WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2002 >> [2002] EPICAlert 17

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 9.17 [2002] EPICAlert 17


Volume 9.17 September 20, 2002

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Groups Urge Secret Appeals Court to Reject Expanded Spying Powers
[2] Bush Administration Releases Cyber Security Plan
[3] EPIC Testifies Before Congress on Preventing SSN Misuse
[4] FCC Approves Rulemaking on Telephone Consumer Protection Act
[5] Coalition Urges FTC to Adopt Effective Strategy for Passport
[6] Groups File Brief Opposing Identification of ISP Subscriber
[7] EPIC Bookstore - Litigation Under the Federal Open Government Laws
[8] Upcoming Conferences and Events

[1] Groups Urge Secret Appeals Court to Reject Expanded Spying Powers

EPIC today joined with a coalition of civil liberties groups to urge asecret appeals court to reject a government bid for broadly expandedpowers to conduct "national security" surveillance on U.S. citizens.
In a "friend of the court" brief filed with the Foreign IntelligenceSurveillance Court of Review (FISCR), the groups said that expandingsuch powers would jeopardize fundamental constitutional interests,
"including the First Amendment right to engage in lawful publicdissent, and the warrant, notice, and judicial review rightsguaranteed by the Fourth and Fifth Amendments."

At issue in the case is whether new Justice Department surveillancerules seeking to use looser foreign intelligence standards to conductcriminal investigations in the United States are constitutional andpermissible under the USA PATRIOT Act adopted by Congress after theSeptember 11 terrorist attacks. The civil liberties brief urges theFISCR to uphold a decision of the Foreign Intelligence SurveillanceCourt, which in May unanimously rejected the government's bid forexpanded powers. In its decision, the intelligence court documentedabuses of "national security" warrants by both the Bush and ClintonAdministrations, including serious errors in approximately 75applications for foreign intelligence surveillance (see EPIC Alert9.16).

At a hearing last week, members of the Senate Judiciary Committee,
which has oversight of the Justice Department, also condemned thegovernment's position. "We need to do our work well and ensure thatdomestic surveillance is aimed at true national security targets anddoes not simply serve as an excuse to violate the Constitutionalrights of our own citizens," said Committee Chairman Patrick J. Leahy(D-VT). "The abuses of the past are far too fresh simply to surrenderto the executive branch unfettered discretion to determine the scopeof these changes."

After the lower court's decision was made public in late August, thecivil liberties groups notified the FISCR that they intended to file abrief. The groups had hoped to submit their brief before the appealscourt met to review the case, but the secret court met on September 9and only the government was allowed to present arguments. EPIC joinedthe American Civil Liberties Union, Center for Democracy andTechnology, Center for National Security Studies, Electronic FrontierFoundation, and the Open Society Institute in submitting today'sbrief.

The civil liberties amicus brief is available at:

Background information on the Foreign Intelligence Surveillance Act,
including the current controversy, is available at:

The text of the USA PATRIOT ACT is available at:

[2] Bush Administration Releases Cyber Security Plan

Amid tight security on pre-publication, the President's CriticalInfrastructure Protection Board on September 18 released its firstpublic draft of the National Strategy to Secure Cyberspace at a jointgovernment-industry press event at Stanford University. The WhiteHouse claimed the draft plan "was developed in close collaborationwith key sectors of the economy that rely on cyberspace, State, andlocal governments, colleges and universities, and concernedorganizations."

Among the initiatives called for in the strategy are the creation of aNorth American "Cyber Safe Zone," extension of the Council of EuropeCybercrime Convention to other countries not currently signatories tothe Convention, and the promotion of "national and international watchand warning" and a "global 'culture of security.'" Identifiable"cyber points of contact" are also encouraged in the plan.

The plan separates cyberspace into five levels: 1) Home users andsmall businesses; 2) Major private enterprises; 3) Various sectors ofthe national information infrastructure; 4) National Priorities; and5) Global.

The draft represents an ongoing work in progress that is subject tochange and modification, according to White House sources. Earlierdrafts of the plan were viewed by the private sector, particularly thewireless industry and Internet Service Providers, as unreasonablymandating government-induced security standards.

Contrary to earlier reports, the National Strategy does not containrequirements of data retention or any other data collection/datamining requirements by ISPs or other IT service providers.
Significantly, unlike previous versions of the plan, the current draftstrategy does not call for the creation of a Federal privacy "czar"

Comments on the plan are invited until November 18, 2002. They may bee-mailed to

The draft National Strategy to Secure Cyberspace is available at:

[3] EPIC Testifies Before Congress on Preventing SSN Misuse

At a joint hearing before two House subcommittees, EPIC legislativecounsel Chris Hoofnagle urged Congress to create a comprehensive setof limitations on the collection and use of the Social Security Number(SSN). The hearing, chaired by Rep. Clay Shaw (R-FL), focused on"Preserving the Integrity of Social Security Numbers and PreventingTheir Misuse by Terrorists and Identity Thieves." Representativesfrom the Social Security Administration, the Federal Bureau ofInvestigation, and the Secret Service also testified before thecommittee.

EPIC's testimony covered recent developments in identity theft, stateattempts to limit the SSN, and federal legislation designed to stemSSN use. According to the Privacy Rights Clearinghouse,
500,000-700,000 persons are affected by identity theft annually. Thetoll on victims is burdensome -- most victims do not discover thattheir identities have been stolen until many months after the crimehas occurred. Victims spend hundreds of hours and substantial sums ofmoney fixing their credit rating.

Two states, California and Georgia, have recently passed legislationto limit the use of SSNs. In California, Senate Bill 168 was signedinto law in October 2001. The bill prohibits public posting of SSNsand the printing of SSNs on identity cards or documents used to obtaina product or service. The bill also prohibits businesses fromprinting SSNs on invoices or bills sent through the mail. In Georgia,
businesses are now required to safely dispose of records that containpersonal identifiers. Business records -- including data stored oncomputer hard drives -- must be shredded or, in the case of electronicrecords, completely wiped clean where they contain SSNs, driver'slicense numbers, dates of birth, medical information, accountbalances, or credit limit information. The Georgia law carriespenalties up to $10,000.

EPIC praised H.R. 2036, the Social Security Number Privacy andIdentity Theft Prevention Act of 2001, which was introduced by Rep.
Shaw and enjoys bipartisan support. The bill would establishmeaningful restrictions on the sale and display of SSNs, anddiscourage the use of the identifier in the private sector.

EPIC's Testimony:

Hearing Notice and Links to Witness Testimony:

H.R. 2036, Social Security Number Privacy and Identity TheftPrevention Act of 2001:

[4] FCC Approves Rulemaking on Telephone Consumer Protection Act

The Federal Communications Commission (FCC) has approved a notice ofproposed rulemaking (NPRM) on the Telephone Consumer Protection Act of1991 (TCPA), a federal law that regulates telemarketing and faxadvertising. The NPRM solicits comments on a series of telemarketingissues, including automatic dialers, prerecorded voice telemarketing,
unsolicited fax advertising, and whether the FCC should create anational do-not-call (DNC) list. The TCPA authorized the FCC tocreate a DNC list ten years ago, but the agency declined to do so.
Instead, the FCC adopted a "company-specific" DNC list that requiresindividuals to opt-out from each business that engages intelemarketing.

The Direct Marketing Association (DMA) has opposed the creation of DNClists, arguing that its opt-out list, the "Telephone PreferenceService" (TPS), adequately protects consumers. However, the TPS onlyapplies to DMA members. Enrollment in the TPS is burdensome, as theDMA allows a free opt-out only to those who send in a letter by postalmail. Additionally, states have been far more effective infacilitating convenient enrollment in DNC lists. Many states offerfree Internet enrollment, but the DMA continues to charge $5 for thesame service.

Earlier this year, the Federal Trade Commission (FTC) sought publiccomment on telemarketing practices and on whether that agency shouldcreate a national DNC list. The FCC voted 4-0 to examine these sameissues, marking a willingness to cooperate with FTC in order to createmore comprehensive protections against telemarketing. The mood of theFCC commissioners was favorable to empowering individuals to exercisecontrol over telemarketing solicitations. Commissioner Michael Coppssaid, "Unrestricted telemarketing has gone beyond being a nuisance andbecome in many cases an invasion of privacy."

