EPIC Alert 13.11 [2006] EPICAlert 11


Volume 13.11 June 2, 2006

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] Coalition Calls for HIPAA Compliance Review of Veterans Affairs
[2] European Court Blocks Passenger Data Transfer
[3] Supreme Court Rules Against Whistleblower
[4] EPIC Urges Privacy Safeguards for Traveler Database
[5] Gen. Michael Hayden Sworn in as CIA Director
[6] News in Brief
[7] EPIC Bookstore: Goldsmith and Wu: "Who Controls the Internet?"
[8] Upcoming Conferences and Events

[1] Coalition Calls for HIPAA Compliance Review of Veterans Affairs

Thirty organizations participating in the Consumer Coalition for Health Privacy yesterday asked U.S. Department of Health and Human Services Secretary Mike Leavitt to undertake a compliance review of the U.S. Department of Veterans Affairs pursuant to the authority granted him by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Medical diagnostic codes and disability rating information about an undisclosed number of disabled veterans were stolen last month from the home of a VA employee along with 26.5 million veterans' names, birth dates and Social Security numbers.

"Secretary Leavitt should do everything he can to ensure the privacy and security of protected health and other highly sensitive information held by the VA," according to Paul Feldman, Deputy Director of the Health Privacy Project. "Ordering a HIPAA compliance review is a prudent step the Secretary is authorized to take which will encourage better from the VA in the future and will help assure veterans that our government takes seriously the protection of their personal information. I hope the HHS Office for Civil Rights will proceed with this review with all due speed."

Earlier in May, a VA employee's home was burglarized. Among the items taken was a laptop from the agency that had been taken home containing the health records of some 26.5 million veterans. Although the laptop was stolen on May 3, officials were not notified of the breach until a week later, with the public learning of the disclosure first on May 22. The analyst who took the data home has since been fired, and his supervisor has resigned.

The breach likely violated the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") and the Security Standards for the Protection of Electronic Protected Health Information ("Security Standards"), which were implemented under HIPAA. The rules require that medical providers protect the security of health information and keep it from being disclosed improperly. While the government has the ability to assess whether the VA may be liable under civil or criminal law, individuals harmed do not have a private right of action under HIPAA.

Coalition Letter to Health and Human Services:

Consumer Coalition for Health Privacy Home Page:

EPIC's Medical Privacy page:

[2] European Court Blocks Passenger Data Transfer

The European Court of Justice ruled that the 2004 airline passenger data transfer agreement between the U.S. Department of Homeland Security and the European Union is to be voided after September 30, 2006. The Court held that the agreement was illegal because it exceeded the scope of the EU 1995 Directive on data protection.

After the terrorist attacks of September 11, 2001, airlines entering the United States were asked to provide the U.S. government with data on their passengers. However, such transfers of personal data potentially ran afoul of European law. The European Commission thus attempted to justify the data transfers under the 1995 Directive, which regulates the processing of personal data. In May of 2004, the EU officially entered into the data-sharing agreement with the U.S.

However, the European Parliament challenged the agreement in the European Court of Justice. The court's decision invalidated the agreement, not because of particular defects in the handling of information, but on the grounds that the data transfers were not being processed for economic reasons, but for security purposes.

Privacy International describes the holding as a "pyrrhic victory" because the Court ruled on the basis of legal authority, and did not address the privacy implications of the transfer of the personal data to the U.S. The European Data Protection Supervisor is concerned that the ruling has created a loophole because it is now uncertain whether or not the 1995 Directive provides any protection at all to data collected for commercial reasons but used for police matters.

U.S. and European negotiators will likely need to develop a new legal framework if the transfer of information on European citizens to the United States government continues.

EPIC's Page on EU-US Airline Passenger Data Disclosures:

Ruling of the European Court of Justice:

Text of the EU-US Agreement (pdf):

EPIC's Privacy Law Sourcebook (containing the text of the EU Data Directive):

Privacy International Statement on the Ruling:

[3] Supreme Court Rules Against Whistleblower

In a 5-4 decision, the Supreme Court held that public employees' statements, if made in the course of the job, are not protected by the First Amendment, and that an employer can retaliate against employees for making them.

Richard Ceballos was a deputy district attorney in Los Angeles when he recommended to his superiors that they dismiss a case based upon a faulty warrant. After his superiors decided to proceed with the prosecution despite Ceballos's concerns, Ceballos testified for defense counsel in a challenge to the warrant.

Ceballos claimed that after this testimony, the District Attorney's office retaliated against him by reassigning him, transferring him, and denying him a promotion. Ultimately, Ceballos sued, alleging that the office had retaliated against him for exercising his First Amendment rights, contrary to a line of Supreme Court cases that protected employees who spoke out publicly against perceived injustices at their public workplaces. However, the Supreme Court ruled against Ceballos, holding that, since Ceballos's speech was made in the course of his employment.

"Restricting speech that owes its existence to a public employee's professional responsibilities does not infringe any liberties the employee might have enjoyed as a private citizen," the Court said in an opinion authored by Justice Kennedy. Restricting speech, the opinion said, "simply reflects the exercise of employer control over what the employer itself has commissioned or created."

Justice Souter, in a dissent joined by justices Stevens and Ginsburg, stated that "this is an odd place to draw a distinction," and that it could lead to employees who are most qualified to speak out on a subject being deprived of First Amendment protections. The majority opinion argues that such a rule will encourage public employers to maintain robust and easy-to-use internal grievance procedures, at the risk of their employees reporting out to the press.

However, if employees whose jobs include investigating and reporting wrongdoing within a public employer (such as an inspector general or an ombudsman) have no First Amendment protections for their speech, their incentives for criticizing their employers and institutions could be reduced, with negative effects on oversight.

Opinion in Garcetti v. Ceballos (pdf):

Amicus brief of the Government Accountability Project (pdf):

EPIC's Free Speech Page:

[4] EPIC Urges Privacy Safeguards for Traveler Database

In comments to Customs and Border Protection, EPIC urged the agency not to exempt a vast database from legal requirements that protect privacy and promote government accountability. The Global Enrollment System would include employment history and biometric data, and it would cover all individuals who "apply to use any form of automated or other expedited inspection for verifying eligibility to cross the borders into the United States."

Among many possible activities, the agency would use this system to determine which travelers are "low-risk" and eligible for the "Trusted Traveler" program. CBP seeks to exempt the Global Enrollment System from provisions of the Privacy Act of 1974 that create judicially enforceable rights of access and correction, and replace the Privacy Act provision with a weak administrative right of access and redress. For redress, a person must write to CBP Customer Satisfaction Unit in the Office of Field Operations or the Homeland Security Director for Departmental Disclosure and Freedom of Information Act. EPIC warned that the absence of effective redress procedures would leave many travelers improperly designated as "high-risk," and they would be subject to stricter screening procedures.

This "Trusted Traveler" system also creates a substantial security risk, as it divides travelers into categories whose criteria can be learned and exploited. The program creates two classes of travelers: trusted and not trusted. But, as security expert Bruce Schneier has explained, this could also create a third category: "bad guys with the card." Criminals could choose applicants without previous links to terrorism, who could pass the background checks, to commit their crimes. Nor are such candidates necessarily rare. For example, neither Oklahoma City bomber Timothy McVeigh nor Unabomber Ted Kaczynski had previous ties to terrorism, Schneier said.

EPIC detailed a number of approaches to this problem, none of which are considered by the CBP in its proposed expansion of the Global Enrollment System. First, the best procedure may be to subject all travelers to the security screening that would be required for a suspicious traveler. Second, if the Trusted Traveler program is adopted, it may be necessary to include random security screenings even for those passengers who have been designated "low-risk" travelers so that those who obtain such a designation but intend harm will still be at risk of more thorough security screening. Third, as EPIC has previously recommended, the best approach may be to focus on security techniques that are intended to detect devices and other materials that may threaten air travel safety rather than profiling techniques that attempt to divine the intent of travelers.

The Global Enrollment System also has a strong risk of "mission creep," EPIC said. "Trusted Traveler" applicants must submit a substantial amount of personally identifiable information, which could be used for reasons other than the original security purposes for which the data was gathered or volunteered. CBP has identified seven categories of "routine uses" of personal data that would be collected and maintained in the program's system of records. These routine uses are so broad as to be meaningless, allowing for potential disclosure to virtually any government agency worldwide for a vast array of actual or "potential" undefined violations.

EPIC's Comments About the Global Enrollment System (pdf):

EPIC's Passenger Profiling Page:

More Analysis by Bruce Schneier of "Trusted Traveler" Programs:

[5] Gen. Michael Hayden Sworn in as CIA Director

Air Force Gen. Michael Hayden was sworn in as the new Director of the Central Intelligence Agency earlier this week, a few days after the Senate voted 78-15 to confirm him. For the last year, Hayden has served as National Intelligence Director John Negroponte's top deputy. But Hayden previously headed the National Security Agency and oversaw two domestic surveillance programs recently revealed in newspaper reports.

Earlier this month, USA Today revealed that the phone call records of tens of millions of Americans are being secretly collected by the NSA. This is the second secret NSA domestic spying program revealed in the last six months. In December, the New York Times revealed that President Bush secretly issued an executive order in 2002 that authorized NSA to conduct warrantless surveillance of international telephone and Internet communications on American soil. Both programs are of dubious legality.

The USA Today report contradicts statements made by the White House and Hayden that the domestic surveillance program was "highly targeted" and directed only to "international communications." Hayden had defended the surveillance program by saying that the privacy of Americans was protected and suggesting that the government was not eavesdropping on Americans without warrants. Hayden faced questions about the programs at his confirmation hearings. Hayden was asked to reconcile his comments with news reports, and Sen. Ron Wyden accused Hayden of making contradictory or misleading statements.

Legislators also rejected Hayden's assurances that Congress had been adequately briefed about the warrantless domestic surveillance programs. Hayden said there were 13 briefings to eight congressional leaders from both parties. Shortly before the hearings began, the administration briefed all members of the Senate and House intelligence committees. Sen. Olympia Snowe said that was too late. "I happen to believe that with the programs in question, that the Congress was really, never really consulted or informed in a manner that we could truly perform our oversight role as co-equal branches of government," Snowe said.

Though legislators questioned Hayden about the programs, little has been revealed publicly. When pressed for more information, Hayden repeatedly said he would answer their questions in closed session, stating that the information was classified.

EPIC Resources on Domestic Surveillance:

Senate Intelligence Committee Confirmation Hearing of General Michael Hayden to be Director of the CIA:

President Bush's Remarks at Hayden's Swearing-In:

[6] News in Brief

Justice Department Presses for Internet Data Retention

The U.S. Department of Justice is pressing for Internet service providers to store customer records and allow law enforcement to search them for evidence of child pornography or terrorism. Although details of the plan have not been finalized, the proposal would likely require providers to store data for at least two years. The data would likely include lists of web sites visited, email addresses contacted, and may include search terms or instant messenger contacts. Attorney General Alberto Gonzales and FBI Director Robert Mueller have organized a task force to research the program.

EPIC's Data Retention Page:

In 1990s, NSA Developed Privacy-Friendly Data-Gathering Program

According to the Baltimore Sun, the National Security Agency developed a pilot program in the late 1990s that would have enabled it to gather and analyze telephone and Internet communications data without violating federal privacy laws. The NSA ended the program after the Sept. 11, 2001 attacks, in part because of President Bush's secret order expanding the agency's surveillance power. One privacy protection of the pilot program, called ThinThread, was an automated auditing system to prevent misuse or abuse of the data by analysts.

EPIC's Resources on Domestic Surveillance:

General Hints at Prosecuting Reporters Over NSA Story

U.S. Attorney General Alberto Gonzales said last week that he believed there are federal laws that would allow the government to prosecute the New York Times reporters who revealed a secret National Security Agency eavesdropping program. After the story was published, President Bush acknowledged that he secretly issued an executive order in 2002 that authorized the NSA to conduct warrantless surveillance of international telephone and Internet communications on American soil. Gonzales was referring to espionage laws that, in some circumstances, ban the possession and publication of certain classified data concerning national defense and "communications intelligence activities."

EPIC's Resources on Domestic Surveillance:

Privacy Commissioner Releases Annual Report

The Office of the Canadian Privacy Commissioner issued its annual report to parliament on the implementation of the Personal Information Protection and Electronic Documents Act (PIPEDA). The report summarizes legislative trends and a variety of PIPEDA complaints made to the Commissioner's Office. The report also contains a review of the use of radio frequency identification (RFID) devices within Canada, highlighting the need for awareness and guidance in the use of this potentially privacy-invasive technology.

Text of the Annual Report:

Office of the Privacy Commissioner:

Center Issues Internet Filtering Report

The Brennan Center for Justice at New York University School of Law has issued an updated report on the effect of Internet filters on public policy. The analysis of over 100 tests and studies through 2006 debunks the notion that filters have gotten more accurate, and suggests that policies requiring such filters be reexamined. The report adds valuable new data and discussion to earlier reports on the impact of Internet filters on free speech.

Internet Filters: a Public Policy Report:

EPIC's "Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls"

[7] EPIC Bookstore: Goldsmith and Wu: "Who Controls the Internet?"

Jack Goldsmith and Tim Wu. "Who Controls the Internet? Illusions of a Borderless World." Oxford University Press, 2006.

"Is the Internet erasing national borders? Will the future of the Net be set by Internet engineers, rogue programmers, the United Nations, or powerful countries? Who's really in control of what's happening on the Net? In this provocative new book, Jack Goldsmith and Tim Wu tell the fascinating story of the Internet's challenge to governmental rule in the 1990s, and the ensuing battles with governments around the world. It's a book about the fate of one idea: that the Internet might liberate us forever from government, borders, and even our physical selves. We learn of Google's struggles with the French government and Yahoo's capitulation to the Chinese regime; of how the European Union sets privacy standards on the Net for the entire world; and of eBay's struggles with fraud and how it slowly learned to trust the FBI. In a decade of events the original vision is uprooted, as governments time and time again assert their power to direct the future of the Internet. The destiny of the Internet over the next decades, argue Goldsmith and Wu, will reflect the interests of powerful nations and the conflicts within and between them. While acknowledging the many attractions of the earliest visions of the Internet, the authors describe the new order, and speaking to both its surprising virtues and unavoidable vices. Far from destroying the Internet, the experience of the last decade has led to a quiet rediscovery of some of the oldest functions and justifications for territorial government. While territorial governments have unavoidable problems, it has proven hard to replace what legitimacy governments have, and harder yet to replace the system of rule of law that controls the unchecked evils of anarchy. While the Net will change some of the ways that territorial states govern, it will not diminish the oldest and most fundamental roles of government and challenges of governance.

Well written and filled with fascinating examples, including colorful portraits of many key players in Internet history, this is a work that is bound to stir heated debate in the cyberspace community."

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining, and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $50.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 60 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2004 is the most comprehensive report on privacy and data protection ever published.

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

RFID Frequency spectrum: Requirements and Recommendations. European Commission Information Society. June 2, 2006. Brussels, Belgium. For more information:

Call for papers for the CRCS Workshop 2006: Data Surveillance and Privacy Protection. Center for Research on Computation and Society. June 3, 2006. Cambridge, Massachusetts. For more information:

7th Annual Institute on Privacy Law: Evolving Laws and Practices in a Security-Driven World. Practising Law Institute. June 5-6, San Francisco, California. June 19-20, New York, New York. July 17-18, Chicago, Illinois. Live webcast available. For more information:

Canadian Biometric ID Documents: a Public Forum. University of Toronto. June 15, 2006. Toronto, Ontario, Canada. For more information:

identitymashup: Who Controls and Protects the Digital Me? Berkman Center for Internet & Society, Harvard Law School. June 19-21, 2006. Cambridge, Massachusetts. For more information:

Call for papers for Identity and Identification in a Networked World. Submissions due by July 5. New York University. Symposium on September 29-30, 2006. New York, New York. For more information:

Infosecurity New York. Reed Exhibitions. September 12-14, 2006. New York, New York. For more information:

34th Research Conference on Communication, Information, and Internet Policy. Telecommunications Policy Research Conference. September 29-October 1, 2006. Arlington, Virginia. For more information:

6th Annual Future of Music Policy Summit. Future of Music Coalition. October 5-7, 2006. Montreal, Canada. For more information:

The IAPP Privacy Academy 2006. International Association of Privacy Professionals. October 18-20, 2006. Toronto, Ontario, Canada. For more information:

International Conference on Privacy, Security, and Trust (PST 2006). University of Ontario Institute of Technology. October 20-November 1, 2006. Markham, Ontario, Canada. For more information:

BSR 2006 Annual Conference. Business for Social Responsibility. November 7-10, 2006. New York, New York. For more information:

CFP2007: Computers, Freedom, and Privacy Conference. Association for Computing Machinery. May 2007. Montreal, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.