EPIC Alert
As the House Energy and Commerce Committee held hearings last week on the Hewlett-Packard pretexting scandal, almost 40 organizations (including EPIC, the American Library Association, the Liberty Coalition, the Republican Liberty Caucus, and People for the American Way) urged the committee in a joint statement to "show the same level of interest in the NSA spying as you have shown in the investigation of the Hewlett-Packard matter." The committee grilled Hewlett-Packard executives for almost 8 hours, but it has yet to hold a hearing on the National Security Agency's demand to US phone companies for the call records of Americans.
"The actions of Hewlett Packard executives, although egregious, pale in comparison to the violation of the privacy rights of tens of millions of American consumers that should be safeguarded by federal law within the jurisdiction of the Committee," the organizations said. To date, government officials have refused to give details about the program, saying such disclosures could harm national security. However, news reports indicate that the program is operating outside the bounds set by the Foreign Intelligence Surveillance Act, which was passed to establish a legal basis for foreign intelligence surveillance within the United States.
In the NSA program, the agency is gathering communications records for a massive database so that it can analyze calling patterns as it tries to find terrorist activity. According to newspaper reports, AT&T, SBC, Verizon, and BellSouth handed over the data even though the government did not have warrants. (BellSouth and Verizon have since denied cooperating with the program.) Qwest refused to give its customers' data to the government, because the government did not have warrants and refused to have either the Foreign Intelligence Surveillance Court or the U.S. Attorney General's office evaluate the legality of the program.
The joint statement follows an earlier EPIC request to FCC Chairman Kevin Martin, which stated, "If telecommunications carriers disclosed customer information to the NSA in the manner described in press reports, then violations of section 222 of the Communications Act have occurred."
The Joint Statement to the House Energy and Commerce Committee (pdf):
EPIC's Request to FCC Chairman Kevin Martin (pdf):
EPIC's Page on Domestic Surveillance:
EPIC's Page on Pretexting:
The Belgian Privacy Commission has found that SWIFT did not obey Belgian law when it transferred vast amounts of financial data to the U.S. Treasury Department. The secret financial surveillance program was revealed in June and is under investigation in several countries for possible violations of privacy laws.
In the program, begun shortly after the Sept. 11, 2001 attacks, the Treasury Department uses broad, secret administrative subpoenas to gather vast amounts of information from Belgium-based SWIFT, which routes financial data among 7,800 financial institutions in more than 200 countries. These administrative subpoenas are not reviewed by any judicial authority; the only review is by a high-level Treasury Department official. Stuart Levey, Treasury's Undersecretary for Terrorism and Financial Intelligence, said the SWIFT database has been searched "tens of thousands" of times since the program began five years ago.
In announcing the Commission's report, Belgian Prime Minister Guy Verhofstadt said, "From the very beginning, SWIFT should have been aware that fundamental European laws should also be respected." The Belgian Privacy Commission found that SWIFT "made some substantial errors of judgment in complying with the American subpoenas." The Commission said, "SWIFT should have complied with its obligations under the Belgian privacy law, amongst which the notification of the processing, the information, and the obligation to comply with the rules concerning personal data transfer to countries outside the EU."
Many have questioned the legality of the program under international data protection laws. The civil liberties advocacy organization Privacy International filed complaints with data protection and privacy officials in 33 countries, calling the massive operation "a fishing exercise rather than legally authorised investigation." The Data Protection Commission for the German Land of Schleswig-Holstein has analyzed the US-SWIFT data transfers and concludes that the program violates German and European data protection law. The Commission says SWIFT should cease processing or retaining any data on intra-European Union transactions in the U.S. The Privacy Commissioner of Canada is also investigating the legality of the program under Canadian data protection laws.
The EU Article 29 Data Protection Working Party is also investigating the financial data surveillance program. The Working Party has expressed "immediate concerns about the lack of transparency which has surrounded these arrangements." A report is expected soon, which Peter Schaar, Data Privacy Commissioner of Germany and head of the Working Party, said he expected would conclude that the program might violate European law restricting government access to confidential banking records. The report is expected to recommend that additional safeguards be put in place to check how financial records are shared with American intelligence officials.
Belgium Data Privacy Commission: Summary of the opinion on the transfer of personal data by SCRL SWIFT following the UST (OFAC) subpoenas (unofficial English translation) (pdf):
Privacy International Press Release Describing Complaints:
European Union Data Protection Laws:
http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm
EPIC's Spotlight on Surveillance on the SWIFT Program:
The European Union and the United States are in a legal vacuum four months after the European Court of Justice (ECJ) struck down a passenger name record deal that allowed the transfer of personal information on European travelers to the U.S. government, as no accord was struck by the court-appointed deadline of September 30.
Under the previous agreement, which had been in place since May 2004, passenger name records (PNRs) on travelers from Europe were transmitted to the U.S. Department of Homeland Security within 15 minutes of a flight's departure. PNRs are data held by air carriers and travel agents collected during booking, and can include passenger travel dates, home and work addresses, payment details, members of the party and meal preferences. The minimum amount required for a travel booking is a name, contact information, and itinerary.
Since the ECJ ruled in May that the agreement was illegal because it exceeded the scope of the 1995 EU Directive on data protection, the two sides have been engaged in high-level negotiations over the terms of a new accord. The Department of Homeland Security seeks increased access to the passenger name records, including the right to share passenger data with other U.S. government agencies. The European Union delegation is concerned that such use of citizens' data will violate European privacy laws. Washington has warned that if airlines do not disclose the information, they may be subject to fines of $6,000 per passenger and loss of landing rights. Conversely, European airlines face lawsuits by European citizens for violating European privacy laws if the data is disclosed to the U.S. without a new agreement. Officials say negotiations will continue.
Last month, the Transatlantic Consumer Dialogue (TACD), a coalition of US and EU consumer groups, wrote to US and EU officials, urging them to include privacy safeguards in air passenger data sharing agreements. The consumer groups request that officials considering PNR sharing abide by three criteria. First, the agreement must respect the May 2006 European Court of Justice decision that PNR sharing agreements must have an adequate legal basis and be respectful of U.S. and EU privacy laws. Second, the U.S. and EU must conduct a study comparing the effectiveness of passenger profiling with other safety techniques. Third, the groups held that an annual report on PNR sharing must be published.
Ruling of the European Court of Justice:
Text of the EU-US Agreement (pdf):
EPIC's Privacy Law Sourcebook (containing the text of the EU Data Directive):
Text of TACD letter:
EPIC's Page on EU-US Airline Passenger Data Disclosures:
EPIC, the ACLU of Southern California and Occidental College held a forum on identity theft and database security in Los Angeles on September 21. The panelists discussed how to protect privacy and reduce the risk of identity theft in the era of the Real ID Act, which mandates federal identification standards for state driver's licenses and ID cards, and requires state DMVs to collect sensitive personal information in a massive database accessible by DMVs in every state.
At the forum, Malek Moazzam Doulat, adjunct professor of religious studies at Occidental College, moderated a discussion about the implications of database security for identity theft. California Assemblyman Dario Frommer discussed his personal experience as an identity theft victim. A representative of the Los Angeles District Attorney's Office on Identity Theft explained the many ways in which weaknesses in database security, and in the security of documents such as bank and health records, are exploited to steal sensitive personal information.
Melissa Ngo, staff counsel and director of EPIC's Identification and Surveillance Project, explained that the compilation of sensitive personal data in large databases creates a tempting target for identity thieves. Sometimes the thieves hack into systems, but because government and companies hold such large databases, it is also easy simply to buy the financial and biographical data of many Americans. For instance, last year, data broker ChoicePoint revealed that it had sold the personal information of 145,000 Americans to identity thieves. Fidelity Bank was able to buy DMV data on 565,000 people from the State of Florida. The physical security of these large databases is questionable as well. This summer, a burglary at the home of an analyst in the Veterans Administration put at risk the information of 26.5 million veterans, active-duty troops and their families.
Ramona Ripston, Executive Director of the ACLU of Southern California, said the significant security risks inherent in large databases are especially applicable in the case of REAL ID. This database would include biographical data, Social Security numbers and images of identification documents such as birth certificates or citizenship papers.
On the same day as the forum, the National Conference of State Legislatures released a report estimating that the cost to the states will be more than $11 billion over five years. States also expressed concern regarding the application of the Drivers Privacy Protection Act to the records retention and information sharing requirements of Real ID.
National Conference of State Legislatures Report: The Real ID Act: National Impact Analysis (pdf):
EPIC's Page on Identity Theft:
EPIC's Page on National ID Cards and REAL ID Act:
In a September 26, 2006 letter to Hugo Teufel, the Chief Privacy Officer of the Department of Homeland Security, EPIC asked when the DHS privacy report would be made available. The Department is required by law to provide an annual report to Congress.
Under the Homeland Security Act of 2002, the Chief Privacy Officer must submit a report "on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974, internal controls, and other matters." The last report, which covered the period April 2003 to June 2004, was published in February 2005. A year ago, then-Chief Privacy Officer Nuala O'Connor Kelly said she hoped the annual report would be released "sometime in the end of the next quarter."