FCC NPRM on Regulations Implementing the Telephone Consumer ProtectionAct of 1991:

EPIC's Telemarketing Page:

[5] Coalition Urges FTC to Adopt Effective Strategy for Passport

In comments to the Federal Trade Commission (FTC), EPIC and acoalition of privacy organizations urged the agency to amend itsConsent Order regarding Microsoft Passport to include greater privacyprotections. In July and August 2001, EPIC and a coalition of privacyorganizations filed complaints with the FTC describing privacy andsecurity risks inherent in the Microsoft Passport identification andauthentication system. The FTC began an investigation into Passport,
and in July 2002, issued a Complaint and Consent Order finding fourviolations of federal consumer protection law (see EPIC Alert 9.15).

The Consent Order requires Microsoft to implement a new informationsecurity program that is audited by an independent third-party. Thecompany must reassess this security program every two years. Microsoftis also barred from making misrepresentations about the security orprivacy of Passport.

The groups made four recommendations to the FTC to ensure effectiveimplementation of the Consent Order. First, the groups requested thatthe security audits of Passport be made available to the public, andthat individuals be given access to their entire Passport profile.
Second, the groups recommended that the FTC examine AOL'sauthentication system, the "Screen Name Service," and Project Liberty,
which is currently under development. Third, the groups recommendedthat the FTC ensure Microsoft is complying with the EU-US Safe Harbor.
Last, the groups requested the FTC to establish limitations on thefunctions of Passport. Without limitations on the functions thatPassport performs and the information that Passport collects, Passportbecomes an increasingly attractive and lucrative target for malicioushackers.

EPIC's Comments on the Microsoft Passport Consent Order:

EPIC's "Sign Out of Passport" Page:

FTC Consent Order Page:

[6] Groups File Brief Opposing Identification of ISP Subscriber

EPIC and a coalition of civil liberties groups filed an amicus briefin late August challenging the Recording Industry Association ofAmerica (RIAA)'s attempt to identify a Verizon ISP subscriber. Thebrief argues that a portion of the Digital Millennium Copyright Act(DMCA) unconstitutionally violates individuals' right to anonymouscommunications.

The case arose after Verizon refused to comply with a subpoena sent bythe RIAA in July, compelling the ISP to release the name of a customeraccused of illegally trading hundreds of songs. RIAA filed suitseeking to have a court enforce the subpoena and force Verizon todisclose the customer's name. The RIAA's subpoena was sent pursuantto a provision of the DMCA that permits a copyright owner to send asubpoena (without filing a lawsuit) ordering a "service provider" toturn over information about a subscriber.

The amicus brief states that the provision violates the right ofAmericans to be anonymous online: "Purported copyright owners shouldnot have the right to violate protected, anonymous speech with whatamounts to a single snap of the fingers." The amicus brief (as wellas Verizon's brief, which opposes RIAA's motions mostly on proceduralgrounds) maintains that the RIAA has the right to unmask a truecopyright infringer, but argues that common civil procedure rules havealways provided sufficient routes for obtaining such information.

If copyright owners were permitted to use the DMCA's subpoena processto assail peer-to-peer pirates, the amicus brief argues, the combinednumber of notices and subpoenas that Internet providers would have toprocess could easily reach into the millions annually.

The coalition's Amicus Brief is available at:

Verizon's Brief is available at:

[7] EPIC Bookstore - Litigation Under the Federal Open Government Laws


Litigation Under the Federal Open Government Laws 2002570 pages, $40.00

"Deserves a place in the library of everyone who is involved in, or thinking about, litigation under the Freedom of Information Act."

- Steve Aftergood Federation of American Scientists

This is the standard reference work covering all aspects of theFreedom of Information Act, the Privacy Act, the Government in theSunshine Act, and the Federal Advisory Committee Act. EPIC haspublished the book jointly with Access Reports and the James MadisonProject.

This 21st edition fully updates the manual that lawyers, journalistsand researchers have relied on for more than 25 years. It is editedby Harry Hammitt of Access Reports, David L. Sobel of EPIC, and MarkS. Zaid of the James Madison Project. The book draws upon theexpertise of practicing attorneys who are recognized leaders in thefield.

Appendices include the text of the relevant acts, and sample pleadingsfor litigators. "Litigation Under the Federal Open Government Laws2002" adheres to the same high standards as previous editions and isintended as a guide for FOIA requesters and plaintiff litigators. Forthose who litigate open government cases (or need to learn how tolitigate them), this is an essential reference manual.

EPIC Publications:

"Privacy & Human Rights 2002: An International Survey of Privacy Lawsand Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state ofprivacy in over fifty countries around the world. The survey examinesa wide range of privacy issues including data protection, telephonetapping, genetic databases, video surveillance, location tracking, IDsystems and freedom of information laws.

"The Privacy Law Sourcebook 2001: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

Civil Liberties Under Attack -- One Year Later. National LawyersGuild; Refuse & Resist. September 7, 2002. Los Angeles, CA. For moreinformation:
IT and Law. University of Geneva, University of Bern, SwissAssociation of IT and Law. September 9-10, 2002. Geneva, Switzerland.
For more information:

Observing Surveillance. Photo Exhibit. September 12, 2002. Washington,
DC. For more information:

ILPF Conference 2002: Security v. Privacy. Internet Law & PolicyForum. September 17-19, 2002. Seattle, WA. For more information:

The Biometric Consortium Conference (BC2002). Biometric Consortium.
September 23-25, 2002. Arlington, VA. For more information:

Privacy2002: Information, Security & New Global Realities. TechnologyPolicy Group. September 24-26, 2002. Cleveland, OH. For moreinformation:

Privacy Management Summit. Privastaff. September 25, 2002. San Jose,
CA. For more information:

Commercialization of Human Genomics: Consequences for Science andHumanity. Duke University Center for Genome Ethics, Law, and Policy.
September 27-28, 2002. Durham, NC. For more information:

Privacy in Ubicomp 2002: Workshop on Socially-informed Design ofPrivacy-enhancing Solutions in Ubiquitous Computing. Held as part ofUBICOMP 2002. September 29, 2002. Goeteborg, Sweden. For moreinformation:

Shrinking World, Expanding Net. Computer Professionals for SocialResponsibility (CPSR). October 5, 2002. Cambridge, MA. For moreinformation:

Bridging the Digital Divide: Challenge and Opportunities. 3rd WorldSummit on Internet and Multimedia. October 8-11, 2002. Montreux,
Switzerland. For more information:

2002 WSEAS International Conference on Information Security (ICIS'02). World Scientific and Engineering Academy and Society. October14-17, 2002. Rio de Janeiro, Brazil. For more information:

IAPO Privacy & Security Conference. International Association ofPrivacy Officers. October 16-18, 2002. Chicago, IL. For moreinformation:

Privacy Trends: Complying With New Demands. Riley Information ServicesInc. and the Commonwealth Centre for Electronic Governance. October22, 2002. Ottawa, Canada. For more information:

3rd Annual Privacy and Security Workshop: Privacy & Security: TotallyCommitted. Centre for Applied Cryptographic Research, University ofWaterloo and the Information and Privacy Commissioner/Ontario.
University of Toronto. November 7-8, 2002. Toronto, Canada. For moreinformation:

First Hawaii Biometrics Conference. Windward Community College,
Pacific Center for Advanced Technology Training (PCATT). November10-13, 2002. Waikiki, HI. For more information:

Transformations in Politics, Culture and Society. Inter-
Disciplinary.Net. December 6-8, 2002. Brussels, Belgium. For moreinformation:

18th Annual Computer Security Applications Conference (ACSAC):
Practical Solutions to Real Security Problems. Applied ComputerSecurity Associates. December 9-13, 2002. Las Vegas, NV. For moreinformation:

Third Annual Privacy Summit. International Association of PrivacyOfficers. February 26-28, 2003. Washington, DC. For more information:

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy.
Association for Computing Machinery (ACM). April 1-4, 2003. New York,
NY. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:

Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

Subject: "help" (no quotes)

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email addressfrom this list, please follow the above instructions under"subscription information". Please contact if you wouldlike to change your subscription email address, if you areexperiencing subscription/unsubscription problems, or if you have anyother questions.

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information,
e-mail, or write EPIC, 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learnLatin at the same time! Receive a free "sed quis custodietipsos custodes?" coffee mug with donation of $75 or more.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 9.17


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback