
EPIC Alert


EPIC Alert 9.23 [2002] EPICAlert 23


Volume 9.23 November 19, 2002

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Public Protest Over Pentagon Surveillance System Mounts
[2] Appeals Court Permits Broader Electronic Surveillance
[3] Homeland Security Bill Limits Open Government
[4] Circuit Court Approves Faxed Warrants
[5] DC City Council Attacks Camera System, Adopts Regulations
[6] California Passes Database Privacy Legislation
[7] EPIC Bookstore - Data Protection Law
[8] Upcoming Conferences and Events

[1] Public Protest Over Pentagon Surveillance System Mounts

The Pentagon's proposed "Total Information Awareness" (TIA) surveillance system is coming under increasing attack. In an open letter sent yesterday, a coalition of over 30 civil liberties groups urged Senators Thomas Daschle (D-SD) and Trent Lott (R-MS) to "act immediately to stop the development of this unconstitutional system of public surveillance." Newspapers across the country have written editorials castigating the program. The New York Times has said that "Congress should shut down the program pending a thorough investigation." The Washington Post wrote, "The defense secretary should appoint an outside committee to oversee it before it proceeds." William Safire's recent column, which played a major role in igniting the public outcry, called the surveillance system "a supersnooper's dream."

The TIA project is part of the Defense Advanced Research Projects Agency (DARPA)'s Information Awareness Office, headed by John Poindexter. The surveillance system purports to capture a person's "information signature" so that the government can track potential terrorists and criminals involved in "low-intensity/low-density" forms of warfare and crime. The goal of the system is to track individuals by collecting as much information about them as possible and using computer algorithms and human analysis to detect potential activity. The project calls for the development of "revolutionary technology for ultra-large all-source information repositories," which would contain information from multiple sources to create a "virtual, centralized, grand database." This database would be populated by transaction data contained in current databases, such as financial records, medical records, communication records, and travel records, as well as new sources of information. Intelligence data would also be fed into the database.

A key component of the project is the development of data mining or knowledge discovery tools that will sift through the massive amount of information to find patterns and associations. The surveillance plan will also improve the power of search tools such as Project Genoa, which Poindexter's former employer Syntek Technologies assisted in developing. The Defense Department aims to fund the development of more such tools and data mining technology to help analysts understand and even "preempt" future action. A further crucial component is the development of biometric technology to enable the identification and tracking of individuals. DARPA has already funded its "Human ID at a Distance" program, which aims to positively identify people from a distance through technologies such as face recognition and gait recognition. A nationwide identification system might also be of great assistance to such a project by providing an easy means to track individuals across multiple information sources.

The initial plan calls for a five year research project into these various technologies. According to the announcement soliciting industry proposals, the interim goal is to build "leave-behind prototypes with a limited number of proof-of-concept demonstrations in extremely high risk, high payoff areas." The FBI and the Transportation Security Administration (TSA) are also working on data mining projects that will merge commercial databases, public databases, and intelligence data. Documents obtained by EPIC through the Freedom of Information Act (FOIA) show that the developers of the new passenger profiling system in the TSA held meetings with Poindexter's team earlier this year. EPIC is currently involved in a FOIA lawsuit to obtain documents from the Information Awareness Office.

The coalition's letter to Senators Daschle and Lott is available at:

EPIC's Total Information Awareness Page:

Information Awareness Office's Total Information Awareness project description:

[2] Appeals Court Permits Broader Electronic Surveillance

The Foreign Intelligence Surveillance Court of Review issued an opinion this week broadly expanding the Justice Department's surveillance authority. The Court held that the Department of Justice could use looser foreign intelligence standards to conduct criminal investigations in the United States.

The Court of Review convened in September for the first time in its 23 year existence to hear the Justice Department's appeal of an unprecedented decision by the Foreign Intelligence Surveillance Court (FISC), a special panel of federal judges that oversees implementation of the Foreign Intelligence Surveillance Act (FISA). The extraordinary ruling, issued by the FISC in May, revealed a pattern of FBI misrepresentations to the FISC and cast serious doubt on the veracity and accuracy of claims made by the Justice Department and the FBI in support of requests for approval of national security and anti-terrorism surveillance. The court found that DOJ and FBI officials had submitted erroneous information in more than 75 applications for search warrants and wiretaps and had improperly shared intelligence information with agents and prosecutors handling criminal cases on at least four occasions.

As a result of these problems, the court refused to give DOJ the broad new surveillance powers it sought to employ after the September 11 terrorist attacks. Specifically, the FISC ruled that new procedures proposed by Attorney General John Ashcroft earlier this year would give DOJ prosecutors too much control over national security investigations and would allow the government to improperly use intelligence information for criminal cases, without the requisite showing of "probable cause." The court noted that it was rejecting the new DOJ procedures "to protect the privacy of Americans in these highly intrusive surveillances and searches."

The government argued in its appeal that the FISC failed to properly apply changes to FISA that were contained in the USA PATRIOT Act, which Congress enacted in the wake of the September 11 attacks. EPIC joined the American Civil Liberties Union, Center for Democracy and Technology, Center for National Security Studies, Electronic Frontier Foundation, and Open Society Institute in submitting an amicus brief that argued that expanding the executive branch's powers would jeopardize fundamental constitutional interests, "including the First Amendment right to engage in lawful public dissent, and the warrant, notice, and judicial review rights guaranteed by the Fourth and Fifth Amendments." (See EPIC Alert 9.17.)

The Court of Review's decision, released yesterday, permits the government to remove the separation that has long existed between officials conducting surveillance on suspected foreign agents and criminal prosecutors investigating crimes. The Court of Review concluded that the FISC read into FISA limitations on the Act's scope that never existed and appear nowhere in the statute. The court concluded that the changes to FISA under the USA PATRIOT Act are constitutional, although just barely:

Our case may well involve the most serious threat our country faces. Even without taking into account the President's inherent constitutional authority to conduct warrantless foreign intelligence surveillance, we think the procedures and government showings required under FISA, if they do not meet the minimum Fourth Amendment warrant standards, certainly come close.

Attorney General Ashcroft has announced that he intends to use FISA to sharply increase the number of domestic wiretaps.

EPIC and its coalition partners are considering a number of options in the wake of the appellate decision, including a potential request for the Supreme Court to review the decision, and urging Congress to amend FISA to reflect the opinion of the lower court that the Justice Department is not authorized to use FISA's looser surveillance standards in ordinary criminal cases.

The FISC Review Court is a special three-judge panel appointed by Chief Justice William H. Rehnquist in accordance with provisions of the Foreign Intelligence Surveillance Act. The judges are: Hon. Laurence H. Silberman of the U.S. Court of Appeals for the District of Columbia Circuit; Hon. Edward Leavy, U.S. Court of Appeals for the Ninth Circuit and Hon. Ralph B. Guy, Jr., U.S. Court of Appeals for the Sixth Circuit. All three judges were appointed by President Ronald Reagan.

The Court of Review's ruling is available at:

The civil liberties amicus brief is available at:

Background information on the Foreign Intelligence Surveillance Act, including information on the current controversy, the government's brief and the FISC's May 2002 Memorandum Opinion and Order, is available at:

[3] Homeland Security Bill Limits Open Government

The Senate is likely to approve a measure to create a cabinet-level Department of Homeland Security today or tomorrow. The legislation creating the department contains a number of provisions that will enhance government surveillance powers while limiting public access to government records and advisory committees. Limited privacy protections are included in the bill.

Section 225 of the Homeland Security Act of 2002 includes the entire text of the Cyber Security Enhancement Act (CSEA), which previously passed the House as a free-standing measure. The CSEA, originally sponsored by Representative Lamar Smith (R-TX), allows service providers to voluntarily provide government agents with access to the contents of customer communications without consent based on a "good faith" belief that an emergency justifies the release. The same section grants law enforcement the power to install pen register and trap and trace devices without a court order where there is an ongoing attack on a "protected computer." Any computer involved in interstate commerce or communications qualifies as a "protected computer." Further, section 225 introduces fines and 20-year prison terms for offenders who recklessly cause or attempt to cause serious bodily injury.

Section 891 contains the entire text of the Homeland Security Information Sharing Act (HSISA), another measure that passed the House earlier in the session as H.R. 4598. HSISA will facilitate the sharing of sensitive intelligence information with state and local authorities. Section 891 also allows greater sharing of grand jury information and the content of electronic intercepts with state and local authorities.

Title II of the bill broadly exempts "critical infrastructure information" (CII) voluntarily submitted to the Department of Homeland Security from the Freedom of Information Act. CII is information that relates to the operation of systems such as the national power grid and telecommunications networks. Once disclosed to the government, CII could not be used against the company in civil litigation, and government agents who disclose the information would be subject to criminal penalties and fines.

Section 871 allows the Department to form advisory committees with industry representatives that are exempt from the Federal Advisory Committee Act (FACA), an open government law. FACA promotes openness and accountability through requiring the recording of minutes, notice of meetings, procedures for holding open meetings, limits on special interests, and balance of viewpoints.

Limited privacy protections were included in the bill. Section 222 creates a privacy officer for the department charged with the responsibility of compliance with the Privacy Act, with formulating privacy impact assessments for rules proposed by the Department, and with preparing an annual report to Congress. Section 770 prohibits all federal agencies from implementing the Terrorism Information and Prevention System (TIPS). Section 815 prohibits the new Department from developing a national identification system or card.

H.R. 5710, The Homeland Security Act:

EPIC's February 26, 2002 Letter to the House Judiciary Committee,
regarding the CSEA:

EPIC's Critical Infrastructure Information Page:

EPIC's Open Government Page:

[4] Circuit Court Approves Faxed Warrants

The Eighth Circuit ruled this week that service of a warrant on an ISP by fax complies with the "reasonableness" requirements of the Fourth Amendment. The case was one of the first to address the issue of how the Fourth Amendment applies to the protection of stored e-mail and other files held by Internet Service Providers (ISPs).

The case arose after Yahoo! was "served" with a search warrant by fax, a procedure that EPIC argues does not adequately safeguard the Fourth Amendment guarantee of a "reasonable" search. The defendant had argued before the district court that the law enforcement practice of faxing the warrant to the ISP and having the ISP execute the warrant violated his Fourth Amendment rights. The district court agreed, holding that the Fourth Amendment requires the government to be physically present at the ISP during the execution of a search warrant. EPIC filed an amicus brief in the Eighth Circuit detailing that the history of U.S. search and seizure law has mandated officer presence at the site of the service of a warrant since the 1700s (see EPIC Alert 9.15).

The court resolved the case on the narrow ground that the government's actions were "reasonable," without deciding the broader issue of whether an Internet user has a Fourth Amendment expectation of privacy in their e-mail.

The Eighth Circuit's Opinion is available at:

For more information on the case, see EPIC's Bach Page:

Recordings of the oral arguments and other files are available through the Web site of the U.S. Court of Appeals for the 8th Circuit:

[5] DC City Council Attacks Camera System, Adopts Regulations

In an unexpectedly tight 7 to 6 vote on November 8, the DC City Council approved regulations governing the use of surveillance cameras by the Metropolitan Police Department (see EPIC Alert 9.20). Council members took the opportunity to lambast the police department for setting up the surveillance camera network without seeking prior approval from the City Council. Several members voiced their opposition to the "Orwellian potential" of the cameras and signaled their intention to kill the surveillance program altogether. Council member Jim Graham said, "These cameras have been set up to deal with demonstrations and dissent. This will have a chilling effect and discourage citizens from demonstrating openly here in the capital of the United States of America." Council member Sandy Allen, who held the swing vote, took particular care to note that her vote should not be seen as endorsing a surveillance network.

Council member Kathy Patterson is drafting permanent legislation to regulate the cameras and has proposed pilot programs to test the effectiveness of neighborhood surveillance cameras. There is a hearing scheduled for December 12, at which EPIC Executive Director Marc Rotenberg is expected to testify. Other council members might introduce legislation in the coming months to remove the surveillance camera network. Council member Adrian Fenty said at the hearing, "At first I thought Washington, because it's prone to more terrorist attacks, would be a place where visitors would want cameras, but I agree now with my colleagues who say Washington should be a beacon of freedom."

EPIC Alert readers, Washington residents, and other interested parties can participate in the public debate over the proposed legislation by continuing to send comments to Council members, either by e-mail to: <> or by postal mail to: Ms. Phyllis Jones, Secretary to the Council, Suite 5, John A. Wilson Building, 1350 Pennsylvania Avenue, N.W., Washington, DC 20004.

EPIC's Video Surveillance Page:

Observing Surveillance:

National Capital Area ACLU Web site:

[6] California Passes Database Privacy Legislation

A new law in California requires state agencies and businesses that own databases to disclose security breaches involving certain personal information. The bill comes in response to an April 2002 incident in which the records of over 200,000 state employees were accessed by a computer cracker. The California legislation exceeds federal protections, as there is no national requirement for notice to individuals when personal information is accessed without authorization.

Senate Bill 1386, sponsored by Senator Steve Peace (D-El Cajon), creates a notice requirement where there has been an unauthorized acquisition of an individual's name along with a Social Security Number, a driver's license number, or an account number and corresponding access code. The notice requirement is also triggered when there is a reasonable belief that a security breach occurred. Notice must be given "in the most expedient time," but may be delayed where it would impede a criminal investigation.

The law requires notice to be given to individuals in writing or electronically, in accordance with federal e-signature law. If the cost of notice were to exceed $250,000, or where over 500,000 people were affected by the security breach, notice could be delivered through a combination of e-mail, a conspicuous posting on the agency or company Web site, and notification of statewide media outlets. Agencies and companies could also create information security policies in advance of security breaches to address the notice requirement.

The law does not apply to non-computerized files, such as personal data stored on paper. Also, only California residents enjoy the law's protections. Californians can bring civil actions for damages and injunctive relief against entities that fail to comply with the law. The law takes effect on July 1, 2003.

Senator Peace has been a longtime state leader on privacy. As early as 1996, he attempted to pass a comprehensive information privacy bill in California.

Senate Bill 1386:

[7] EPIC Bookstore - Data Protection Law

Data Protection Law: Approaching its Rationale, Logic and Limits, by Lee A. Bygrave.

The field of data protection has evolved rapidly in the last ten years, leading to a wide array of laws and regulations around the world. These laws and regulations, although generally guided by the same fundamental principles established by international and European data protection conventions, adopt diverse solutions that denote confusion and incoherence when compared to each other. Lee A. Bygrave’s book, "Data Protection Law: Approaching its Rationale, Logic and Limits," helps to get the big picture of some of the most important principles that are embodied in the various data protection rules existing in Europe. Bygrave takes on the ambitious task of confronting several issues that the academic world has had trouble coming to terms with, one of which is trying to bridge the concepts of data protection and privacy.

"Data Protection Law" is organized into three parts, each analyzing the rationale, logic and limits of data protection laws. In doing so, it describes the origins, aims and purposes of data protection laws, sets out their basic regulatory mechanisms, and attempts to point out where those laws differ from other types of laws -- and to what extent their regulatory mechanisms may be ineffective. In the first section, Bygrave explains the kinds of interests and values that data protection laws promote; he then details the extent to which the processing of information on private collective entities should be regulated by these laws. In the final section, he proceeds to explain the ability of these laws to control profiling practices.

The book's principal interest resides in the main thesis that Bygrave tries to convey. An analysis of data protection regulations' rationale, logic and limits has to take into account what the author calls the "electronic interpenetration" of previously distinct spheres of activity. Greater dissemination of information across traditional organizational boundaries has made it more difficult to draft, implement and interpret data protection rules. Bygrave's aim is to provide privacy experts, lawyers and policymakers with a clearer picture of the shift that occurred from different levels of the data protection regulatory framework: from the individual to the collective and systemic, from the national to the inter- and supranational, and from the intra-organizational to the inter-organizational levels.

This book will be helpful for privacy scholars, regulators, policymakers, lawyers, and generally anyone who is interested in comparative privacy issues.

- Cédric Laurant

EPIC maintains a Web page on the issue of data retention at:

EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"Privacy & Human Rights 2002: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, video surveillance, location tracking, ID systems and freedom of information laws.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

Ninth ACM Conference on Computer and Communications Security (CCS). Association for Computing Machinery (ACM) Special Interest Group on Security, Audit, and Control (SIGSAC). November 18-22, 2002. Washington, DC. For more information:

The New Gatekeepers: A Conference on Free Expression in the Arts. Columbia University Graduate School of Journalism and National Arts Journalism Program. November 20-21, 2002. New York, NY. For more information:

eSafe Programme 2003-2004 -- Hearing on Options & Requirements. European Commission. November 27-28, 2002. Kirchberg, Luxembourg. For more information:

International Conference: Privacy: Cost to Resource. Safeguards for Citizens, Opportunities for Businesses: Advantages of a Privacy-Oriented Market. Garante per la Protezione dei Dati Personali (Italian Data Protection Commission). December 5-6, 2002. Rome, Italy. For more information:

Transformations in Politics, Culture and Society. Inter-Disciplinary.Net. December 6-8, 2002. Brussels, Belgium. For more information:

18th Annual Computer Security Applications Conference (ACSAC): Practical Solutions to Real Security Problems. Applied Computer Security Associates. December 9-13, 2002. Las Vegas, NV. For more information:

Call for Proposals: December 13, 2002. O'Reilly Emerging Technology Conference. April 22-25, 2003. Santa Clara, CA. For more information:

Government Convention on Emerging Technologies. Defending America Together: The New Era. Government Emerging Technology Alliance (GETA). January 8-10, 2003. Las Vegas, NV. For more information:

O'Reilly Bioinformatics Technology Conference. February 3 - 6, 2003.
San Diego, CA. For more information:

Third Annual Privacy Summit. International Association of Privacy Officers. February 26-28, 2003. Washington, DC. For more information:

P&AB's Privacy Practitioners' Workshop and Ninth Annual National Conference. Privacy & American Business. March 12-14, 2002. Washington, DC. For more information:

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy.
Association for Computing Machinery (ACM). April 1-4, 2003. New York,
NY. For more information:

O'Reilly Open Source Convention. July 7-11, 2003. Portland, OR. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:

Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

Subject: "help" (no quotes)

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact if you would like to change your subscription email address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail, or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learn Latin at the same time! Receive a free "sed quis custodiet ipsos custodes?" coffee mug with donation of $75 or more.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 9.23

