On Behalf Of EPIC News
Sent: 19 October 2007 22:18
Subject: EPIC Alert 14.21
E P I C A l e r t
Volume 14.21 October 19, 2007
Published by the
Electronic Privacy Information Center (EPIC)
Table of Contents
- House, Senate Mired in Surveillance Reform
- EPIC, Domestic Violence Groups, Propose DC Court Records Privacy
- Court Blocks Government Rule on Employment Eligibility Verification
- French Protest DNA Database Law
- Security Experts Report on Hazards of New Surveillance Architecture
- News in Brief
- EPIC Bookstore: "The Future of Reputation"
- Upcoming Conferences and Events
- Subscription Information
- About EPIC
- Donate to EPIC
 House, Senate Mired in Surveillance Reform
The House of Representatives debated, but did not vote on, the RESTORE
Act reforms to the Foreign Intelligence Surveillance Act (FISA). The
Senate Intelligence Committee reached a deal with the president to grant
immunity to telecommunications companies, but Senator Dodd has vowed to
An alternative proposal to extend this summer's Protect America Act,
legislation that amends the Foreign Intelligence Surveillance Act,
failed to pass House Committees. The Protect America Act removes some
surveillance from the limited FISA court review, allows the government
to create more surveillance programs with limited review, and immunizes
from lawsuits telecommunications companies who participate in these
programs. The Protect America Act is set to expire in February 2008.
The RESTORE Act provides more avenues for FISA court review. The FISA
court will review the procedures used to target people abroad. Further,
it narrows the scope of new surveillance authorities to include only
terrorism and national security, and not broader foreign intelligence
information. The RESTORE Act increases the size of the FISA court from
11 to 15 judges; allows the court to sit together in an en-banc review
of individual judges; and authorizes more expenditures on administration
staff to handle surveillance applications. Intelligence officials must
report their surveillance orders to Congress, as well as perform regular
audits every 3 months. Congress also requests an audit of all
warrantless surveillance programs. The new provisions of the RESTORE Act
are set to expire in December of 2009.
The RESTORE Act does not include immunity for those who participated or
continue to participate in illegal surveillance. The president has
promised to veto any bill which does not include immunity. Any bill that
passes the House will have to be reconciled with a Senate bill, yet to
RESTORE Act, H.R. 3773:
EPIC's page on Foreign Intelligence Surveillance Act:
 EPIC, Domestic Violence Groups, Propose DC Court Records Privacy
In response to a request from District of Columbia Superior Court
judges, EPIC and domestic violence groups filed comments on privacy in
court records. The Court asked for input on a proposal to place
domestic violence and domestic relations docket information online for
The comments point to the 2005 Violence Against Women Act (VAWA), which
prohibits the Internet publication of certain domestic violence
protection order information. VAWA protects the identity and location of
protected persons. Information contained in the docket could reveal the
identity and location of a protected person. The name of an abuser and
the location from which the abuser is restrained all reveal information
about the protected party.
Domestic violence survivors face privacy risks from all sections of the
court docket. The mere existence of a public record discloses their
location to an abuser. The existence of a domestic violence or a
domestic relations record can lead to reputation harms and stigma.
Public records facilitate identity theft, and this loss of privacy may
lead individuals to wish to avoid the court system. All of these risks
are magnified by the fact that data brokers mine public records,
commodify and resell them for purposes other than government oversight.
Brokers use these records for profiling, direct marketing, and building
dossiers on individuals.
The comments recommend a policy that follows VAWA, respects
well-established privacy principles, and still permits convenient online
access. Individuals should have control over whether their records are
placed online. Data brokers should be restricted from accessing records
via legal and technical measures. Online records should be available only
for limited uses and accessible only via a password-based login system.
Comments of EPIC and Domestic Violence Groups (pdf):
EPIC's page on Domestic Violence and Privacy:
EPIC's page on Privacy and Public Records:
 Court Blocks Government Rule on Employment Eligibility Verification
A federal judge has issued a temporary restraining order in a lawsuit
filed by the AFL-CIO, ACLU, and National Immigration Law Center that
prohibits the federal government from enforcing a new rule connected to
its employment eligibility verification system (now called "E-Verify").
The rule requires employers to fire employees if they are unable to
resolve "no match" discrepancies within 90 days. The federal government
is restricted from issuing 140,000 "no match" letters to employers,
which would affect about 8 million workers nationwide.
The Department of Homeland Security (DHS) had hoped to expand its
employment eligibility verification system, previously called "Basic
Pilot," to encompass 6 million employers and 143.6 million workers
nationwide. But Congress rejected such legislation this summer, so DHS
is attempting to make changes through administrative regulation.
DHS seeks to require more than 200,000 federal contractors to check the
agency databases before hiring employees. This is an increase of more
than 1,076 percent over the 17,000 employers currently registered in
E-Verify. Also, the system would use an "enhanced photograph capability"
that would allow employers to check photographs in E-Verify databases.
DHS also would expand the number of databases E-Verify checks to include
visa and passport databases; and the agency is asking states to
"voluntarily" allow DHS access to their motor vehicle databases.
DHS would also require employers to fire employees if they are unable to
resolve "no match" discrepancies within 90 days. If the employers do not
terminate the workers' employment, the businesses would face fines of
$11,000 or more. DHS also would raise fines against employers by 25
percent and increasingly use criminal action against employers, as
opposed to administrative action. This "no match" portion is the subject
of the lawsuit filed by the AFL-CIO, ACLU and National Immigration Law
Center. They seek a permanent ban against implementation by the federal
EPIC has repeatedly detailed the myriad of security and privacy problems
inherent in the E-Verify system. At a House Subcommittee on Social
Security hearing on June 7, EPIC urged the strengthening of privacy
safeguards associated with employment eligibility verification systems
and said existing agency database problems should be corrected before a
nationwide expansion is considered. Federal reviews have deemed the
system "seriously flawed in content and accuracy." For example, the
Social Security Administration database is estimated to include 18
million incorrect records.
The federal government is also battling Illinois over E-Verify by filing
suit in a federal court seeking to block a new Illinois law, claiming it
preempts federal law. However, the state law does not place an outright
ban on employer use of the voluntary employment eligibility verification
system called E-Verify. Instead, the Illinois law prohibits employers
from using the system until the federal databases used can be certified
as 99 percent accurate.
Temporary Restraining Order Issued on October 10, 2007 (pdf):
EPIC Spotlight on Surveillance About Problems in E-Verify: "E-Verify
System: DHS Changes Name, But Problems Remain for U.S. Workers" (July
U.S. v. Illinois, U.S. District Court for the Central District of
Illinois, Springfield Division (Sept. 24, 2007) (pdf):
Illinois's Right to Privacy in the Workplace Act (2007):
EPIC's Testimony on Employment Verification Systems before the House
Committee on Ways and Means (June 6, 2007) (pdf):
 French Protest DNA Database Law
Last week, thousands of French citizens attended a concert organized by
SOS Racisme to protest a new proposed law authorizing DNA tests for
immigrants. The law authorizes the use of DNA testing to determine
whether foreigners applying for visas are actually related to family
members they seek to join in France. Critics of the proposal claim it
infringes basic human rights.
The main argument against the amendment is that the notion of family in
French law is not based on blood, but on recognition of a child as one's
own. DNA testing would set up a double standard - one for the French,
another for immigrants. The testing could also prejudice the immigration
status of stepchildren and adopted children. Another recent amendment to
the proposal has limited the testing only to maternity, leaving aside
the "potentially embarrassing" question of paternity. The new
legislation also stirs up memories of the collaborationist Vichy
government during the Nazi occupation of France.
While the legislation states that the tests are voluntary until 2010,
and the President has said that the tests "would be used only where
there were no clear records 'to prove that children are really your
own'," opponents of the proposal claim that applicants will be pressured
to submit to DNA testing whenever French embassy authorities question
the credibility of their birth certificates, marriage licenses and other
Ironically, the DNA debates coincide with the opening of the new French
immigration museum, which is intended to showcase the contributions
immigrants have made to France. President Sarkozy was not present at the
museum's opening ceremony.
Members of the President's Cabinet have threatened to resign over the
proposal. Also, both the chief executive of the African Union and the
president of Senegal have publicly criticized the legislation. US House
Representative Tom Tancredo has introduced legislation similar to the
French proposal in the US Congress this week.
EPIC's page on Genetic Privacy:
Privacy and Human Rights 2006:
 Security Experts Report on Hazards of New Surveillance Architecture
This summer's Protect America Act (PAA) temporarily authorized
warrantless surveillance of communications that Americans have with
individuals abroad. The use of this authority will require the
deployment of new interception technologies. These new technologies
raise several significant security risks.
The report identified the three most serious security risks. The experts
pointed to the danger that the system could be exploited by unauthorized
users. A Greek wiretapping system was exploited by an as yet unknown
party to listen in on government conversations. FBI documents of the DCS
3000 telephone wiretap system revealed several problems in the system's
implementation. This risk turns a surveillance system on its head.
Another risk is the misuse by a trusted insider. Someone with access to
the system could use it for improper purposes. Robert Hanssen abused his
access to FBI systems to steal information and to track investigations
of him. Recently a Treasury agent was indicted for using the Treasury
Enforcement Communications System (TECS) in order to stalk his former
The third major risk is misuse by the US government. Watergate-era
investigations revealed wiretaps of Congressional staff and Supreme Court
justices. These abuses also targeted non-violent activists such as
Martin Luther King, the American Friends Service Committee and the
National Association for the Advancement of Colored People.
The security experts provide key recommendations to guard against these
risks. First is minimization. Decreasing the number of interception
points simplifies security problems. Experts also recommend that
architecture be developed with communications carriers, maintaining them
as a check on government activity. Finally, they recommend independent
oversight, with regular detailed reporting.
Risking Communications Security: Potential Hazards of the "Protect
America Act" (pdf):
A Gateway For Hackers -- Susan Landau:
Privacy On the Line: The Politics of Wiretapping and Encryption, Updated
and Expanded Edition:
 News in Brief
EPIC Hosts Book Discussion with Charlie Savage, Whitfield Diffie
EPIC hosted a discussion on Friday, October 5th, with Charlie Savage,
Pulitzer Prize winner and author of "Takeover: The Return of the
Imperial Presidency and the Subversion of American Democracy," and
Whitfield Diffie, EPIC Board Member and co-author of "Privacy on the
Line, The Politics of Wiretapping and Encryption." The authors discussed
the power of signing statements, the Bush administration's concerted
effort to expand presidential power, and the future of privacy.
Book Discussion Event Page:
TSA Broadens Use of 'Backscatter X-Rays' Allowing 'Virtual Strip
The Transportation Security Administration is expanding the use of
"backscatter X-ray" systems to screen passengers before boarding
airplanes to more airports, including New York's Kennedy and Los Angeles
International. The $100,000 refrigerator-size machines use "backscatter"
technology, which bounces low-radiation X-rays off of a passenger to
produce photo-quality images of metal, plastic and organic materials
underneath clothes. These devices reveal not only prohibited items but
also medical details such as prosthetic devices. TSA states that the
machines will use software that blurs images of passengers, so screeners
will see weapons but only fuzzy images of people's bodies. However,
backscatter X-ray machines are designed to record and store naked
pictures of U.S. travelers. TSA states that operators would delete the
raw images, but the machines do not prevent them from saving the
detailed images. Until there is such a prohibition, funding for the
program should be canceled.
EPIC's Page on Backscatter X-ray:
Canada Criticizes U.S. Passenger Screening Program
The governments of Canada and the U.S. are negotiating proposed
requirements under the U.S. Secure Flight program, a passenger
prescreening program. Canada is objecting to the proposal to require all
airlines to send all passenger lists and detailed personal data for
travelers on flights that do not land in the U.S. but merely cross U.S.
airspace en route to countries such as Mexico. Canada states that this
requirement would violate its privacy laws. Secure Flight was revamped
and reintroduced in August after being suspended for more than a year
because of privacy and security vulnerabilities, but the program remains
riddled with such problems. Comments on the proposed Secure Flight
requirements are due October 22.
Department of Homeland Security, "Secure Flight Plan; Proposed Rule"
(August 23, 2007):
EPIC's page on Secure Flight:
New Online Resource for Obtaining Personal FBI File
A new website offers free help to individuals applying for access to
their FBI files. The website generates the letters needed to apply to
the FBI to get a copy of an individual's own FBI file from FBI
headquarters or any of the agency's field offices. The site can also
generate letters to a number of other federal agencies, including the
Central Intelligence Unit, the US Marshals Service, the Defense
Intelligence Agency, and the National Security Agency. Name, address and
place of birth fields can be automatically inserted by the program using
information provided by the individual, or the individual can handwrite
this information into blanks in the letter. The website includes an FAQ
page that provides information on application fees payable to the
government agencies, and how to obtain the FBI file of deceased
Get My FBI File:
EPIC's FOIA page
Report: Security Risks Remain at Transportation Security Administration
The Transportation Security Administration continues to have significant
problems with aviation security, according to two new reports from the
Government Accountability Office. "TSA has also not yet effectively
deployed checkpoint technologies to address key existing
vulnerabilities, and has not yet developed and implemented technologies
needed to screen air cargo," the GAO said. The GAO also reported TSA is
plagued with problems such as "not always implementing effective
strategic planning or fully adopting and applying a risk management
approach with respect to commercial aviation security." EPIC has
detailed security and privacy problems in such programs, including
passenger prescreening programs Secure Flight and Registered Traveler.
Government Accountability Office, "Aviation Security: DHS Has Made
Progress in Securing the Commercial Aviation System, but Key Challenges
Remain GAO-08-139T," October 16, 2007 (pdf):
Government Accountability Office, "Transportation Security: Efforts to
Strengthen Aviation and Surface Transportation Security are Under Way,
but Challenges Remain GAO-08-140T," October 16, 2007 (pdf):
EPIC's page on Passenger Profiling:
 EPIC Bookstore: "The Future of Reputation"
"The Future of Reputation: Gossip, Rumor, and Privacy on the Internet"
by Daniel J. Solove (Yale University Press 2007)
Professor Solove's new book examines how the Internet-enabled world is
being shaped by human nature and social norms. Solove does a very good
job at helping the reader to reflect objectively on today's society - no
easy task. The Internet's enabling technology has quickly become part of
the fabric of everyday life. In the past, integration of new
technologies and applications has taken decades, which allowed the law,
and, more importantly, social norms to create the rules that would
govern the novel technology's use within a society.
The Internet is unique in that, unlike past forms of mass communication,
participation of the audience is not limited to that of consumer. On the
Internet, participants can also be content producers. In addition, the
Internet has no scarcity: there is always more room for another blog,
web page, or advertisement. Solove makes the case that the Internet's
structure is a very good thing, but that rules of the game need to be
Solove describes the Internet as being a teenager - any parent with a
teenager can appreciate the need to maintain space while attempting to
keep their children safe as they navigate from childhood into adulthood. As
with teenagers, we really do not understand how the Internet creates or
sustains the social network of users. Solove identifies what he calls
the "mob" nature of the Internet to explain how one item on a blog or
web site can gain so much popularity, and indeed grow to be an entity
unto itself, capable of inciting unrelenting punishment or revenge that
spills over into other facets of life. What is clear according to Solove
is that the harm that can be inflicted by violations of privacy or
confidences should be addressed by new laws that increase protection of
confidentiality, give people greater control over their personal
information, and establish a formal process for dispute resolution. The
fundamental goal of the courts should be to restore balance rather than
The full content that is available online has not been mapped so there
is dark matter still to be found. (Please excuse the astrophysics term,
but it is probably the best approximation of the unknown Internet. It's
not hiding; it just has not been found and catalogued by search engines.)
Solove states that employers, friends, co-workers, potential partners,
and dates are "Googling" you, and the opinions reached can harm
relationships whether or not the information is divulged. Information on
the Internet can follow individuals around the globe and throughout
time. The Internet never forgets, and it seems that it has yet to learn
Solove will have a book signing at Borders Bookstore, 18th & L,
Washington, DC, on Monday, November 5th, at 6:30 PM.
-- Lillie Coney
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act. The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years. For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
Voter ID Laws: Preventing Fraud or Suppressing the Vote? October 23,
2007. Washington DC. For more information: http://www.acslaw.org
University of Ottawa Faculty of Law: The Revealed "I". October 25-27,
2007. Ottawa, Canada. For more information:
Seattle Technology Law Conference. December 13-14, 2007. Seattle, WA.
For more information: http://www.lawseminars.com/seminars/07COMWA.php
ACI's 7th National Symposium on Privacy & Security of Consumer and
Employee Information. January 23-24, 2008. Philadelphia, PA. For more
Computer Professionals for Social Responsibility: Technology in Wartime
Conference. January 26, 2008. Stanford University. For more
Future of the Internet Economy - OECD Ministerial Meeting. June 17-18,
2008. Seoul, Korea. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).
Donate to EPIC
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.
Thank you for your support.
------------------------- END EPIC Alert 14.21 -------------------------
Electronic Privacy Information Center (EPIC)
1718 Connecticut Avenue, NW, Suite 200
Washington, DC 20009
(p) 202-483-1140 x 104
Distributed through Cyber-Society-Live [CSL]: CSL is a moderated discussion
list made up of people who are interested in the interdisciplinary academic
study of Cyber Society in all its manifestations. To join the list please visit: