WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2002 >> [2002] EPICAlert 11

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 9.11 [2002] EPICAlert 11


Volume 9.11 June 5, 2002

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] FBI Docs Obtained by EPIC: Carnivore Hampered Terror Probe
[2] EPIC, ACLU Prevail - Library Filtering Law Unconstitutional
[3] Coalition Questions New Investigative Guidelines
[4] EU Officials Launch Investigation of Microsoft Passport
[5] Data Retention: EU Vote and ReplayTV Decision
[6] "Observing Surveillance" in Washington, DC
[7] EPIC Bookstore - Overseers of the Poor
[8] Upcoming Conferences and Events

[1] FBI Docs Obtained by EPIC: Carnivore Hampered Terror Probe

FBI documents obtained by EPIC show that an anti-terrorisminvestigation possibly involving Osama bin Laden was hampered bytechnical flaws in the Bureau's controversial Carnivore Internetsurveillance system. A written report describes the incident as partof a "pattern" indicating "an inability on the part of the FBI tomanage" its foreign intelligence surveillance activities.

An internal FBI e-mail message dated April 5, 2000, recounts how theCarnivore "software was turned on and did not work correctly." Thesurveillance system captured not only the electronic communications ofthe court-authorized target, "but also picked up E-Mails onnon-covered" individuals, a violation of federal wiretap law.
According to the Bureau document, the "FBI technical person wasapparently so upset that he destroyed all the E-Mail take, includingthe take on [the authorized target]."

The botched surveillance was performed by the FBI's InternationalTerrorism Operations Section (ITOS) and its "UBL Unit," which refersto the government's official designation of bin Laden. The Bureaudocument indicates that an official at the Justice Department's Officeof Intelligence Policy and Review became aware of the problem, and"[t]o state that she is unhappy with ITOS and the UBL Unit would be anunderstatement of incredible proportions."

The reported problem apparently was not the first to arise during thecourse of FBI implementation of the Foreign Intelligence SurveillanceAct (FISA). The internal document concludes its report of the "UBLUnit" incident by noting, "When you add this story to the FISAmistakes covered in [another, unreleased document], you have a patternof occurrences which indicate to OIPR an inability on the part of theFBI to manage its FISAs." Two Bureau documents written one week laterdiscuss Carnivore's tendency to cause "the improper capture of data,"
and note that "[s]uch unauthorized interceptions not only can violatea citizen's privacy but also can seriously 'contaminate' ongoinginvestigations" and that such interceptions are "unlawful."

Since its existence became public in 2000, the Carnivore system hasbeen criticized by EPIC and other privacy groups, as well as membersof Congress, because it gives the FBI unprecedented, direct access tothe data networks of Internet service providers. The FBI has publiclydownplayed the system's potential for over-collection of privatecommunications, although internal documents released earlier to EPICconfirmed such a risk.

The newly-released FBI documents were provided to EPIC on May 24, inresponse to a court order issued by U.S. District Judge JamesRobertson in EPIC's ongoing lawsuit seeking the disclosure of materialconcerning Carnivore. The order directed the Bureau to conduct asecond search for relevant documents after EPIC successfully argued(over the Bureau's objections) that an initial FBI search wasinadequate and likely overlooked responsive records (see EPIC Alert9.06).

More information on Carnivore, including the newly-released FBIdocuments, is available at:

[2] EPIC, ACLU Prevail - Library Filtering Law Unconstitutional

A three-judge panel in Philadelphia ruled May 31 that the government'sthird attempt to regulate content on the Internet violates the FirstAmendment because it would restrict substantial amounts of protectedspeech "whose suppression serves no legitimate government interest."
This censorship comes in the form of the Childrens Internet ProtectionAct (CIPA), which requires the installation of filtering software oncomputers in libraries that receive federal support.

In a 195-page opinion, the panel concluded that current filteringtechnology is far too problematic to survive First Amendment scrutiny,
and that these "[f]iltering products' shortcomings will not be solvedthrough a technical solution in the foreseeable future." EPIC'srecent publication, Filters & Freedom 2.0, details the free expressionimplications of filtering technologies. The decision also notes thatthe law infringes upon the First Amendment right to anonymity becauseit forces patrons to reveal their identity in order to get certainsites unblocked.

Congress approved CIPA in December 1999, after even its own 18-membercommittee rejected the proposal because of the risk that "protected,
harmless, or innocent speech would be accidentally or inappropriatelyblocked." The chairman of the panel, Donald Telage, told the WallStreet Journal that "not even the most conservative members of thecommission felt that [blocking] was the road to go down." The lawwould have required public libraries to install the filters or risklosing federal funding starting July 1. CIPA was challenged by acoalition of libraries and patrons, with EPIC acting as co-counsel inthe lawsuit.

