E P I C A l e r t
Volume 14.10 May 18, 2007
Published by the
Electronic Privacy Information Center (EPIC)
Table of Contents
White House Privacy Board Under Fire for Weak Review of Programs
2006 Wiretap & FISA Reports Released: No Applications Denied
New York Agency Endorses EPIC's Google/DoubleClick Complaint
More Than 12,000 Comments Submitted on REAL ID Draft Regulations
Data Security Bills Advance in Senate Committees
News in Brief
EPIC Bookstore: "The Unbinding"
Upcoming Conferences and Events
 White House Privacy Board Under Fire for Weak Review of Programs
Earlier this week, Lanny J. Davis, one of five members of the
President's Privacy and Civil Liberties Oversight Board, resigned in
protest of the Bush administration's changes to the Board's first annual
report. The White House made more than 200 revisions to the report,
including the deletion of a passage on anti-terrorism programs where
intelligence officials said the programs had "potentially problematic"
intrusions on civil liberties.
Another change was the deletion of the Board's plan to investigate the
controversial Automated Targeting System, which was originally
established to assess cargo that may pose a threat to the United States,
but has expanded to creating terrorism risk profiles for millions of
people. EPIC has criticized the system, explaining that the terrorist
risk profiles will be secret, unreviewable, and maintained by the
government for 40 years. EPIC, along with 29 organizations and 16
privacy and technology experts, filed comments last year highlighting
privacy and security risks inherent in the system and urging the agency
to suspend the program and to fully enforce Privacy Act obligations.
The Board, which operates within the Executive Office of the President,
is intended to "[advise] the President and other senior executive branch
officials to ensure that concerns with respect to privacy and civil
liberties are appropriately considered in the implementation of all
laws, regulations, and executive branch policies related to efforts to
protect the Nation against terrorism." However, the Board does not have
subpoena authority, which weakens its investigative power. One passage
deleted by the White House described a letter sent by the Board to
President Bush asking him to issue an executive order to all federal
agencies to fully cooperate with the Board. The extensive White House
revisions have raised questions about the independence and effectiveness
of the Board. EPIC has published a detailed report on the need to reform
the Board. Legislation to change the Board has passed both the House and
Last week, Governor Tom Kean and Lee Hamilton, former Chair and Vice
Chair of the 9/11 Commission, sent a letter to the Board in response to
its report. The Kean and Hamilton letter began with the question, "What
civil liberties have been specifically protected or enhanced by your
actions?" The Board's report provides few details on program operations
or what internal controls are in place to protect civil liberties in any
of the government programs evaluated. Kean and Hamilton criticized this
narrow viewpoint, stating, "There are wide-ranging concerns expressed by
the American public with respect to privacy and civil liberties beyond
those you raise in your report." The letter also raises questions about
the President's domestic surveillance program, watch list problems, and
the misuse of National Security Letter authority.
Report from the White House Privacy and Civil Liberties Board (pdf):
Draft Report with White House Revisions Marked (pdf):
Lanny J. Davis's Resignation Letter (pdf):
Letter from Gov. Tom Kean and Lee Hamilton to the Board (pdf):
EPIC's Report Recommending Changes to the Board (pdf):
EPIC's Page on the Automated Targeting System:
 2006 Wiretap & FISA Reports Released: No Applications Denied
The Administrative Office of the US Courts submitted its annual report to
Congress on the wiretaps approved by state and federal courts. The
report does not include interceptions authorized under the Foreign
Intelligence Surveillance Act (FISA), which are reported to Congress
separately.
State and federal judges are required by the Omnibus Crime Control and
Safe Streets Act of 1968 to report each application for an order to
intercept wire, oral or electronic communications within 30 days of the
denial of the application or the expiration of the interception.
Prosecutors must report in January all orders terminated within the
previous calendar year. The reports do not identify the parties or
telephone numbers intercepted.
The total number of wiretaps increased by 4 percent in 2006. Of 1,839
applications, 461 were submitted to federal judges and 1,378 to state
judges. No applications were denied. Federal wiretap authorizations
decreased by 26%, while state applications increased by 20% from the
previous year; over the last ten years, however, the total number of
wiretaps has increased by 54%. The Department of Justice (DOJ)
attributed the federal decrease to complex and sensitive wiretaps that
were still ongoing or under seal and therefore not yet reported;
according to DOJ, the numbers would show no change if those were
included.
Most of these wiretaps were on portable devices (92%); the second most
common location was residences (3%). No instances of encryption were
encountered in any of these wiretaps. The largest single intercept was
in New York, where a 519-day tap captured 105,000 messages, 75,000 of
which were incriminating. The average cost of intercept devices was
The Department of Justice separately reported to Congress on searches
authorized by the Foreign Intelligence Surveillance Court (FISC).
In 2006, the government made 2,181 applications for FISC searches. These
include electronic surveillance, physical searches, and mixed
applications. Of these, the court substantially modified 73
applications, and five applications were withdrawn by the government
before the court ruled. The remaining 2,176 were all approved. The
government also made 43 applications for access to business records, and
all of these were also approved.
2006 Wiretap Report:
2006 FISA report:
EPIC's FISA page:
 New York Agency Endorses EPIC's Google/DoubleClick Complaint
The New York State Consumer Protection Board has sent a letter to the
Federal Trade Commission (FTC) endorsing EPIC's recent complaint to the
FTC regarding the privacy implications of the Google/DoubleClick merger.
On April 20, 2007, EPIC, the Center for Digital Democracy and the US
Public Interest Research Group filed a complaint with the Federal Trade
Commission, urging the Commission to open an investigation into Google's
data retention policies, specifically in light of its recent proposed
acquisition of DoubleClick. The complaint called on the Commission to
force Google to comply with internationally recognized privacy
guidelines such as the Organization for Economic Co-operation and
Development (OECD) Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data, which recognized that "the right of
individuals to access and challenge personal data is generally regarded
as perhaps the most important privacy protection safeguard."
In its letter to the FTC, the Consumer Protection Board stated, "[t]he
combination of DoubleClick's Internet surfing history generated through
consumers' pattern of clicking on specific advertisements, coupled with
Google's database of consumers' past searches, will result in the
creation of "super-profiles," which will make up the world's single
largest repository of both personally and non-personally identifiable
information." The Board expressed concern that these profiles expose
consumers to the risk of disclosure of their data to third parties, as
well as public disclosure as evidence in litigation or through data
The Consumer Protection Board urged the FTC to halt the merger until it
has fully investigated Google's planned use of DoubleClick's data
post-merger. The Board further urged the FTC to require Google to
establish and publicly disclose a "clear and conspicuous" data
collection policy providing for strict data security, consumer access to
personally identifiable information, the ability to edit or delete such
data, an opt-out mechanism for exclusion from Google's database, and
remedies in the event of a data breach or failure to comply with an
opt-out request. The Consumer Protection Board is encouraging New York
State consumers to voice their concerns regarding the Google/DoubleClick
merger and its potential impact on their privacy to the FTC. It has
provided a sample consumer letter to the FTC on its website to
facilitate this process.
"Technology is advancing at a pace never before seen," the Board stated,
"and although there are many benefits, government should act to ensure
that the public's fundamental right to privacy is not abridged."
Letter from the NY State Consumer Protection Board (pdf):
NY Consumer Protection Board Press Release:
NY Consumer Protection Board Take Action page for NY consumers:
EPIC's Complaint to the FTC (pdf):
EPIC's FTC Google Complaint page:
 More Than 12,000 Comments Submitted on REAL ID Draft Regulations
The Department of Homeland Security announced that it has received more
than 12,000 comments on its draft implementation regulations for the
REAL ID Act, even though the comment process was marked with problems.
Many people complained that they were unable to file comments through the
Web site and fax number provided by DHS. Overwhelmed by the flow of
comments, DHS set up an e-mail address for public submissions one day
before the comments were due.
EPIC and 24 other experts in privacy and technology jointly submitted
comments warning the federal agency not to go forward with the REAL ID
proposal. The group urged DHS to recommend to Congress that REAL ID is
unworkable and must be repealed. "The REAL ID Act creates an illegal de
facto national identification system filled with threats to privacy,
security and civil liberties that cannot be solved, no matter what the
implementation plan set out by the regulations," the group said.
The group said that the ill-conceived plan would increase the risk of
and the damage caused by identity theft. Creating a national
identification database full of personal documents such as birth and
citizenship certificates, making that database accessible to thousands
of people, while not requiring adequate security and privacy safeguards,
will necessarily make us less secure as a nation and as individuals.
"DHS has the obligation to protect the privacy of citizens affected by
this system and must do more than the feeble attempts set out in the
draft regulations," the group said.
REAL ID faces considerable opposition by the public, the States and in
Congress. More than 60 organizations and 200 blogs joined a campaign to
file comments against REAL ID. Washington and Montana passed legislation
to opt-out of REAL ID completely. Colorado, Georgia and Idaho will
either delay or not spend any money on implementation. Arkansas, Hawaii,
Maine, Nevada, and North Dakota are calling for the repeal of REAL ID.
Legislation has been introduced in both houses of Congress to repeal
Last week, at a Senate Judiciary Committee hearing about REAL ID,
Chairman Patrick Leahy said, "The days of Congress rubber-stamping any
and every idea cooked up by this administration are over." At the
hearing on May 8, Bruce Schneier, security expert and member of the EPIC
Board of Directors, testified against the fundamentally flawed national
identification scheme. Schneier explained that REAL ID would only
protect us from terrorists "if the terrorists did exactly what we expect
them to. But if they find a way around REAL ID, then it won't protect us
at all." Schneier also said that DHS has shown a profound lack of
respect for the public and for the states. "Today is the deadline for
comments on the draft regulations. DHS has testified that final
regulations will be released by August or September. It is not possible
for DHS to read, review and consider the thousands of public comments it
will receive. This tells me that DHS does not intend to make substantial
changes to its draft regulations."
Comments of EPIC and 24 Experts in Privacy and Technology (pdf):
Senate Judiciary Hearing, "Will REAL ID Actually Make Us Safer? An
Examination of Privacy and Civil Liberties Concerns":
Department of Homeland Security's Notice of Proposed Rulemaking on REAL
EPIC's Page on National ID Cards and REAL ID Act:
Stop REAL ID Campaign site:
 Data Security Bills Advance in Senate Committees
A number of data security and consumer protection bills have moved
through their respective Senate and House committees in the last month.
On May 3, the Senate Judiciary Committee passed the Personal Data
Privacy and Security Act of 2007, S. 495, introduced by Committee
Chairman Leahy and Senator Specter, as well as the Notification of Risk
to Personal Data Act, S. 239, introduced by Senator Feinstein.
S. 495 aims to prevent and mitigate identity theft, ensure privacy,
provide notice of security breaches, and enhance criminal penalties, law
enforcement assistance, and other protections against security breaches,
fraudulent access, and misuse of personally identifiable information. S.
239, which focuses on security breach notification, was amended to
mirror the Leahy-Specter bill.
The Senate Commerce Committee previously passed a similar bill, the
Identity Theft Prevention Act, S. 1178, introduced by Senator Inouye.
The bill provides for the implementation of security standards for the
holding of sensitive personal information, and includes security breach
notification and security breach provisions. The bill also calls for the
establishment of an Information Security and Consumer Privacy Advisory
EPIC previously testified before the Senate Commerce Committee on the
subject of security breach notification. In its testimony, EPIC
recommended that security breach legislation include provisions
regarding the availability of credit freezes, as well as requirements
for audit trails and public reporting of breaches. All three bills in
Congress currently include media notification for large breaches. S.
1178 includes provisions for credit freezes, and S. 495 requires
government agencies to ensure that audit regulations are in place.
The House Commerce Committee passed both the Social Security Number
Protection Act of 2007, H.R. 948, and the Securely Protect Yourself
Against Cyber Trespass Act, or SPY Act, H.R. 964. H.R. 948 makes it illegal to
purchase or sell social security numbers in a manner that violates
Federal Trade Commission (FTC) anti-fraud regulations. EPIC testified
last year before the House Subcommittee on Social Security on the risks
associated with expanded use of Social Security numbers, such as
identity theft. H.R. 964 bans malware or spyware tracking techniques
such as the use of keystroke-logging programs or the installation of
software without gaining approval via a clearly stated end user
S. 495 Personal Data Privacy and Security Act of 2007:
S. 239 Notification of Risk to Personal Data Act of 2007:
S. 1178 Identity Theft Prevention Act:
H.R. 948 Social Security Number Protection Act of 2007:
H.R. 964 Securely Protect Yourself Against Cyber Trespass Act (SPY ACT):
EPIC's Testimony on Identity Theft and Data Brokers (2005):
EPIC's Testimony before Subcommittee on Social Security (pdf):
 News in Brief
New York Plan for DNA Data in Most Crimes
New York Governor Eliot Spitzer is proposing a massive expansion of New
York State's database of DNA samples. Currently, New York State
generally only collects DNA samples from those convicted of the most
serious crimes. The governor's proposal would order DNA taken from those
convicted of most crimes, including all misdemeanors - even minor drug
offenses, harassment, or unauthorized use of a credit card. The governor
is also proposing mandatory DNA sampling of all prisoners in New York,
as well as anyone on parole, on probation, or registered as a sex
offender, an expansion that would add about 50,000 samples to the
database. In October 2005, EPIC filed a "friend of the court" brief in
the federal court case of Kohler v. Englade addressing whether the
police may coerce a person to provide a DNA sample. EPIC's brief
surveyed more than 20 DNA dragnets conducted in the United States over
the past 15 years. The brief showed that the investigative technique has
repeatedly failed to identify the intended targets of investigations,
but has compromised the privacy rights of thousands of innocent people.
New York State Governor's Press Release:
Text of proposed DNA database legislation:
EPIC's "friend of the court" brief in Kohler v. Englade:
European Parliament Considers US Demands for Passenger Data
US Homeland Security Secretary Michael Chertoff addressed the European
Parliament's Committee on Civil Liberties, Justice and Home Affairs last
week regarding the passenger name records (PNR) agreement between the EU
and the US. The current interim deal expires in July, and the European
Parliament wants a new agreement with better data protection standards.
Parliament seeks to limit how much data is transferred, which agencies
it is shared with, and how long the data is kept. Contrary to this
position, Chertoff asked that restrictions on the use of data be made
looser than what is in the current agreement, claiming that wider
sharing amongst agencies is necessary to stop terrorist attacks.
The United States Mission to the European Union, "Homeland Security's
Chertoff Addresses European Parliament Committee on Data Transfer,
Privacy" (May 14, 2007)
EPIC's page on EU-US Airline Passenger Data Disclosure
Union Sues TSA Over Data Breach
The American Federation of Government Employees has filed a class action
suit against the Transportation Security Administration over its loss of
a hard drive containing personal information on over 100,000 employees.
The hard drive, which contains payroll data from January 2002 to August
2005, holds employee names, Social Security numbers, birth dates, and
bank account and routing information. The loss affects all individuals
who were employed by the TSA during this period. The union claims that
the breach constitutes a violation of the Privacy Act. The Privacy Act
provides remedies for certain disclosures of personal information held
by the government, including the creation of new security measures, and
damages. In 2003, EPIC filed an amicus brief in Doe v. Chao, a Supreme
Court case interpreting the Privacy Act's minimum damages provision.
"AFGE Sues TSA for Reckless Violation of Privacy Act":
EPIC's Doe v. Chao page and brief:
EC Announces New Project on Privacy Enhancing Technologies
On May 2, the European Commission detailed plans to identify, develop,
and promote Privacy Enhancing Technologies ("PETs"). Commission
Vice-President Franco Frattini said the EC seeks to "ensure that
breaches of the data protection rules and violations of individual's
rights are not only something forbidden and subject to sanctions under
the existing legal provisions, but also technically more difficult."
EPIC has urged the use of PETs in the U.S. and internationally. In its
January comments to the President's Identity Theft Task Force, EPIC
said, "PETs can allow authentication to occur without the need for
identifying information to be disclosed. Such techniques enable
commerce, communication, web browsing, and even voting without
unnecessary privacy risks."
EC Press Release, "Promoting Data Protection by Privacy Enhancing
EPIC's Comments to the President's Identity Theft Task Force (pdf):
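The EPIC comment quoted above claims that PETs let authentication happen without disclosing identifying information. As an added illustration that is not from the EPIC Alert, the Commission's plans, or EPIC's comments, the following Python sketch shows one classic way this is done: an RSA blind signature, where an issuer who does know the user's identity signs a token it cannot see, and a service later accepts the unblinded token without learning who obtained it. Everything here is constructed for the example: the class names `User`, `Issuer` and `Verifier`, the placeholder identity string, and the tiny Mersenne-prime key. A real deployment would use a vetted library, a modulus of at least 2048 bits, and a proper hash-to-group encoding such as RSA-FDH.

```python
"""Anonymous authorization via an RSA blind signature (constructed demo)."""
import hashlib
import secrets
from math import gcd

# Constructed demonstration key built from two Mersenne primes.
# Far too small for real use; see the lead-in for what a deployment needs.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+


def h_to_int(token: bytes) -> int:
    """Hash the token into Z_N (a stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


class User:
    """Holds the secret token and the blinding factor; never shows the token to the issuer."""

    def __init__(self) -> None:
        self.token = secrets.token_bytes(32)
        while True:
            self.r = secrets.randbelow(N - 2) + 2     # 2 .. N-1
            if gcd(self.r, N) == 1:                   # r must be invertible mod N
                break

    def blind(self) -> int:
        # blinded = H(token) * r^e mod N; this value is uniformly random from the issuer's view
        return (h_to_int(self.token) * pow(self.r, E, N)) % N

    def unblind(self, blinded_sig: int) -> int:
        # (H(t) * r^e)^d = H(t)^d * r mod N, so dividing out r leaves a plain signature on H(t)
        return (blinded_sig * pow(self.r, -1, N)) % N


class Issuer:
    """Authenticates the user by identity (assumed to happen out of band) and signs blindly."""

    def __init__(self) -> None:
        self.issued = set()   # one credential per identity
        self.log = []         # everything the issuer ever sees: identity + blinded value

    def issue(self, identity: str, blinded: int) -> int:
        if identity in self.issued:
            raise PermissionError("one credential per identity")
        self.issued.add(identity)
        self.log.append((identity, blinded))
        return pow(blinded, D, N)


class Verifier:
    """Accepts a token on the strength of the signature alone; refuses replays."""

    def __init__(self) -> None:
        self.spent = set()

    def accept(self, token: bytes, sig: int) -> bool:
        if pow(sig, E, N) != h_to_int(token):
            return False          # not signed by the issuer
        if token in self.spent:
            return False          # same credential presented twice
        self.spent.add(token)
        return True


def demo() -> tuple:
    """Run the full exchange; returns (accepted, replay_accepted, issuer_saw_token_hash)."""
    alice, idp, service = User(), Issuer(), Verifier()
    blinded = alice.blind()
    # "alice@example.org" is a placeholder identity string for the demo.
    sig = alice.unblind(idp.issue("alice@example.org", blinded))
    first = service.accept(alice.token, sig)
    replay = service.accept(alice.token, sig)
    # The issuer's log holds neither the token nor its hash, only the blinded value.
    saw = any(b == h_to_int(alice.token) for _, b in idp.log)
    return first, replay, saw


if __name__ == "__main__":
    print(demo())
```

The blinding factor r is what makes the issuer's view (identity plus a random-looking blinded value) and the verifier's view (token plus signature) unlinkable; the verifier's `spent` set is what stops one credential from being reused. That is the usual trade-off in such schemes: anonymity for the user in exchange for a small amount of state at the verifier.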
GAO Report: Customs Agency's Data Collection Violates Privacy Laws
Customs and Border Protection is violating privacy laws in its data
collection practices, the Government Accountability Office reported
Wednesday. The GAO said that the current passenger prescreening process
does not comply with the Privacy Act of 1974 and the E-Government Act of
2002. Customs "has not fully disclosed or assessed the privacy impacts
of its use of personal information during international passenger
prescreening as required by law," the GAO said. EPIC has repeatedly
urged that the federal privacy laws be fully applied to all passenger
prescreening programs. "The lack of enforcement of Privacy Act
obligations means that individuals are not given the opportunity to
inspect, correct or limit the dissemination of inaccurate information,"
and this lack of transparency leads to security resources being wasted
on innocent travelers who are misidentified as criminal suspects, EPIC
GAO Report, "Aviation Security: Efforts to Strengthen International
Passenger Prescreening are Under Way, but Planning and Implementation
Issues Remain" (pdf):
EPIC Page on Secure Flight:
 EPIC Bookstore: "The Unbinding"
The Unbinding by Walter Kirn (Random House, 2006)
Walter Kirn's novel, originally published in online serial form on
Slate.com, presents a view not of the world as it could be, but rather
the world as it may already be. The Unbinding's characters make and
remake themselves in online and offline forms, in order to entice or
repel others, as the case may be.
Kent Selkirk, the novel's main character, works at an omnipresent
subscriber service called AidSat, where he coaches clients through all
manner of life situations, from relationship advice to emergency
response. Through the AidSat network Kent has a wealth of information at
his fingertips, as well as the power to passively observe any client,
their conversations, their vital signs, and their movements. Abuse of
this power is particularly powerful given that online research is
accorded more trust than face-to-face interaction and observation.
Society and its players rely on two assumptions: that data doesn't lie,
and that the aggregation of enough isolated pieces can paint a complete
picture that satisfies any purpose, be it employment, dating, or
criminal risk assessment.
The online form of the novel allows the author to incorporate real-time
events, drawing even closer the parallel between Kirn's "fictional"
world and ours. In a bold statement about the current social concept of
privacy, Kirn writes, "They've grown up believing in the orbiting eye,
the subdermal microchip, the circling drone, and they're no more afraid
of them than they are of moonlight. Perhaps that's because they're born
onstage, these creatures, and the first thing they see is the snout of
Daddy's Handycam. . . In time, they have nothing inside them that hasn't
been outside." As the watchers become the watched, a race to gather the
most information on others ensues, leaving one problem for both the
characters and the reader: which information represents the truth?
-- Allison Knight
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act. The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years. For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
Conference on Interdisciplinary Studies in Information Privacy and
Security. Rutgers University. May 22, 2007. New Brunswick. For more
Privacy Compliance Conference. The Canadian Institute. May 30-31, 2007.
Toronto, Canada. For more information:
2007 ALA Annual Conference. Washington Convention Center. June 23-26,
2007. Washington, DC. For more information:
National Institute on Computing and the Law: From Steps to Strides into
the New Age. June 25-26, 2007. San Francisco, CA. For more information:
Civil Society Privacy Conference: Privacy Rights in a World Under
Surveillance. September 25, 2007. Montreal, Canada. For more
29th International Conference of Data Protection and Privacy
Commissioners. September 25-28, 2007. Montreal, Canada. For more
Future of the Internet Economy - OECD Ministerial Meeting. June 14-18,
2008. Seoul, Korea. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.
Thank you for your support.
------------------------- END EPIC Alert 14.10 -------------------------
Distributed through Cyber-Society-Live [CSL]: CSL is a moderated discussion
list made up of people who are interested in the interdisciplinary academic
study of Cyber Society in all its manifestations. To join the list please visit: