EPIC Submits Amicus Brief in Supreme Court ID Case
 President Signs Credit Reporting Bill
 UN Summit Tackles Human Rights in the Information Society
 EPIC Testifies Before 9/11 Commission
 President Signs "CAN-SPAM" Legislation
 News in Brief
 EPIC Bookstore: Internet Law - The Complete Guide
 Upcoming Conferences and Events
The case involves a challenge to the constitutionality of NevadaRevised Statute Sec. 171.123(3), which allows a police officer todetain a person to ascertain his identity when there are circumstancesreasonably indicating that person has committed a crime. AppellantLarry Hiibel appealed the Nevada Supreme Court's determination thatthe challenged law is consistent with guarantees against unreasonablesearch and seizure protected by the Fourth Amendment because it"strikes a balance between constitutional protections of privacy andthe need to protect police officers and the public." Hiibel alsoargues that the law violates the Fifth Amendment protection againstself-incrimination.
EPIC's brief approaches the case from a technical perspective,
surveying the capabilities and flaws of several existing governmentinformation systems: the National Crime Information Center (NCIC), theMulti-State Anti-Terrorism Information Exchange (MATRIX), the UnitedStates Visitor and Immigrant Status Indicator Technology System(US-VISIT), the Driver And Vehicle Information Database (DAVID), andthe Transportation Workers Identification Credential (TWIC). Thebrief explains how such systems may be used by law enforcement toengage in public surveillance.
Oral argument in Hiibel v. Nevada is expected next spring.
EPIC's amicus brief is available at:
For background information, see EPIC's Hiibel v. Nevada page at:
For background information, see EPIC's FCRA Page at:
For background information, see EPIC's Preemption Page at:
Representatives from governments, business, and civil society groupsaround the world met last week at the World Summit on the InformationSociety (WSIS) in Geneva. Human rights (including privacy and freeexpression), online security (including intellectual propertyregulation), and Internet governance were all discussed at the GenevaSummit. Civil society groups urged national governments to safeguardhuman rights and to promote full participation in the informationsociety. Representatives adopted a Declaration of Principles and aPlan of Action, which will be examined again in Tunisia in November of2005.
Many members of civil society have been working inside the Summitprocess insisting on the inclusion of privacy and human rightsprotections. On December 8, the Civil Society Plenary of the WSISunanimously adopted its own declaration called, "Shaping InformationSocieties for Human Needs: Civil Society Declaration to the WorldSummit on the Information Society." The members believe that theDeclaration and Plan of Action as drafted prior to the Summit did notadequately protect free expression, narrowly focused on Internetpolicy, and over-emphasized law enforcement interests.
The Human Rights Caucus reported from the Summit that their activityboth inside and outside the Summit has been successful with regards
tothe final Declaration and Plan of Action. According to the Caucus,
"The essential principles of universality and indivisibility arereiterated and there are references to the Universal Declaration ofHuman Rights as well as to the Vienna Declaration and the UN Charter."
The document also includes the full extent of Article 19 of the UDHR,
which had been at issue. However, as the Caucus reports, much of theDeclaration is not focused on human rights but rather on the creationof a "global culture of cyber-security" with interest in global traderather than on human rights. According to the Caucus, "The discussionaround security would have been enhanced by a clear understanding thattrue security can only be achieved by measures that are fullycompatible with international human rights and particularly the rightto privacy."
Control of the Internet was also a hot topic on the agenda. TheInternet is currently administered by the Internet Corporation forAssigned
Names and Numbers (ICANN), a group established by the U.S.
Commerce Department. The U.S. has not been proactive in a movement tohelp poorer countries gain access to the Internet, which would requiremoney from industrial nations. Many representatives, particularlythose from developing nations, are therefore in favor of a moreinternational body such as the United Nations to take administrativecontrol of the Internet. This adjustment was not made at the Summit.
However, the delegates agreed that a UN working group should be set upto examine whether to introduce more international oversight of theInternet's semiformal administrative bodies. Another United Nationscommittee will be established to review ways of paying for efforts toconnect the poorer populations to the Internet.
Privacy protection of civil society representatives attending theSummit was called into question by a study highlighting technologyused
in Summit security. Independent researchers attending the eventrevealed security and privacy flaws in the security system used tocontrol
access to the Summit. Security badges issued to participantscontained SmartCards and Radio Frequency Identification (RFID). Suchtechnology
can be triggered remotely without the cardholder noticingand allowed cardholders to be tracked in their attendance at theSummit.
When participants were required to obtain security badges,
they were not informed of the possible surveillance and were notprovided with any information on privacy policies and procedures.
The second phase of the World Summit on the Information Society willtake place in Tunisia, from November 16-18, 2005. There will be apreparatory meeting in the first half of 2004 to review both theissues needing focus in Tunisia and the structure of the process. Themeetings in Geneva and the follow-up to the Declaration and Plan ofAction in Tunisia in 2005 will help shape the future of theInformation Society.
The WSIS Declaration of Principles and Plan of Action is available at:
Information on the Civil Society Declaration is available at:
For background information, see EPIC's RFID page at:
EPIC Executive Director Marc Rotenberg testified before the NationalCommission on Terrorists Attacks in a public hearing on December
The commission is an independent, bipartisan group created by Congressto investigate the circumstances surrounding the September 11terrorist attacks and examine ways to prevent future attacks.
Rotenberg was invited to speak before the commission in a session on"Security and Liberty." His panel, which was charged with discussingthe protection of privacy while preventing terrorism, also includedformer Department of Defense General Counsel Judith A. Miller, andStewart A. Baker, former General Counsel of the National SecurityAgency.
In his statement, Rotenberg emphasized the important history ofprivacy protection, the problems with new systems of surveillance,
andthe specific need to preserve Constitutional checks and balances. Hebegan by discussing the development of privacy law in the
U.S. andunderscoring the important role such laws play in protectingindividual rights. Rotenberg also pointed out that "much
of thediscussion about the expansion of government surveillance authoritypost 9-11 has failed to recognize that under our form of
there are critical checks and balances that must be respected." Newlaws and security proposals the U.S. has considered since September 11extend government powers of surveillance while rolling back importantsafeguards Congress previously had established to protect the privacyof citizens, Rotenberg argued.
Rotenberg went on to discuss the affects of new technology onindividual privacy. He pointed out that there are many ways newtechnology
can be employed without jeopardizing privacy. However, theU.S. has been intent upon employing a host of new systems ofsurveillance
to monitor its citizens that are highly privacy invasive.
Rotenberg expounded on two systems in particular -- Total InformationAwareness (TIA) and the Computer Assisted Passenger PrescreeningSystem (CAPPS II). He criticized both systems for not adequatelyfollowing federal privacy regulations nor considering privacyconcerns, and suggested that these systems would hurt, not help, theAmerican people.
Finally, Rotenberg proposed a set of recommendations to thecommission, urging it to consider privacy concerns when formulatingits
report to Congress. Specifically, he underscored the importantrole privacy law has played and continues to play in safeguardingcitizens
and warning that high-tech surveillance systems beingconsidered in our country pose an immense threat to society,
especially if not properly monitored or held accountable.
Rotenberg's statement is available at:
Information on the National Commission on Terrorist Attacks isavailable at:
For background information, see EPIC's Total Information Awarenesspage at:
For background information, see EPIC's Passenger Profiling page at:
Congress acted swiftly in passing S. 877, the Controlling the Assaultof Non-Solicited Pornography and Marketing Act of 2003, known
as the"CAN-SPAM" Act. The Act creates new penalties for sending deceptivespam advertising, but does not "can"
truthful unsolicited commerciale-mail. The Act allows every spammer in the world to send everyInternet user at least one message.
The Act does not address listbrokerage, the source of the majority of unwanted advertising.
Furthermore, the Act supercedes state laws, thereby eliminatingstronger protections against spam in many states, including individualrights of action against spammers, and a California opt-in spam lawwhich would have taken effect on January 1.
The Act defines spam as any message where the "primary purpose" is the"commercial advertisement or promotion of a commercial
product orservice." In twelve months, the Federal Trade Commission (FTC) mustissue criteria to determine the "primary
purpose" of a message.
"Transactional or relationship" messages, that is, messages foraccount maintenance, product recall or safety information, or thosenecessary to complete a sale initiated by the recipient, are exemptedfrom some provisions of the Act.
Spam must include notice that the message is an advertisement orsolicitation, an opt-out notice, and a valid postal address of thesender. If the recipient opts out of the spam, the sender has tendays to stop spamming. Address harvesting and dictionary attacks areillegal under the Act, but these practices are considered aggravatingoffenses, and they cannot serve as the sole basis of prosecution of aspammer.
The Act prohibits falsification of transmission information anddeceptive subject headings. The Act creates criminal prohibitionsagainst those who knowingly transmit spam through others' computerswithout authorization. Also, the FTC may pursue individuals whoknowingly hire others to send deceptive spam. However, these andother criminal provisions are encumbered by unusually burdensomelitigation requirements. For instance, the prohibition on deceptivesubject headings would require the government to prove in court thatthe sender knew that the message would mislead a reasonable recipient.
Spam with "sexually oriented" material must be labeled with a noticethat will be developed by the FTC and the Attorney General within sixmonths.
The Act gives the FTC the authority to create a do-not-spam registry.
The agency must issue a report to Congress on the feasibility of sucha registry within six months, and may implement it three months afterthe report.
Enforcement of the Act is limited to the FTC, state attorneys general,
and Internet Service Providers. Some individuals may be able toqualify as Internet Service Providers, and bring lawsuits under theAct. But, damages are capped, and spammers can obtain a reduction infines if they can show implementation of "reasonable practices" toavoid violation of the Act. Earlier this year, the Internet Committeeof the National Association of Attorneys General described thisreduction in fines as "unprecedented in consumer protection law" and"an additional barrier to enforcement."
The CAN-SPAM Act of 2003 is available at:
The letter from the NAAG Internet Committee Objecting to CAN-SPAM isavailable at:
For background information, see EPIC's Spam page at:
U.S., EU REACH DEAL ON PASSENGER DATA TRANSFER
The European Commission has temporarily agreed to provide the UnitedStates with information on its airline passengers traveling to
theU.S. EU Commissioner Frits Bolkestein worked out the final details ofthe agreement Monday with U.S. Department of Homeland SecuritySecretary
Tom Ridge. Pursuant to what is now only a temporaryarrangement, U.S. authorities would legally get access to passengername records
(PNR) of travelers from Europe subject to a fewsafeguards: the period during which data would be retained is 3 1/2years (down from
50 years); the fields of PNR transferred to the USwould be limited to 34 (it would include fields such as passenger1sname and address,
credit card information, telephone number and travelcompanions); the passenger data, once disclosed in the U.S., couldonly be used
against terrorism and to prosecute crimes of atransnational nature; E.U. passengers would have the right to complainbefore their
national data protection authorities if the DHS fails toproperly resolve their complaints; and a US-EU joint annual jointreview would
be carried out to assess how the U.S. implement theagreement. The deal comes after a year of negotiations in which theU.S. has sought
expansive access to EU passenger information as a partof its war on terrorism. The agreement may still violate Europeanprivacy laws
and faces opposition from the European Parliament.
The statement of the European Commission is available at:
The speech by Frits Bolkestein before the European Parliament isavailable at:
For background information, see EPIC's EU-U.S. Airline PassengerData page at:
3rd CIRCUIT RULES EMPLOYER MAY SEARCH STORED EMPLOYEE EMAIL
The 3rd U.S. Circuit Court of Appeals has decided that an employer whoaccessed his employee's e-mails in computer storage did not violatethe Electronic Communications Privacy Act (ECPA). In the case ofFraser v. Nationwide Mutual Insurance Co., the court ruled that theECPA only bans interception of email if it occurs at the time of thetransmission, thus allowing the owner of the email system to view anystored e-mail it wishes. "Every circuit court to have considered thematter has held that an 'intercept' under the ECPA must occurcontemporaneously with transmission," wrote Judge Thomas L. Ambro inthe majority opinion. Ambro found that ECPA prohibits "seizures" ofstored e-mails but includes an exception for seizures authorized "bythe person or entity providing a wire or electronic communicationsservice."
The 3rd Circuit Court's opinion in Fraser v. Nationwide MutualInsurance Co. is available at:
For background information, see EPIC's Workplace Privacy page at:
BUSH SIGNS INTELLIGENCE AUTHORIZATION BILL, EXPANDS FBI POWERS
President Bush signed H.R. 2417, the Intelligence Authorization Actfor Fiscal Year 2004, into law on December 13. The Act authorizesappropriations for intelligence-related activities of various federalagencies, including the Department of Defense, Department of HomelandSecurity, and Federal Bureau of Investigation (FBI). A provisionadded to the bill in committee in mid-November, after the bill hadbeen passed by the House and Senate, expands FBI authority to seizerecords in terrorism investigations. The Act permits the FBI todemand records without judicial approval from car dealers,
pawnbrokers, travel agents, casinos, and other businesses.
The text of H.R. 2417 is available at:
The committee report is available at:
GILMORE COMMISSION MAKES FINAL HOMELAND SECURITY RECOMMENDATIONS
The Gilmore Commission, also known as the Advisory Panel to AssessDomestic Response Capabilities for Terrorism Involving Weapons of MassDestruction, released its fifth and final annual report to thePresident and Congress on December 15. Among the Commission'srecommendations is the creation of a bipartisan board to provideoversight on homeland security activities that may impinge upon civilliberties. According to the report, such a board is necessary becauseof the "potential chilling effect" of government surveillanceconducted for homeland security purposes. The Committee alsorecommends the establishment of a domestic intelligence agencyresponsible for collecting and analyzing information related toterrorist threats within the United States. Since its inception, theCommittee has made 144 recommendations, 125 of which have been adoptedby Congress and government agencies.
The Gilmore Commission's homepage is available at:
The Gilmore Commission's Fifth Annual Report is available at:
NEW STUDY: CREDIT SCORING DOES NOT ELIMINATE RACE, AGE BIAS
A new study by the National Community Reinvestment Coalition has foundthat discrimination is widespread in home lending, resulting in"African-American and predominately elderly communities receiv[ing] aconsiderably higher level of high cost subprime loans than isjustified based on th[eir] credit risk." Traditionally, lenders haveargued that credit scoring systems allow lending decisions to be madein a colorblind fashion. However, the study, which controlled forrisk and housing market conditions, found that race and age werestrongly correlated with unfair, high-cost sub-prime lending.
Race and Age Discrimination in Lending Documented, National CommunityReinvestment Coalition, December 2003, is available at:
EMBASSY WARNED GOV'T OF CHOICEPOINT PRIVACY INVASION
EPIC has obtained a message under the Freedom of Information Act fromthe American Embassy in Mexico to U.S. government officials regardingthe acquisition of Mexicans' personal information by ChoicePoint.
Themessage alerted the White House, the Department of Homeland Securityand other agencies that Mexican newspapers and political
leadersobjected to the transfer of voting and driving records to ChoicePoint,
and warned that "a potential firestorm may be brewing." In April2002, documents obtained by EPIC revealed that the Immigration andNaturalization Service contracted with ChoicePoint to obtain citizenregistry, motor vehicle, and other information for Brazil, Argentina,
Mexico, Columbia, and Costa Rica. These documents led to calls forinvestigations in several countries (See EPIC Alert 10.08).
The message From the American Embassy in Mexico to Washington isavailable at:
Records Showing INS Purchase of Information on Latin and CentralAmericans are available at:
EPIC URGES FCC TO PROTECT PRIVACY OF INTERNET TELEPHONY USERS
EPIC has urged the Federal Communications Commission to address theprivacy implications of Voice over Internet Protocol (VoIP), atechnology
that enables Internet telephony. In a letter to theagency, EPIC recounted the FCC's past actions to protect privacy, andargued that
the adoption of genuine privacy practices will acceleratethe adoption and security of Internet telephony. Specifically, EPICrequested
that the FCC create "technical and legal safeguards toprotect communications traffic (content and routing information) anduser
location information, and to ensure that those expert in privacylaw and regulation participate in the work of the FCC on VOIP."
The EPIC VoIP Letter is available at:
The FCC VoIP Forum is available at:
Steven D. Imparl, Internet Law - The Complete Guide (SpecialtyTechnical Publishers, Canada 2003) (available in loose-leaf binder andCD-rom, 4 updates per year).
This 3-volume guide very clearly outlines the most important rules inthe field of Internet law. Its sections on children1s privacy,
consumer protection laws, advertising and telemarketing lawsapplicable to online and offline commerce, workplace privacy, andunsolicited e-mail are completed with very useful checklists forprofessionals and consumers alike. Each section is completed byup-to-date references to regulations in force, Internet resources, andindexes of relevant case law and statutes. The 3Internet Law - TheComplete Guide2 offers practical advice to privacy and consumerprotection practitioners, consultants and advocates, as well asconsumers.
- Cédric Laurant
"The Privacy Law Sourcebook 2002: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor
Price: $40. http://www.epic.org/bookstore/pls2002/
The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.
"FOIA 2002: Litigation Under the Federal Open Government Laws," HarryHammitt, David Sobel and Mark Zaid, editors (EPIC 2002).
This is the standard reference work covering all aspects of theFreedom of Information Act, the Privacy Act, the Government in theSunshine Act, and the Federal Advisory Committee Act. The 21stedition fully updates the manual that lawyers, journalists andresearchers have relied on for more than 25 years. For those wholitigate open government cases (or need to learn how to litigatethem), this is an essential reference manual.
"Privacy & Human Rights 2003: An International Survey of Privacy Lawsand Developments" (EPIC 2002). Price: $35.
This survey, by EPIC and Privacy International, reviews the state ofprivacy in over fifty-five countries around the world. The surveyexamines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systemsand freedom of information laws.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.
"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price:
The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.
"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC
EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.
EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore/
"EPIC Bookshelf" at Powell's Books http://www.powells.com/features/epic/epic.html
WHOLES - A Multiple View of Individual Privacy in a Networked World.
Swedish Institute of Computer Science. January 30-31, 2004. Stockholm,
Sweden. For more information: http://www.sics.se/privacy/wholes2004.
The New Fair Credit Reporting Act. Privacy & American Business.
February 9-10, 2004. Washington, DC. Email infopandab.org.
O'Reilly Emerging Technology Conference. February 9-12, 2004. SanDiego, CA. For more information: http://conferences.oreilly.com/etech.
IAPP 4th Annual Privacy & Security Summit & Expo. February 18-20,
2004. Washington, DC. For more information:
RSA Conference 2004 - The Art of Information Security. February23-27, 2004. San Francisco, CA. For more information:
Securing Privacy in the Internet Age. Stanford Law School. March13-14, 2004. Palo Alto, CA. For more information:
International Conference on Data Privacy and Security in a GlobalSociety. Wessex Institute. May 11-13, 2004. Skiathos, Greece. Formore information:
O'Reilly Open Source Convention. July 26-30, 2004. Portland, OR. Formore information: http://conferences.oreilly.com/oscon.
Subscribe/unsubscribe via Web interface:
Subscribe/unsubscribe via e-mail:
Subject: "subscribe" or "unsubscribe" (no quotes)
Automated help with subscribing/unsubscribing:
Subject: "help" (no quotes)
Problems or questions? e-mail < infoepic.org >
Back issues are available at: http://www.epic.org/alert/
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail addressfrom this list, please follow the above instructions under"subscription information". Please contact infoepic.org if you wouldlike to change your subscription e-mail address, if you areexperiencing subscription/unsubscription problems, or if you have anyother questions.
The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus
public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord
privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information,
e-mail infoepic.org, http://www.epic.org or write EPIC, 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140(tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you cancontribute online at:
Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.
Thank you for your support.
END EPIC Alert 10.25