commonly known
as the center of the motion picture industry" and that he
somehow should have known that posting DeCSS was
"injuriously affecting the motion picture and computer
industries in California." The ruling came despite the fact
that Pavlovich, whose defense is being coordinated by the
Electronic Frontier Foundation (EFF-a GILC member),
performed all of these actions thousands of miles away
and has never lived in California. An appeal is expected
shortly.
An EFF press release on the ruling is available at
http://www.eff.org/IP/Video/DVDCCA_case/20010808_eff_pavlovich_pr.html
The text of the ruling is posted under http://www.eff.org/Cases/DVDCCA_case/20010807_pavlovich_appelate_ruling.html
[4] Singapore restricts political sites
The government of Singapore has issued a series of
tough restrictions concerning online political activity,
even as the country gears up for national elections.
While the full details of this plan have still to be
released, it would apparently ban political content on
the World Wide Web except on the official sites of
various political parties. In addition, those official
sites would have to comply with certain regimes,
including moderators for chat areas. The bill would not
allow anonymous campaign paraphernalia, but would require
the printer, publisher and advertiser to be specifically
identified, for possible future government prosecution.
Moreover, the state Singapore Broadcast Authority is
already requiring registration of all political
websites.
Opposition leaders scoffed at the new regulations,
arguing that they constituted yet another attempt by the
ruling People's Action Party to silence dissent. Indeed,
the Singaporean government had already banned such things
as singing during political rallies and political
advertisements in video or film form. Chee Soon Juan of
the Singapore Democratic Party said that the proposed
standards were just "another way the government is trying
to crack down on the use of the internet. They know it is
one way the opposition can use it and be on level playing
field with the ruling party."
Unfortunately, the new strictures have already led one
organization to shut down its web activities. The SBA had
ordered Sintercom (a GILC member) to register with
government agents and to refrain from discussing various
prohibited "themes" including "material that is
objectionable on the grounds of public interest, public
morality, public order, public security, national
harmony" or speech that "offends against good taste or
decency." In spite of protests, SBA insisted that
Sintercom "exercise judgement and ensure that the
contents on their websites comply with the SBA Internet
Code of Practice." Sintercom has since closed down,
although the precise reasons for this move are not
clear.
For the latest details, see "Singapore net law dismays opposition,"
BBC News, Aug. 14, 2001 at http://news.bbc.co.uk/hi/English/world/Asia-pacific/newsid_1490000/1490425.stm
Read John Aglionby, "Singapore plans purge of net
politics," The Guardian, July 27, 2001 at http://www.guardianunlimited.co.uk/internetnews/story/0,7369,528129,00.html
Further background information is available from DFN
under http://dfn.org/focus/singapore/web-laws.htm
For additional details on the Sintercom shutdown,
click http://www.sintercom.org/sba/index.html
[5] Thailand initiative may stifle Net
speech
Thai officials are implementing a new tracking and
blocking system to prevent people from seeing various
types of Internet content.
Under this plan, Internet service providers will have
to block user access to given websites. ISPs will also
have to log information about their users' activities and
retain these records for a minimum of 3 months. Clauses
will be introduced into customer contracts so that
computer users can be held responsible for viewing or
accessing controversial online materials. The scheme
even goes so far as to mandate service providers to
standardize their system clocks, so as to ensure accurate
user tracking records.
It is unclear what effect these efforts will have on
Internet speech, particularly since Thai authorities
apparently have not disclosed any specific criteria as to
what content will be censored. Despite these concerns,
however, many telecommunications companies reportedly
have agreed to this plan.
See Karnjana Karnjanatawe, "Thailand Moves To Crack
Down On Web Content," Bangkok Post, July 26, 2001 at
http://www.newsbytes.com/news/01/168353.html
[6] German official seeks US Net censor
help
A senior German government official wants his American
counterparts to shut down websites in the United
States.
German Interior Minister Otto Schily is pushing
these measures as a way to silence various forms of
so-called hate speech. Such materials are illegal under
German law, but are often available via sites in the
United States, where there are tougher protections for
freedom of expression. Schily said that he will travel to
the US in the fall of 2001 to meet with "responsible
officials" to help carry out this plan. He also mentioned
that these meetings will feature discussions on how to
use civil lawsuits as a weapon against US web
creators.
Some observers are worried about this apparent attempt
to impose German speech restrictions on citizens in
another country. Indeed, Schily previously had pushed for
several other bizarre methods to curb controversial
content, including letting government agents disrupt
private websites via spam and denial of service attacks.
Andy Muller-Maguhn from the Chaos Computer Club (CCC-a
GILC member) accused Schily of "trying to shoot the
messenger," adding that "Mr. Schily seems to want a very
strong government, and not let the people make their own
opinions on what makes reality." Similar concerns were
aired by opposition party official Hans-Joachim Otto, who
doesn't "expect any spectacular agreement in a
German-American meeting with Mr. Schily. He should not
have the illusion that he can bring his own German
standards as a general standard between the United States
and Germany. It's not possible and it's not even
desirable."
Read Ned Stafford, "German Official To Visit US In Effort To Shut Down
Hate Sites," Newsbytes, Aug. 22, 2001 at http://www.newsbytes.com/news/01/169280.html
See also Steve Kettman, "Germany's Anti-Hate Push
Angers," Wired News, Aug. 8, 2001 at http://www.wired.com/news/print/0,1294,45907,00.html
[7] New California anonymous Net speech
victory
A California court has upheld the right of Internet
users to speak without having to divulge their identities
first.
One of these rulings rejected an attempt by Pre-Paid
Legal Services Inc. to discover the real names of 8 Yahoo
chatroom users. They had posted several comments that
took the company to task, particularly in its treatment
of employees. The firm then sued, claiming that it wanted
to find out whether the online speakers had divulged any
trade secrets. However, the defendants, who were
represented by the Electronic Frontier Foundation (EFF-a
GILC member), feared possible reprisals if their
identities were revealed.
The judge reaffirmed the principle that Internet users have the right
to anonymous free expression under the United States Constitution. She
went on to hold that this speech interest was strong enough to override
Pre-Paid Legal's desire to find personal information about the defendants.
EFF Senior Staff Counsel Lee Tien welcomed this decision, hoping it
would "signal to other companies that judges will not permit corporate
executives to abuse the courts in ferreting out critics."
An EFF press release on this subject is available at
http://www.eff.org/sc/ppls/20010813_eff_ppls_pr.html
See David McGuire, "Judge Rejects Attempt To Unmask
Online Speakers," Newsbytes, Aug. 13, 2001 at http://www.newsbytes.com/news/01/168972.html
See Lisa M. Bowman, "Court: Posters' IDs can stay
under wraps," ZDNet News, Aug. 13, 2001 at http://www.zdnet.com/filters/printerfriendly/0,6061,5095619-2,00.html
[8] Website exposes Afghan gov't abuses
A women's website is helping expose the excesses of
Afghanistan's rulers. But government censors may prevent
anyone in the country from seeing it.
The Revolutionary Association of the Women of
Afghanistan (RAWA) has created a site that chronicles
human rights violations, many of which have been
perpetrated by the ruling Taliban elite. These materials
include a large gallery of photographs that depict such
grim events as summary executions of women, children
being forced to live in squalor, starving peasants, and
even forced amputations as criminal punishment. Besides
these images, the site stores news updates and accounts
of life in the troubled nation. The individuals who help
put together these webpages remain anonymous in order to
head off possible harassment; indeed, RAWA's founder was
murdered several years ago by Afghan government
agents.
Unfortunately, various forces have apparently made it
difficult for much of the website's potential audience to
view these materials. The Taliban government recently
made it illegal for anyone in the country to use the
Information Superhighway. Moreover, severe problems with
the nation's infrastructure have prevented many Afghans
from going online in the first place. In spite of these
difficulties, the website continues to draw more public
attention to the plight of women in the beleaguered
Central Asian country.
The RAWA homepage can be reached via http://www.rawa.org/
Read Julia Scheeres, "Risking All to Expose the
Taliban," Aug. 10, 2001 at http://www.wired.com/news/print/0,1294,45974,00.html
[9] New efforts underway to bridge digital
divide
Several initiatives have been launched recently to
allow more people to enter the Information
Superhighway.
Some of these projects have been developed by the
Association of Southeast Asian Nations (ASEAN), including
an e-ASEAN framework and Asian IT Belt Initiative, to
enhance information technology resources in the region.
ASEAN ministers have announced that they are "determined
to use ICT [Information Communications
Technology] as a tool for narrowing the development
gap and closing the digital divide within and among
member countries as well as between ASEAN and the rest of
the world." In addition, the governments of India and
Brazil are offering email accounts to remotely located
citizens in their respective countries, which can be
accessed by logging on at local post offices.
Meanwhile, various private institutions have also
started programs to bridge the digital divide. In Uganda,
for example, a new non-profit Internet service provider
named The Source has been created to help users go
online. Despite having to work with second hand equipment
and deal with relatively high licensing fees, the
organization was able to open an Internet café in
the capital that offers personal email accounts and web
access at low cost. The Source's founders now hope that
others will use their project "as a springboard for ideas
to begin similar projects that can serve communities"
throughout Africa.
In addition, the Center for Democracy and Technology (CDT-a GILC member)
and the nonprofit Internews have launched the Global Internet Policy
Initiative, which is intended to promote reforms in developing countries
that will support an open and more affordable Internet, and thereby
help bridge the digital divide. GIPI has full-time policy coordinators
in 11 countries, including Russia, Indonesia and Nigeria, working with
local stakeholders in consultative, coalition-based efforts to promote
the principles of a decentralized, accessible, user-controlled, and
market-driven Internet. Recently, GIPI signed a cooperative agreement
with the United Nations Development Programme, and is planning to expand
further in Asia, Africa, and Latin America.
For further details about Uganda's The Source ISP,
click http://home.att.net/~africantech/Internet/Uganda-ISP.htm
For more on the Indian universal email program, see Ram Dutt Tripathi,
"India sets up e-post office," BBC News Online, Aug. 13, 2001 at http://news.bbc.co.uk/hi/English/world/south_asia/newsid_1489000/1489470.stm
See David Legard, "ASEAN in push to reduce digital
divide," IDG News, July 24, 2001 at http://idg.net/ic_656219_1794_9-10000.html
Read Paulo Rebelo, "Casting a Wider Net in Brazil,"
July 30, 2001 at http://www.wired.com/news/print/0,1294,45526,00.html
The GIPI homepage is located at http://www.gipiproject.org/
[10] South African bill sparks privacy
fears
A proposal to revise government surveillance laws in
South Africa is drawing fierce criticism over its
potential privacy ramifications.
Among other things, the Interception and Monitoring Bill 2001 allows
the government to monitor all telecommunications systems, including
mobile phones, Internet and e-mail. One provision states that "no service
provider may provide any telecommunication service which does not have
the capacity to be monitored." Towards this end, the proposal empowers
the Minister of Communications to issue directives and thereby force
telecommunications companies to comply with government surveillance
specifications (including connections to "central monitoring centres").
Furthermore, the bill's broad exceptions would allow law enforcement
officials and members of the South African Defense Forces in many cases
to avoid the need for judicial approval before intercepting certain
types of data (such as "call related information").
Many experts are worried that the proposal will allow
massive government intrusions into cyberspace. In formal
comments submitted to the South African government,
Privacy International (a GILC member) charged that the
Bill "represents a step backwards ... and is inconsistent
with international standards on human rights and the
legal requirements of the South African Constitution."
The group pointed out that the provisions "for
authorizing surveillance" failed to "include meaningful
limitations to prevent abuses," and suggested that
"journalism, civic protest, trade union organizing and
political opposition" might be "subjected to unwarranted
surveillance because the individuals involved have
different interests and goals than those in power." The
organization also pointed out that the Bill's loose definition
of "call related information" may allow government agents
to track users (such as through mobile phones) without a
court order. Hearings on these and other concerns will
take place in a few weeks; a formal decision on whether
to adopt the measure may occur before the end of the
year.
The text of the bill is available at http://www.pmg.org.za/bills/Interception0107.htm
Privacy International's comments on the bill are
posted under http://www.privacyinternational.org/countries/south_africa/pi-sa-intercept-letter.html
Read Declan McCullagh, "So. Africa Weighs Police Spy
Law," Wired News, Aug. 17, 2001 at http://www.wired.com/news/print/0,1294,46124,00.html
See Philippa Garson, "Protests over SA 'snooping' bill," BBC News,
Aug. 13, 2001 at http://news.bbc.co.uk/hi/English/world/africa/newsid_1484000/1484698.stm
[11] Disappointment over Australian cybercrime
report
An Australian government report regarding a new
cybercrime proposal is drawing fire from privacy
advocates.
An Australian Senate committee issued the document to
address civil liberties concerns over the Cybercrime Bill
2001. That proposal, among other things, would greatly
expand the power of government agents to conduct
surveillance along computer networks. It also would
impose absolute criminal liability for many Internet
activities, including "unauthorized impairment of
electronic communication," with no exceptions for
individuals who access computers by mistake of fact.
People who are found liable under the plan could face 10
year jail sentences. Proponents claim that the Bill is
needed to conform with a proposed international
cybercrime Convention that is currently being considered
by the Council of Europe. The treaty may be signed by
European government ministers in mid-September, but has
already attracted heavy criticism from privacy experts as
well as telecommunications providers.
In the report, the Senate committee granted its assent
to the Bill, although it did suggest a few changes to
certain provisions. For example, it held that the
proposal should be amended "to provide for the
destruction of all personal information collected by law
enforcement agencies, which is not relevant to an
investigation, after a period of 3 months but subject
to this time frame being extended on the authorisation of a
senior officer." However, some of these changes actually
benefitted government investigators; for example, the
panel recommended that law enforcement officials be
allowed to retain seized computer equipment for longer
periods of time (5 days, rather than 72 hours).
Many observers feel that the report did not go far
enough in protecting privacy rights online. Greg Taylor
from Electronic Frontiers Australia (EFA-a GILC member)
charged that the "Committee made some fairly superficial
changes to the wording of the Bill but nothing
substantial. We're disappointed with the Report overall."
Taylor pointed out that portions of the revised plan would
still grant government agents greater access to private
encryption keys, under threat of criminal penalties: "If
you've lost that key, how do you prove you actually have
and you're not just using that explanation as an excuse?
We've asked that it be excised from the bill until it is
properly investigated. The way the Bill is currently
worded could criminalise innocent behaviour...behaviour
designed to protect computer systems."
The Senate Committee report is available (in PDF
format) under http://www.aph.gov.au/senate/committee/legcon_ctte/cybercrimebill01/cybercrime_bill01.pdf
For further background information, visit the EFA
website under http://www.efa.org.au/Campaigns/cybercrime.html
See Rachel Lebihan, "Australian cyberCrime Bill
'overpowers' inquiry," ZDNet Australia, Aug. 22, 2001 at
http://www.zdnet.com.au/printfriendly?AT=2000020826-20256107
[12] US gov't avoids disclosure on keystroke
taps
The United States government has invoked a little
known law to avoid having to provide more details on a
new computer interception technique.
The technique has become a key issue in the case of
Nicodemo Scarfo, an alleged mobster who was targeted by
the US Federal Bureau of Investigation (FBI) for
wiretapping purposes. FBI agents decided to go beyond
traditional surveillance methods and installed a device
on the keyboard of Scarfo's home computer that apparently
recorded every letter and character he typed. The exact
nature and capabilities of these taps are unclear; after
government prosecutors indicted Scarfo, they gave few
details regarding this technique to the presiding
judge.
This secrecy angered Federal judge Nicholas Politan,
who explained: "In this new age of rapidly evolving
technology, the Court cannot make a determination as to
the lawfulness of the Government's search in this matter
without knowing specifically how the search was
effectuated." The judge held that the "government has not
satisfactorily confirmed for the court that the keylogger
device did not operate in conjunction with the computer's
modems, or otherwise to cause the interception of a
communication," which would violate US wiretapping
statutes. Politan then commanded prosecutors to provide
"a report explaining fully how the key logger device
functions." However, government officials then moved for
reconsideration, claiming protection from disclosure
under the Classified Information Procedures Act. Politan
granted this last request and ruled that the government
need provide the defense with only an unclassified
summary of the keylogging method by September 14,
2001.
The Scarfo case is being watched very closely by
privacy advocates. David Sobel from the Electronic
Privacy Information Center (EPIC-a GILC member) noted
that keystroke logging systems presented new civil
liberties challenges: "Because of this technology there
are a lot of gray areas, but law enforcement is always
attempting to resolve them in favor of more aggressive
techniques."
See "FBI keeps its bugging secrets," BBC News Online, Aug. 24, 2001
at http://news.bbc.co.uk/hi/English/sci/tech/newsid_1508000/1508109.stm
Background materials on the Scarfo case (including
motions and court orders) are archived at the EPIC
website under http://www.epic.org/crypto/scarfo.html
[13] US politicians order Carnivore spyware
report
Several recent events may lead to greater disclosure
about a highly publicized Internet spy tool.
Carnivore was created by the United States Federal
Bureau of Investigation (FBI). It can be attached to the
server of a given Internet service provider and
intercept all Internet transmissions that come through
the server. Afterwards, it parses out pertinent material,
based on keywords provided by the administrator. The
latest version of the program, known as Enhanced
Carnivore or DCS 1000, uses the Windows 2000 operating
system and reportedly includes improvements such as
better filtering and triggering capabilities as well as
greater capacity (presumably to cope with high-speed
broadband networks).
Many Internet user groups have criticized both
Carnivore and its progeny over the past year as being
serious threats to online privacy. After the initial
revelations concerning Carnivore appeared, the Electronic
Privacy Information Center (EPIC-a GILC member) filed a
request for more details under the Freedom of Information
Act (FOIA). After a Federal judge ordered the United
States Department of Justice (DOJ) to formally respond to
EPIC's request, US government officials released a series
of documents on the subject which, however, contained a
number of omissions. For example, none of these papers
contained any analysis of whether the use of
Carnivore-type programs was legal; in any case, the
documents that actually had been released were heavily
redacted.
In spite of these omissions, the DOJ moved to end EPIC's
inquiry, saying that it had fulfilled its FOIA obligations. EPIC has
since filed papers challenging these assessments and arguing that, if
anything, the DOJ should be releasing still more information, due to its
apparent failure to disclose key documents regarding Carnivore's abilities
and legal implications. A ruling is expected within the next few weeks.
Meanwhile, various US politicians have taken an
interest in trying to determine the legality of
Carnivore. As a result, the US House of Representatives
has approved a measure (contained within an
appropriations bill) that would require greater
government disclosures regarding the controversial
interception tool. More specifically, the adopted
legislation would force the US Attorney General to
provide a report (at the end of Fiscal Years 2001 and
2002) with details on the scope of the Carnivore program,
how many times it has been approved for use during the
2002 Fiscal Year, who at DOJ reviews surveillance
requests, and the criteria used for approving such
requests. The measure will now go to the Senate for
further consideration.
More recently, there are indications that the use of Carnivore may
be expanded to intercept text messages transmitted through wireless
networks. Michael Altschul from the Cellular Telecommunications and
Internet Association warned in an Aug. 15, 2001 letter that "[i]f
the industry is not provided the guidance and time to develop solutions
for packet surveillance that intercept only the target's communications,
it seems probable that Carnivore, which intercepts all communications
in the pathway without the affirmative intervention of the carrier,
will be widely implemented." Altschul was referring to deadlines pursuant
to the Communications Assistance for Law Enforcement Act (CALEA), which
essentially requires telecom providers to make their networks wiretap-friendly.
EPIC's David Sobel commented that these technical difficulties could
open "the door to the collection of communications of people who aren't
even named in [court] orders."
Read Robert O'Harrow Jr., "FBI's 'Carnivore' Might
Target Wireless Text," Washington Post, Aug. 24, 2001,
page E1 at http://www.washingtonpost.com/wp-dyn/articles/A54155-2001Aug23.html
EPIC's latest filing in its Carnivore FOIA requests is posted under
http://www.epic.org/privacy/carnivore/discovery_motion.pdf
See Brian Krebs, "Group Asks Court To Get Info On FBI
E-Mail Snooping Tool," Newsbytes, Aug. 10, 2001 at
http://www.newsbytes.com/news/01/168926.html
A press release from Rep. Barr on the Carnivore
reporting amendment is posted under http://hillsource.house.gov/barr/newsdescr.asp?N=20010724085005
See Lisa M. Bowman, "House pulls Carnivore into the
light," ZDNet News, July 23, 2001 at http://www.zdnet.com/zdnn/stories/news/0,4586,5094558,00.html
See also "Congress Wants FBI Monitor," Associated
Press, July 24, 2001 at http://cbsnews.com/now/story/0,1597,303019-412,00.shtml
[14] Privacy fears over Aussie universal bank
sites
Australian websites that purport to be one-stop shops
for personal financial transactions are heightening
concerns about online privacy.
Several Australian companies, including Commonwealth
Bank, AMP, Macquarie Bank and others, have each created
new services that permit customer information to be
aggregated. The idea is for individuals to access
accounts from different institutions (including brokerage
houses and even airline frequent flier mile programs as
well as banks) from a single spot on the World Wide Web.
In addition to collecting all of this sensitive data in
one place, the scheme requires users to provide their
names and passwords to third parties upfront.
These systems have provoked concern from consumer
privacy groups, who fear that they will cause security
problems. Chris Connolly from the Australian Consumer
Policy Centre said that "We've spent more than a decade
telling people not to give anyone else their PINs, and now
the Commonwealth, ninemsn and AMP are saying it's okay.
It raises legal questions, as under the electronic funds
transfer code of conduct you're not supposed to give your
PIN to a third party." Similarly, Delia Rickard from the
Australian Securities and Investments Commission charged
that if "I were a consumer I wouldn't be giving my PIN to
an account aggregator without first checking with my
financial institution if they would consider that a
breach of the terms and conditions."
Indeed, it is unclear whether these practices would
violate Australia's upcoming privacy directive. These
rules, which are scheduled to take effect December 17,
2001, require companies to do several things, such as
provide public notices as to how personal
information is handled. Similarly, the centralized
banking website programs may not pass muster under the
Australian Internet Industry Association's
self-regulatory privacy guidelines, which are meant to
patch perceived weaknesses in the directive.
See Caitlin Fitzsimmons, "Pins 'at risk' in online banking," Australian
IT, Aug. 14, 2001 at http://australianit.news.com.au/common/storyPage/0,3811,2580393%5E442,00.html
Additional details on Australia's online privacy
directives are available in "Australian privacy confusion
escalates," ZDNet Australia, Aug. 17, 2001 at http://www.zdnet.com.au/printfriendly?AT=2000020814-20255322
For more on Australian privacy self-regulation, read
Selina Mitchell, "IIA code to bolster privacy,"
Australian IT, Aug. 14, 2001 at http://australianit.news.com.au/common/storyPage/0,3811,2581498%255E442,00.html
[15] Geolocation software threatens Net
privacy
New computer programs may be able to trace the
geographic location of Internet users. But is this
technological innovation such a good thing?
That's what privacy advocates are wondering as several
companies, including Quova, are pushing ahead with the
development of geolocation software. Quova's GeoPoint
technology consists of equipment software installed on a
gateway server through which users' computers must go to
access a given website. GeoPoint then collects visitors'
Internet Protocol numbers and locates them based on maps
of some 4 billion IP addresses. According to company
literature, this tracking can be done in real time and be
broken down by Latitude and Longitude as well as other
geographic categories (including Postal Code, Metro Area
and so forth). These products are being pitched for use
in a variety of purposes, including region-based Internet
content blockers and targeted mass-marketing
campaigns.
Some observers warn that the tracking capabilities of these products
may erode individual liberties both online and off. David Sobel from
the Electronic Privacy Information Center (EPIC, a GILC member) warned:
"Right now oppressive governments around the world are not able to keep
information away from their citizens as they had [before the Information
Superhighway]." As such, Sobel added, the uninhibited use of geolocation
software may lead to "a serious loss of one of the main benefits of
the Internet."
For more on Quova geolocation software, click
http://www.quova.com/service.htm
Read Matthew Leising, "New software pinpoints location
of web users," Financial Times, Aug. 1, 2001 at http://news.ft.com/ft/gx.cgi/ftc?pagename=View&c=Article&cid=FT3T4GY9VPC&live=true&useoverridetemplate=ZZZFKOXOA0C&tagid=ZZZC00L1B0C&subheading=information%20technology
[16] Weak P3P privacy promoted in Windows
XP
The newest version of the world's most commonly used
operating system is getting more negative reviews from
privacy advocates.
In a complaint filed in late July with the United
States Federal Trade Commission (FTC), a coalition of
groups, including GILC members the Electronic Privacy
Information Center (EPIC), Computer Professionals for
Social Responsibility (CPSR) and the Electronic Frontier
Foundation (EFF) charged that Microsoft's Windows XP will
seriously erode the privacy of computer users. The
complaint alleged that Microsoft's release of Windows XP
and related products such as Passport and Hailstorm will
shift control of sensitive information away from
respective users to the company and will allow the
company to exchange this personal data among a whole host
of business partners. In addition, the filed papers
suggested that Microsoft's statements regarding the
privacy implications of this scheme are misleading, and
drew attention to past flaws in Microsoft products that
have allowed "intruders unauthorized access to files,
most recently ... the 'CodeRed' virus." Thus, computer
users may be coerced into providing sensitive details
about themselves to the software giant and be left
without "meaningful or effective control over the use of
that information within Microsoft."
Afterwards, Microsoft made a few changes, including a
requirement for Passport affiliated merchants to utilize
Platform for Privacy Preferences software (P3P), which
was developed by the software giant and is due to be
included within the latest version of the Internet
Explorer browser. However, these minor alterations did
little to appease critics. Indeed, EPIC, CPSR, EFF and a
number of other organizations filed an amended complaint
with the FTC, charging that even with the changes,
individuals who wish to use many of XP's features
(including Passport) must still give out large amounts of
personal information. The document also charged that
broader use of P3P would not be enough to protect user
privacy, calling the system "a complicated and confusing
language ... that fails to provide any assurance of
compliance with baseline privacy standards, including the
FTC's own privacy standards." Furthermore, the groups
suggested that Microsoft's Kids Passport "collects
unnecessary personally identifiable information" from
children, in violation of the US Children's Online Privacy
Protection Act (COPPA).
These groups urged the FTC to launch a formal
investigation of these Microsoft activities and to order
the company to take several key steps to protect user
privacy. These steps include ordering Microsoft "to block
the sharing of personal information among Microsoft areas
... absent explicit consent," incorporation of techniques
to "allow users of Windows XP to gain access to Microsoft
web sites without disclosing their actual identity," and
providing better notice to users.
An analogous filing may soon come from the United
Kingdom, based on concerns that XP may not comply with
the US-European Union privacy safe harbor agreement. That
plan, among other things, requires US companies to
notify European users how their private data is being
handled and allows concerned individuals to limit access
to such information. Yet despite these difficulties,
other companies have plans to create their own
centralized personal information storage services. For
example, America Online is working on a similar Magic
Carpet program to store such tidbits as people's names,
addresses and credit card numbers.
The revised complaint over Windows XP privacy problems
(in PDF format) is posted under http://epic.org/privacy/consumer/MS_complaint2.pdf
For more on possible British privacy complaints
against Windows XP, see Brian Krebs, "U.K. Resident To
Name Microsoft in FTC Privacy Complaint," Newsbytes, Aug.
16, 2001 at http://www.newsbytes.com/news/01/169104.html
Read Jonathan Krim, "Microsoft's One-ID Plan Again
Draws Fire Over Privacy," Washington Post, Aug. 16, 2001,
page E1 at http://www.washingtonpost.com/wp-dyn/articles/A16617-2001Aug15.html
Read "Windows XP sparks privacy fears," Agence France
Presse, Aug. 16, 2001 at http://australianit.news.com.au/common/storyPage/0,3811,2605243%5E442,00.html
For more on America Online's Magic Carpet identity
harvesting service, read Alec Klein and Ariana Eunjung
Cha, "AOL May Launch Own Internet ID Service," July 26,
2001, page E1, at http://www.washingtonpost.com/wp-dyn/articles/A56191-2001Jul26.html
For further details on how flaws in Microsoft products
help computer bug attacks, see "Net Intruders," Christian
Science Monitor, Aug. 15, 2001 edition at http://www.csmonitor.com/2001/0815/p8s2-comv.html
[17] Report: webbug tracking is increasing
Despite signs that show customer unease with current
online privacy environments, many e-businesses are
continuing to track users through a variety of means,
especially webbugs.
For example, according to a new report by the Internet
consulting firm Cyveillance, the use of webbugs has gone
up more than five-fold over the past 3 years. Also known
as "pixel tags," webbugs are tiny image files embedded in
webpages. They are used to identify and track computer
users and are often more difficult to block than cookies.
According to Cyveillance officials, many tested sites
contradicted their own privacy policies by using webbug
tracking technology and passing along the collected
information to third parties. Indeed, webbug use has
become so prevalent that software (including Bugnosis)
has now been developed to allow users to detect and avoid
them.
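The kind of check a web bug detector can run, as an added example that is not part of the original newsletter and not Bugnosis's own code: it flags images declared no larger than 1x1 pixel that load from a host other than the page's. The heuristic, the function names and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; every host and path below is made up.
SAMPLE_PAGE_URL = "http://shop.example/checkout.html"
SAMPLE_HTML = """
<img src="/images/logo.gif" width="120" height="40">
<img src="http://tracker.example/b.gif?uid=8841" width="1" height="1">
<img src="http://ads.example/px.gif?id=77" style="width:1px; height:1px">
<img src="/images/spacer.gif" width="1" height="1">
<img src="http://cdn.example/banner.jpg" width="468" height="60">
"""

# Pixel sizes in inline CSS; the lookbehind skips max-width, line-height, etc.
_STYLE_DIM = re.compile(r"(?<![-\w])(width|height)\s*:\s*(\d+)\s*px", re.I)


def _dimensions(attrs):
    """Return (width, height) in pixels; a value is None when not declared."""
    dims = {}
    for name in ("width", "height"):
        value = (attrs.get(name) or "").strip()
        if value.isdigit():
            dims[name] = int(value)
    for name, value in _STYLE_DIM.findall(attrs.get("style") or ""):
        dims.setdefault(name.lower(), int(value))
    return dims.get("width"), dims.get("height")


class WebBugFinder(HTMLParser):
    """Collect <img> tags that are at most 1x1 and loaded from another host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag != "img" or not src:
            return
        width, height = _dimensions(dict(attrs))
        url = urljoin(self.page_url, src)  # resolve relative paths first
        host = urlparse(url).hostname
        tiny = width is not None and height is not None and max(width, height) <= 1
        if tiny and host and host != self.page_host:
            # A query string is where a visitor or page identifier usually rides.
            self.findings.append(
                {"host": host, "url": url, "has_query": bool(urlparse(url).query)})


def find_web_bugs(html, page_url):
    """Return one finding per suspected web bug in the given page source."""
    finder = WebBugFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings
```

The same-host 1x1 spacer image in the sample is not reported, since a layout spacer served by the site itself sends nothing to a third party.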
The report warns that as "public awareness levels
begin to rise, the fact that websites are collecting
information from visitors without permission is likely to
generate more controversy." This argument is supported by
other recent studies from the Australian government and
the financial analysis firm Ernst and Young. Australian
government researchers discovered that more than 90
percent of surveyed individuals wanted "businesses to
seek permission before using their personal information
for marketing." In addition, "[t]he importance of
good privacy practices to businesses that deal with
personal information was further reinforced with the
finding that 'respect for, and protection of, my personal
information' was, overall, the aspect of service that
mattered most to the largest proportion of consumers."
Similarly, the Ernst and Young paper found that such
things as online credit card fraud were among the most
prevalent fears of would-be e-shoppers, and that 80
percent of those surveyed said that they would be more
likely to visit a particular webpage if it used
encryption or digital certificates.
Read Alfred Hermida, "Web bugs spying on net users," BBC News, Aug.
16, 2001 at http://news.bbc.co.uk/hi/English/SCI/tech/newsid_1493000/1493152.stm
See also Stefanie Olsen, "Web bug swarm grows 500
percent," CNet News, Aug. 14, 2001 at http://news.cnet.com/news/0-1005-200-6873202.html
Bugnosis is available at http://www.bugnosis.org/
The Australian government report on privacy attitudes
is available via http://www.privacy.gov.au/research/index.html#1.1
For more about the Ernst and Young paper, read
Jennifer Foreshew, "Security key to net success,"
Australian IT, Aug. 14, 2001 at http://australianit.news.com.au/common/storyPage/0,3811,2579410%255E442,00.html
[18] New toilet emails medical info
The latest threat to Internet privacy may soon be
in your bathroom.
Several companies, including U.K.-based Twyford
Bathroom, have developed computerized toilets that
perform tests on human waste. In doing so, they can
determine whether users have certain health problems,
including pregnancy, low fiber diet, and various
diseases. These toilets can then send this medical
information over the Internet to a variety of recipients,
such as supermarkets (should there be any nutritional
deficiencies). As one bathroom expert quipped, "Why
shouldn't toilets be linked to the Internet?"
These devices have drawn considerable alarm from many
quarters as an apparent invasion of privacy. One leading
gastroenterologist expressed fears that the
high-technology toilets would "result in a lot of
unnecessary further testing." It is also unclear whether
the manufacturers have developed any specific systems or
rules to prevent privacy abuses. However, it may be
some time before these digital bathroom
appliances become widespread, mainly because they are
still very expensive. Indeed, a single Twyford Bathroom
VIP toilet costs a hefty US $5 000.
See Michael Y. Park, "More Than an Average Joe's
'John'," Fox News, Aug. 9, 2001 at http://foxnews.com/story/0,2933,31677,00.html
ABOUT THE GILC NEWS ALERT:
The GILC News Alert is the newsletter of the Global
Internet Liberty Campaign, an international coalition of
organizations working to protect and enhance online civil
liberties and human rights. Organizations are invited to
join GILC by contacting us at gilc@gilc.org.
To alert members about threats to cyber liberties, please
contact members from your country or send a message to
the general GILC address.
To submit information about upcoming events, new
activist tools and news stories, contact: GILC
Coordinator, American Civil Liberties Union, 125 Broad
Street, 17th Floor, New York, New York 10004 USA. email:
gilcedit@aclu.org
More information about GILC members and news is available at http://www.gilc.org.
You may re-print or redistribute the GILC NEWS ALERT freely. To subscribe
to the alert, please send an e-mail to gilc-announce@gilc.org
with the following message in the body: subscribe gilc-announce
PUBLICATION OF THIS NEWSLETTER IS MADE POSSIBLE BY A
GRANT FROM THE OPEN SOCIETY INSTITUTE (OSI)