The statute provides for an automatic right of review to the SupremeCourt; the government has not yet indicated whether it plans to seeksuch review.

The ruling is available at:


"Filters & Freedom 2.0: Free Speech Perspectives on Internet ContentControls" is available at:

[3] Coalition Questions New Investigative Guidelines

Attorney General John Ashcroft has established new policies that poseserious threats to First Amendment and Fourth Amendment freedoms. Thenew Attorney General's Guidelines on General Crimes, Racketeering andTerrorism ("Guidelines") allow the FBI to engage in prospectivesearches of private-sector databases, and to attend public events andeven religious gatherings where there is no suspicion of criminalactivity. Under the new Guidelines, political speech and freeassociation could be chilled by the specter of government monitoringand ordinary, law-abiding individuals could be profiled in governmentdatabases for signs of criminal deviance.

Ashcroft justified the Guidelines by claiming that FBI agents couldnot use the Internet, use private-sector databases, or even go intopublic places to prevent crime. Those claims were inaccurate -- theFBI did engage in such activities under the former Guidelines, butonly pursuant to a legitimate investigation, one that was based oninformation pointing to the possibility of criminal wrongdoing.

The FBI has a long history of using its investigative powers tomonitor and disrupt legitimate, constitutionally-protected politicalactivity. Years of abuses, perhaps marked most notably by anaggressive smear campaign of the Rev. Martin Luther King, Jr., led tothe development of the first Attorney General's Guidelines in 1976.

A coalition of over thirty civil liberties organizations has sentletters to the House and Senate Judiciary Committees urging promptreview of the Attorney General's Guidelines. The letters urgeCongress to review how the changes impact First Amendment freedoms ofpolitical and religious organizations, to question the legal basis forthe changes, to establish regular oversight of FBI activities toprevent abuse, and to determine how long the guidelines will be ineffect.

EPIC's Attorney General's Guidelines Page:

Coalition Letter to the Senate Judiciary Committee on the Guidelines,
June 4, 2002:

Coalition Letter to the House Judiciary Committee on the Guidelines,
June 4, 2002:

Attorney General's Guidelines:

[4] EU Officials Launch Investigation of Microsoft Passport

The European Commission (EC) has begun an investigation intoMicrosoft's Passport to determine whether the service complies withdata protection laws. The announcement came in a response to writtenquestions posed by Dutch EC member Erik Meijer.

In March 2002, Meijer submitted a series of questions regarding theprivacy of individuals' information in Passport, its security, whetheraggregation of personal information through Passport was legal, andwhether law enforcement officials could access the information withoutnotice and consent to the data subject.

Commissioner Frits Bolkestein confirmed that the Commission was awareof Microsoft's Passport, and assured Meijer that the body "is lookingto this as a matter of priority, [...] with national data protectionauthorities, as regards the system's compatibility (or not) with EUdata protection law." The Commission plans to make a report onMicrosoft Passport by the end of 2002.

In two previous filings with the Federal Trade Commission (FTC),
fifteen privacy and consumer protection organizations urged theCommission to investigate Microsoft Passport and related services.
However, the Commission has taken no public action to investigateMicrosoft.

EPIC's Passport Investigation Docket:

EPIC's Sign Out of Passport Page:

[5] Data Retention: EU Vote and ReplayTV Decision

The European Parliament voted on May 30 on the new European UnionTelecommunications Privacy Directive (COM(2000)385). In a remarkablereversal of their original opposition to data retention, the membersvoted to allow each EU government to demand access to individuals'
electronic communications. Included in the scope of the directive aree-mails, faxes, phone calls on land lines and cellular phones,
messages on the World Wide Web, and electronic communications ingeneral. Law enforcement authorities could, in the future, be giventhe power by their national legislatures to require Internet serviceproviders and telephone companies to store communications for longperiods and provide them with traffic and localization data logs ofindividuals' communications. Such requirements could be implementedfor purposes varying from national security to criminal investigationsand prevention, and prosecution of criminal offences, all withoutspecific judicial authorization.

The vote was the major final step before the final adoption of theEuropean regulation. After the Council's approval, EU Member States'
Parliaments have to implement the Directive into their own nationallegal system, which generally takes from 2 to 5 years. During thisphase, the data retention provisions of the directive might raiseconstitutional issues in some countries as fundamental rightsprinciples (e.g., presumption of innocence, right to privacy andsecrecy of communication, and freedom of expression) contained intheir constitutions may be interpreted to conflict with governmentalmeasures that authorize preventive and generalized control ofindividuals' communications. The Directive also includes anobligation for the European Commission to report in three years to theParliament and the Council on the implementation of the Directive andits impact on economic interests and consumers.

EPIC actively participated in a campaign with other members of theGlobal Internet Liberty Campaign to oppose data retention. Acoalition of 60 civil liberties organizations and more than 16,000individuals from 73 countries endorsed an open letter that was sent toall MEPs and heads of the EU institutions. The open letter assertedthat data retention (for reasons other than billing purposes) iscontrary to well-established international human rights conventionsand case law. Because of the cross-border nature of Internetcommunications, EU-wide implementation of data retention could havenegative repercussions for Americans and citizens of other countries.
In the United States, current regulations do not require dataretention, even after the enactment of the anti-terrorism USA PATRIOTAct.

On the domestic front, a federal district court judge ruled on May 31that ReplayTV would not be required to conduct electronic surveillanceon its PVR customers. As previously reported (see EPIC Alert 9.10),
entertainment studios had obtained an order from a lower judgerequiring ReplayTV to collect data on the television uses of itscustomers. When ReplayTV (owned by SONICblue) challenged that order,
EPIC and other groups filed an amicus brief, alerting the court to theprivacy rights and intellectual freedom concerns implicated by thedecision. After this briefing, the Court stated that it was required"to decide whether the Magistrate Judge, based on the evidence andinformation before him, rendered a decision that was clearly erroneousor contrary to law." The Court further stated, "Although each of theissues raises serious questions, which have been very well briefed onall sides, the Court is persuaded to reverse the Magistrate Judge'sOrder on the grounds that it impermissibly requires defendants tocreate new data which does not now exist."

For more information on developments in the EU, see EPIC's new DataRetention web page:

An unofficial version of the new Telecommunication Privacy Directive(COM(2000)385) is available at:

Individuals are encouraged to endorse a new version of the open letterthat will be sent to important officials of each EU Member State, andmay do so until July 1, 2002 at:

Additional information on the ReplayTV case and related issues can beobtained at EPIC's ReplayTV Litigation Page:

[6] "Observing Surveillance" in Washington, DC

Privacy experts convened on June 3 to question the growingpervasiveness of video surveillance in American life at a conferenceentitled "Observing Surveillance," hosted by EPIC in Washington, DC.
Designed to draw attention to increased surveillance of the nation'scapital, the conference featured panel discussions, multimediapresentations, and an exhibit of photographs of some of the hundredsof cameras positioned within blocks of the National Mall, taken byEPIC policy fellow CÚdric Laurant.

The current situation is a "pivotal moment" for the United States,
said Simon Davies, director general of Privacy International. Daviessaid the United States must decide whether to limit the surreptitioussurveillance of people in public places or go the route of countrieslike England where, with an estimated 2.5 million cameras, the averageLondoner is caught on tape about 300 times per day. Camerasurveillance was introduced in England to prevent terrorist attacks bythe Irish Republican Army, but despite its proliferation it has beenof little help, Davies said.

Other speakers also urged the United States not to follow England'slead by confusing greater surveillance with greater safety. Privacyand security can be compatible, said Deborah Hurley, former directorof the Harvard Information Infrastructure Project and member of theEPIC Board of Directors. In fact, increased surveillance may lead toless security, noted Duke Law School professor James Boyle, becausepolice departments are flooded with "junk data" that they do not havethe resources to analyze.

Panelists also tried to counteract what polls show to be an apparentindifference on the part of the American public to the invasion oftheir privacy posed by surveillance cameras by arguing that there arein fact certain rights to privacy in public places. People conductpersonal business in the public sphere, such as banking and visits tothe doctor, that they do not expect to be made public, said AnitaAllen-Castellitto, a University of Pennsylvania Law School professor.
In addition, public areas such as parks and cafes are places of reposewhere people do not expect to be videotaped. Furthermore, suchsurveillance may have a chilling effect on people's exercise of theirFirst Amendment rights, Allen-Castellitto said.

According to documents obtained by EPIC under the Freedom ofInformation Act, out of the 39 times the National Park Service'shelicopter was used between July 2000 and May 2002, 23 instancesinvolved surveillance of political demonstrations. The Park Servicehas also announced plans to install surveillance cameras at the sitesit operates in Washington, DC, including the Washington Monument,
before the end of 2002.

Observing Surveillance:

EPIC maintains a website on face recognition and other surveillancetechnologies at:

[7] EPIC Bookstore - Overseers of the Poor

Overseers of the Poor: Surveillance, Resistance, and the Limits ofPrivacy, by John Gilliom.

Poor people have less of everything. Less autonomy, less socialmobility, and as Professor John Gilliom of Ohio University illustratesin his second book on surveillance, less privacy. Gilliom, ininterviews with fifty mothers on welfare from the Appalachian Ohioarea, details the surveillance programs used by the state to determineeligibility and worthiness for aid. He surveys the history of welfaresurveillance, noting that government inquiry into recipients' liveshas always been intense, but that it has been limited by technologicalabilities and the social norms of the times.

With increased dependence on the Social Security Number (SSN), thegovernment has been able to engage in pervasive tracking of aidrecipients. Now, with the requirement that states implementElectronic Benefits Transfer (EBT) by October 2002, aid recipients areissued benefits cards that facilitate government tracking of allpurchases. Combined with personal interviews delving into matterssuch as romantic relationships, this results in a comprehensivetracking system that subjects the poor "to forms and degrees ofscrutiny matched only by the likes of patients, prisoners, andsoldiers."

Gilliom provides firsthand accounts of the humiliation brought to bearby individuals watched by the state. Gilliom argues that traditionalnotions of privacy do not adequately describe the total surveillancein which the poor exist. He argues that a new language is needed todescribe the system of control that surveillance systems place onsociety: a language that explicitly recognizes surveillance as a toolof social control. He suggests that as a solution to thishumiliation, aid recipients themselves have to be involved in definingthe goals and framework of the welfare system.

While writing Overseers of the Poor, Gilliom himself attracted thegaze of the surveillance state. Police searched his home afterfinding a patch of marijuana located one-third of a mile from his homeon land that he didn't even own. He describes in personal terms thetrauma that the innocent can suffer in cleaning a home ransacked bypolice and in the possibility of losing one's home and employment. Heargues that the search of his home was a profound violation ofprivacy, but that the advice of his attorney to avoid public activismand criticism of the police was worse.

- Chris Hoofnagle

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Lawsand Developments," (EPIC 2001). Price: $20.

This survey, by EPIC and Privacy International, reviews the state ofprivacy in over fifty countries around the world. The survey examinesa wide range of privacy issues including, data protection, telephonetapping, genetic databases, ID systems and freedom of informationlaws.

"The Privacy Law Sourcebook 2001: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20.

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

** The Public Voice in Internet Policy Making. June 22, 2002.
Washington, DC. The Electronic Privacy Information Center (EPIC) willhost a one-day public symposium to discuss the future of our rightsand freedoms in the information age. The event is being hosted inconjunction with INET 2002 and is free and open to the public. Formore information: **

Big Brother Is Watching: The Independent Policy Forum. The IndependentInstitute. June 6, 2002. Oakland, CA. For more information:

Save Privacy: Grenzverschiebungen im Digitalen Zeitalter. The HeinrichBöll Foundation. June 7-8, 2002. Berlin, Germany. For moreinformation:

Second Annual Information, Networks and Technology Institute. BerkeleyCenter for Law and Technology, University of Texas School of Law. June13-14, 2002. San Jose, CA. For more information:

Privacy Paradox: The Gain of Security vs. Privacy's Loss. StrategicResearch Institute. June 17-18, 2002. Chicago, IL. For moreinformation:

INET 2002. Internet Crossroads: Where Technology and Policy Intersect.
Internet Society. June 18-21, 2002. Washington, DC. For moreinformation:

Third Annual Institute on Privacy Law. Practising Law Institute. June24-25, New York, NY. For more information:

IViR International Copyright Law Summer Course. Royal NetherlandsAcademy of Arts and Sciences. July 8-12, 2002. Amsterdam, Netherlands.
For more information:

O'Reilly Open Source Convention. O'Reilly and Associates. July 22-26,
2002. San Diego, CA. For more information:

Cyberwar, Netwar and the Revolution in Military Affairs: Real Threatsand Virtual Myths. International School on Disarmament and Research onConflicts (ISODARCO). August 3-13, 2002. Trento, Italy. For moreinformation:

ILPF Conference 2002: Security v. Privacy. Internet Law & PolicyForum. September 17-19, 2002. Seattle, WA. For more information:

Privacy2002. Technology Policy Group. September 24-26, 2002.
Cleveland, OH. For more information:

IAPO Privacy & Security Conference. International Association ofPrivacy Officers. October 16-18, 2002. Chicago, IL. For moreinformation:

18th Annual Computer Security Applications Conference (ACSAC):
Practical Solutions to Real Security Problems. Applied ComputerSecurity Associates. December 9-13, 2002. Las Vegas, NV. For moreinformation:

Third Annual Privacy Summit. International Association of PrivacyOfficers. February 26-28, 2003. Washington, DC. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:

Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

Subject: "help" (no quotes)

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email addressfrom this list, please follow the above instructions under"subscription information". Please contact if you wouldlike to change your subscription email address, if you areexperiencing subscription/unsubscription problems, or if you have anyother questions.

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information,
e-mail, or write EPIC, 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learnLatin at the same time! Receive a free "sed quis custodietipsos custodes?" coffee mug with donation of $75 or more.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 9.11


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback