WorldLII [Home] [Databases] [WorldLII] [Search] [Feedback]

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2002 >> [2002] EPICAlert 19

[Database Search] [Name Search] [Recent Alerts] [Noteup] [Help]

EPIC Alert 9.19 [2002] EPICAlert 19 (17 October 2002)







EPIC ALERT




Volume 9.19 October 17, 2002

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_9.19.html


Table of Contents



[1] Memo Reveals FBI National Security Wiretap Violations
[2] Court Hears Argument in Warrant Service Procedure Case
[3] Public Interest Registry (PIR) To Operate .ORG
[4] EPIC, Junkbusters Urge AGs to Protect Privacy of Amazon Booklists
[5] National Research Council Report Finds Polygraph Testing Flawed
[6] House Passes Measure Requiring Agencies to Report Privacy Risks
[7] EPIC Bookstore - First Anniversary of the USA PATRIOT Act
[8] Upcoming Conferences and Events


[1] Memo Reveals FBI National Security Wiretap Violations


A recently released FBI memo provides the latest evidence that theBureau has frequently overstepped its legal bounds when conductingintrusive national security surveillance. The document, which waswritten in April 2000 and originally classified as "secret," revealsthat FBI agents illegally videotaped suspects, intercepted e-mailwithout court permission, recorded the wrong phone conversations, andconducted "unauthorized searches." The incidents detailed in the memoinvolved cases requiring warrants under the Foreign IntelligenceSurveillance Act (FISA).

The declassified document was obtained by Rep. William Delahunt(D-MA), with the assistance of EPIC. The existence of the memo wasfirst revealed in an FBI document obtained by EPIC earlier this yearthrough its Freedom of Information Act lawsuit for informationconcerning the Bureau's controversial Carnivore Internet surveillancesystem (see EPIC Alert 9.11). That earlier disclosure, which showedthat an anti-terrorism investigation involving Osama bin Laden washampered by technical flaws in the Carnivore system, alluded to aseparate document discussing other "FISA mistakes." EPIC worked withRep. Delahunt's office to seek disclosure of the "mistakes" memo.

The latest disclosure comes as the Foreign Intelligence SurveillanceCourt of Review (FISCR), in its first proceeding since being createdin 1978, is considering the legality of new Justice Departmentsurveillance rules. DOJ has asked the FISCR to overturn a decision ofthe Foreign Intelligence Surveillance Court, which in May unanimouslyrejected the government's bid for expanded powers. In its decision,
the intelligence court documented abuses of "national security"
warrants by both the Bush and Clinton Administrations, includingserious errors in approximately 75 applications for foreignintelligence surveillance (see EPIC Alert 9.16).

The newly disclosed "mistakes" memo reveals errors that extend beyondthose detailed by the surveillance court in May, which concerned FBImisrepresentations in applications for surveillance warrants. The new"mistakes" involve the manner in which surveillance activities wereactually conducted, a potentially more serious issue as the incidentsappear to involve violations of both FISA and the Fourth Amendment.

The FBI "FISA mistakes" memo is available at:

http://www.epic.org/privacy/terrorism/fisa/FISA-mistakes.pdf

Background information (including selected documents) on EPIC'sCarnivore FOIA litigation is available at:

http://www.epic.org/privacy/carnivore/

Background information on FISA is available at:

http://www.epic.org/privacy/terrorism/fisa/



[2] Court Hears Argument in Warrant Service Procedure Case


On October 10, the Eighth Circuit held oral arguments in United Statesv. Bach, a case examining how the Fourth Amendment protects storede-mail and other files held by Internet Service Providers (ISPs). Theissue raised is whether a police officer's presence is required duringservice of a search warrant on an ISP.

EPIC filed an amicus brief in the case, arguing that police officerpresence is required during the service of a warrant on an ISP. Thecase arose after Yahoo! was "served" with a search warrant by fax, aprocedure that EPIC argues does not adequately safeguard the FourthAmendment guarantee of a "reasonable" search. EPIC's brief detailsthe history of U.S. search and seizure law, which has mandated officerpresence at the site of the service of a warrant since the 1700s.

The district court suppressed the evidence, stating that the lawenforcement practice of faxing search warrants for the contents ofe-mails to ISPs violated the Constitution because the Fourth Amendmentrequired the government to be physically present to execute thewarrant. The government appealed to the circuit court.

At oral argument, the government's attorney urged the court to resolvethe question on narrow reasonableness grounds, without addressing thebroader issue of whether an Internet user has an expectation ofprivacy in remotely stored files held by an ISP.

For more information on the case, see EPIC's Bach Page:

http://www.epic.org/privacy/bach/

Recordings of the oral arguments and other files are available throughthe Web site of the U.S. Court of Appeals for the 8th Circuit:

http://www.ca8.uscourts.gov/tmp/021238.html



[3] Public Interest Registry (PIR) To Operate .ORG


The Internet Corporation for Assigned Names and Numbers (ICANN) hasselected the proposal of the Internet Society (ISOC) for the operationof the .org top-level domain, beginning January 1, 2003. The PublicInterest Registry (PIR), established by ISOC, will be the registryoperator. EPIC President Marc Rotenberg was named as one of thefounding board members of PIR.

ICANN launched a bid solicitation and evaluation process last April.
Eleven bids were received in response to a request for proposals. Aspart of the evaluation, two evaluation teams focused on technicalissues. Another team, provided by ICANN's Non Commercial Domain NameHolders Constituency (NCDNHC), focused on the effectiveness of theproposals to address the particular needs of the .org registry.
Additional input came from comments by the public and the applicantsthemselves.

ICANN is re-assigning the .org registry under a revised agreementamong ICANN, VeriSign, and the U.S. Department of Commerce that wassigned in May 2001. Under that agreement, VeriSign was permitted tokeep its registrar business, NSI, provided that it agreed torelinquish .org at the end of December 2002, and subject to otherprovisions of the revised agreements. As part of those revisedagreements, VeriSign agreed to endow the new operator with $5 millionto help fund operating costs, provided that the new operator was anot-for-profit organization.

ISOC's .ORG Bid:

http://www.isoc.org/dotorg/

ICANN Announcement:

http://www.icann.org/announcements/announcement-14oct02.htm

ISOC Announcement:

http://www.isoc.org/isoc/media/releases/021014pr.shtml



[4] EPIC, Junkbusters Urge AGs to Protect Privacy of Amazon Booklists


EPIC and Junkbusters Corp. have sent a letter to state AttorneysGeneral (AGs) urging them to protect the privacy of Amazon.com'spatrons. Specifically, the groups requested that Amazon.com beblocked from selling customers' booklists; that customers beguaranteed a right of access to and deletion of sales records; andthat the company undergo an audit of its information practices. Theletter was sent in response to a statement made by Amazon.com to theAGs in which the company indicated that it might sell customer recordsin the event of an acquisition or bankruptcy.

EPIC and Junkbusters noted that in other contexts, the same bookliststhat Amazon.com holds enjoy statutory and Constitutional protections.
Circulation records held by libraries are covered by privacy laws orregulations in all states, and by systems that can expunge records ofbook borrowing. The groups also noted that in a recent case beforethe Colorado Supreme Court, it was held that a release of book recordsto law enforcement would violate readers' First Amendment rights.

The Massachusetts AG responded to the letter, encouraging Amazon.comto reply to the suggestions made by EPIC and Junkbusters. The AGstatement clarifies that individuals who have sent e-mail to"neveramazon.com" to opt out of all information sharing will not havetheir records sold.

Amazon.com changed its privacy policy in September 2000 to allow thecompany to sell customer records in the event of a businessacquisition or bankruptcy. Previously, Amazon.com had promised thatit would not sell or rent consumers' information. As a result of thatchange, EPIC severed its "affiliate" relationship with the company andfiled a complaint with the FTC alleging that Amazon.com violatedfederal consumer protection law.

EPIC and Junkbusters Corp. Letter to the State Attorneys General:

http://www.epic.org/privacy/amazon/amazonltr10.8.02.html

Massachusetts Attorney General's Response:

http://www.epic.org/privacy/amazon/agresponse10.8.02.pdf



[5] National Research Council Report Finds Polygraph Testing Flawed


The National Academies' National Research Council recently conducted astudy of the reliability and scientific soundness of using polygraphtesting to identify spies or other national security risks inscreening prospective and current employees, and reported thatpolygraph test results are unreasonably inaccurate when used in thismanner. The U.S. Department of Energy and other federal agencies arerequired by law to test employees in sensitive positions.

While the accuracy of a polygraph may be satisfactory forinvestigation of specific, identifiable events (e.g. specific crimes),
its accuracy is inadequate for screening employees for the followingreasons: (1) examiners ask nonspecific questions during screenings,
since the examiners do not know what security risks the examinee maybe hiding; and (2) the test flags large numbers of truthful testtakers as lying, while failing to spot actual security risks. In apopulation of 10,000 employees, including 10 spies, a polygraphsensitive enough to detect eight spies would result in 1,598 falsepositives.

The report also raises scientific objections: namely, that theoriesabout the link between deception and the corresponding physiologicaleffects being measured (e.g. breathing rates, sweating and bloodpressure) have not been subjected to vigorous scientific study and aretherefore unverified. The polygraph test is especially susceptible toerror because a number of psychological and physical factors can havean effect on test results. Worse yet, deceptive individuals, withsufficient incentive and resources, can learn to duplicate thephysiological responses of truthful test takers.

For these reasons, the study concluded that the federal governmentshould not rely on polygraph tests for screening employees to identifynational security risks. Congress recommended that the Department ofEnergy devise a new plan to screen employees that would take thestudy's findings into account.

For the full report, see National Research Council, The Polygraph andLie Detection (2002):

http://www.nap.edu/books/0309084369/html/



[6] House Passes Measure Requiring Agencies to Report Privacy Risks


The House of Representatives has passed H.R. 4561, the Federal AgencyProtection of Privacy Act (FAPPA). Introduced by Rep. Bob Barr(R-GA), the measure would require all federal agencies to articulatehow new regulations will affect privacy interests. A companion billhas been introduced as S. 2492 in the Senate by Sen. Max Cleland(D-GA).

The bill would require agencies to issue an initial privacy impactanalysis when publishing a rulemaking. The initial analysis follows astrong framework of Fair Information Practices (FIPs) by explaininghow the agency plans to collect, use, secure, disclose, and preventsecondary use of personal information. The agency must also explainhow an individual can gain access to and correct information held bythe agency under the proposed rule. Additionally, agencies mustconsider significant alternatives to the proposed rule to minimizeprivacy risks.

Upon promulgating a rule, the bill would require the agency to issue afinal privacy impact analysis. This final report would assessinformation practices explained in the initial analysis, summarize anypotential risks raised by comments from the public, and describe howthe agency has taken steps to minimize privacy risks.

The bill also calls for periodic review of rules to determine whetherpolicies can be changed to be less invasive of individual privacy.
Individuals adversely affected by agency action would be able to sueunder the FAPPA. In such a case, the court could require the agencyto reevaluate the privacy implications of the rule, or to blockenforcement of the rule altogether.

H.R. 4561, Federal Agency Protection of Privacy Act (House Version):

http://thomas.loc.gov/cgi-bin/query/z?c107:H.R.4561:

S. 2492, Federal Agency Protection of Privacy Act (Senate Version):

http://thomas.loc.gov/cgi-bin/bdquery/z?d107:s.2492:



[7] EPIC Bookstore - First Anniversary of the USA PATRIOT Act


October 26 marks the first anniversary of the passage of the USAPATRIOT Act. Two recently released monographs explain thesignificance of the legislative changes, providing historical contextfor assessing the administration's actions.

"Silencing Political Dissent: How Post-September 11 Anti-TerrorismMeasures Threaten Our Civil Liberties," by Nancy Chang of the Centerfor Constitutional Rights, is written to encourage readers to "jointhe growing movement to reclaim our civil liberties." Chang begins byproviding a quick tour of the history of political repression in theUnited States. The monuments in her tour will be familiar to many;
the clear thread running through the descriptions is that, in times ofuncertainty, ugly authoritarian impulses have invariably surfaced inAmerican society. She asserts that the USA PATRIOT Act underminescivil liberties in three key ways -- by adopting an overbroaddefinition of "domestic terrorism;" by reducing the expectation ofprivacy through expanded surveillance powers; and by eroding the dueprocess rights of non-citizens. Chang's book serves as a usefulprimer to the issues at stake in this new environment.

"The Enemy Within: Intelligence Gathering, Law Enforcement, and CivilLiberties in the Wake of September 11," a Century Foundation Report byStephen Schulhofer, takes a self-consciously pragmatic view on thesame subject. Schulhofer, a criminal law professor at NYU, asks threemain questions: Are the new measures effective? Are there adequatesafeguards? And are there better, less invasive alternatives?
Schulhofer's history tour focuses on the debates around civilliberties that have taken place in times of crisis, making the pointthat criticism was not only alive and well in those times, but thatthe courts at times even sided with the defenders of civil liberties.
The book's main contention is that the most significant threat tocivil liberties comes from the administration's thirst for uncheckedexecutive power. The manner in which the USA PATRIOT Act was rammedthrough Congress vividly emphasizes his point that the administrationshows little respect for the Constitution's built-in structuralsafeguards. Schulhofer concludes that the new measures have beenmarked by bad compromises, September 11 opportunism, and uncheckedexecutive power. He argues for countering these changes throughbetter checks and balances, and suggests a list of policy proposals toachieve this aim. "The Enemy Within" provides some much neededperspective for those in the trenches as well as for newcomers. Whilesome of Schulhofer's proposals might be controversial, the picture ofthe threat he paints is convincing and the need for action clear. AsChristopher Edley, Jr. said at the Century Foundation's book release,
the civil liberties guaranteed by the Constitution should be thefloor, not the ceiling, of what our society offers.

Silencing Political Dissent:

http://www.epic.org/bookstore/powells/redirect/alert919.html

The Enemy Within:

http://www.tcf.org/Publications/Detail.asp?ItemID=167

EPIC's Analysis of the USA PATRIOT Act:

http://www.epic.org/privacy/terrorism/usapatriot/



EPIC Publications:

"FOIA 2002: Litigation Under the Federal Open Government Laws," HarryHammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.
http://www.epic.org/bookstore/foia2002/

This is the standard reference work covering all aspects of theFreedom of Information Act, the Privacy Act, the Government in theSunshine Act, and the Federal Advisory Committee Act. The 21stedition fully updates the manual that lawyers, journalists andresearchers have relied on for more than 25 years. For those wholitigate open government cases (or need to learn how to litigatethem), this is an essential reference manual.



"Privacy & Human Rights 2002: An International Survey of Privacy Lawsand Developments" (EPIC 2002). Price: $25.
http://www.epic.org/bookstore/phr2002/

This survey, by EPIC and Privacy International, reviews the state ofprivacy in over fifty countries around the world. The survey examinesa wide range of privacy issues including data protection, telephonetapping, genetic databases, video surveillance, location tracking, IDsystems and freedom of information laws.



"The Privacy Law Sourcebook 2001: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40. http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.



"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.



"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.



"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.



EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore/

"EPIC Bookshelf" at Powell's Books http://www.powells.com/features/epic/epic.html



[8] Upcoming Conferences and Events


Privacy & Data Security Academy & Expo. International Association ofPrivacy Officers (IAPO). October 16-18, 2002. Chicago, IL. For moreinformation: http://www.privacyassociation.org/html/conferences.html

Privacy Law and Policy: Meeting the Challenges of Technology,
Terrorism, and Accountability. Council on Law in Higher Education(CLHE). October 20-22, 2002. Washington, DC. For more information:
http://www.clhe.org/programs/privacysymposium/

Paying Artists, Protecting Innovation: New Alternatives for Resolvingthe Digital Copyright Debate. Washington College of Law, AmericanUniversity. October 21, 2002. Washington, DC. For more information:
pjasziwcl.american.edu

Privacy Trends: Complying With New Demands. Riley Information ServicesInc. and the Commonwealth Centre for Electronic Governance. October22, 2002. Ottawa, Canada. For more information:
http://www.rileyis.com/seminars/

Secrecy, Freedom & Empire: Lessons for Today from Vietnam and thePentagon Papers. The Independent Institute. October 23, 2002.
Berkeley, CA. For more information:
http://www.independent.org/tii/forums/021023ipf.html

Symposium on Privacy and Security (SPS). Stiftung für Datenschutz undInformationssicherheit (SDI), Basel/Switzerland. October 30-31, 2002.
Zurich, Switzerland. For more information:
http://www.privacy-security.ch/

2nd Courtroom 21 Conference on Privacy and Public Access to CourtRecords. Courtroom 21 (College of William & Mary and the NationalCenter for State Courts). Williamsburg, VA. October 31-November 2,
2002. For more information: http://www.courtroom21.net/privacyconf/

3rd Annual Privacy and Security Workshop: Privacy & Security: TotallyCommitted. Centre for Applied Cryptographic Research, University ofWaterloo and the Information and Privacy Commissioner/Ontario.
University of Toronto. November 7-8, 2002. Toronto, Canada. For moreinformation: http://www.epic.org/redirect/cacr.html

First Hawaii Biometrics Conference. Windward Community College,
Pacific Center for Advanced Technology Training (PCATT). November10-13, 2002. Waikiki, HI. For more information:
http://biometrics.wcc.hawaii.edu/

Call for Papers: November 15, 2002. CFP2003: 13th Annual Conference onComputers, Freedom, and Privacy. Association for Computing Machinery(ACM). April 1-4, 2003. New York, NY. For more information:
http://www.cfp.org/

Transformations in Politics, Culture and Society. Inter-
Disciplinary.Net. December 6-8, 2002. Brussels, Belgium. For moreinformation: http://www.inter-disciplinary.net/tpcs1.htm

18th Annual Computer Security Applications Conference (ACSAC):
Practical Solutions to Real Security Problems. Applied ComputerSecurity Associates. December 9-13, 2002. Las Vegas, NV. For moreinformation: http://www.acsac.org/

O'Reilly Bioinformatics Technology Conference. February 3 - 6, 2003.
San Diego, CA. For more information:
http://conferences.oreilly.com/macosxcon/

Third Annual Privacy Summit. International Association of PrivacyOfficers. February 26-28, 2003. Washington, DC. For more information:
http://www.privacyassociation.org/html/conferences.html

O'Reilly Open Source Convention. July 7-11, 2003. Portland, OR. Formore information: http://conferences.oreilly.com/oscon/


Subscription Information


Subscribe/unsubscribe via Web interface:

http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via email:

To: epic_news-requestmailman.epic.org
Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

To: epic_news-requestmailman.epic.org
Subject: "help" (no quotes)

Back issues are available at:

http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.


Privacy Policy


The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email addressfrom this list, please follow the above instructions under"subscription information". Please contact infoepic.org if you wouldlike to change your subscription email address, if you areexperiencing subscription/unsubscription problems, or if you have anyother questions.


About EPIC


The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information,
e-mail infoepic.org, http://www.epic.org or write EPIC, 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

http://www.epic.org/donate/



Drink coffee, support civil liberties, get a tax deduction, and learnLatin at the same time! Receive a free epic.org "sed quis custodietipsos custodes?" coffee mug with donation of $75 or more.



Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 9.19


.


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.worldlii.org/int/journals/EPICAlert/2002/19.html