EPIC also submitted letters to Senators Susan Collins and Joe Lieberman, the Chairman and Ranking Member of the Senate Committee on Homeland Security, asking about the late report. EPIC highlighted that, in contrast to the Chief Privacy Officer, the DHS Inspector General has routinely submitted semiannual reports to Congress on a timely basis.
On October 4, 2006, President Bush indicated in a signing statement on the Homeland Security Appropriations Act that he might disregard a legal requirement to ensure that the annual DHS privacy report is not influenced by the White House. Section 522 of the Act, as passed, stated that:
None of the funds made available in this Act may be used by any person other than the Privacy Officer appointed under section 222 of the Homeland Security Act of 2002 (6 U.S.C. 142) to alter, direct that changes be made to, delay, or prohibit the transmission to Congress of any report prepared under paragraph (6) of such section.
However, the President wrote that he would "construe section 522 of the Act, relating to privacy officer reports, in a manner consistent with the President's constitutional authority to supervise the unitary executive branch."
EPIC's Letter to Chief Privacy Officer Teufel (pdf):
Homeland Security Act of 2002 (pdf):
DHS Chief Privacy Officer Report Covering April 2003 to June 2004 (pdf):
Department of Homeland Security Appropriations Act, 2007:
Presidential Signing Statement, H.R. 5441:
Report: Security Vulnerabilities in Government Health Data Network
A report released this week by the Government Accountability Office identified 47 weaknesses in the communications network used to transmit medical data for the U.S. government's Medicare and Medicaid programs. The claims data -- including patient names, Social Security numbers, and medical information -- is sent to health-care facilities, contractors, financial institutions and state Medicaid offices. The security vulnerabilities could allow "unauthorized access to personally identifiable medical data," according to the report.
Report: Information Security: The Centers for Medicare & Medicaid Services Needs to Improve Controls over Key Communication Network (pdf):
EPIC's Page on Medical Privacy:
Supreme Court Ignores Appeal in DNA Database Case
The Supreme Court this week chose not to hear the appeal of a Washington, D.C. resident who argued that the collection of his DNA for a federal database violated the Fourth Amendment. EPIC filed an amicus brief in support of Lamar Johnson's petition and emphasized three particular flaws within the DNA collection program. First, the DNA profile stored in CODIS contains more information than the unique identifier the government claims. Second, the DNA database allows for partial profile searching that implicates relatives of profiled individuals. Third, the retention of the blood sample from which the DNA profile is generated presents an opportunity for future privacy violations.
EPIC's Page on Johnson v. Quander:
EPIC's Page on Genetic Privacy:
D.C. Police Chief: Expanded Camera Surveillance Hasn't Cut Crime
In the seven weeks that they have been deployed, Washington, D.C.'s 48 new surveillance cameras have not helped to solve any cases, according to D.C. Police Chief Charles Ramsey. He spoke before the D.C. Council's Committee on the Judiciary about the emergency crime legislation adopted on July 11. EPIC and other groups opposed the Council's decision to expand camera surveillance, establish an earlier curfew, and grant police access to confidential juvenile information. EPIC has repeatedly warned the Council that camera surveillance systems are ineffective and prone to abuse.
Police Chief Charles Ramsey's Statement at a Public Roundtable on District Government's Response to the Crime Emergency:
EPIC's Page on Video Surveillance:
New Report Raises Questions About Privacy, Future of Internet
A detailed survey of technology thinkers and stakeholders predicts that the Internet of 2020 will be more widespread, low-cost, and contribute to a flattening of social hierarchies. However, the respondents also express concerns about interoperability, government regulations, commercial interests, and the loss of privacy. A significant 42% of survey participants are pessimistic about human ability to control the technology in the future. They predict that dangers and dependencies will grow beyond our ability to stay in charge of technology. The survey was conducted by the Pew Internet and American Life Project.
Report: The Future of the Internet II (pdf):
Committee For Voting Integrity Urges Safeguards in Maryland Elections
Last month, the state primary election in Montgomery County, Md., uncovered problems with electronic voting systems, including issues with electronic poll books and missing voter access cards that significantly delayed or prevented many voters from casting ballots. In a letter to Montgomery County elections officials, the National Committee for Voting Integrity offered constructive guidance as the county prepares for the upcoming general elections. Suggestions included: allowing voters to choose whether to use a DRE voting system or an optical scan ballot; ensuring that sufficient numbers of provisional ballots or alternative paper ballots are available should complications arise or planning fail to meet a particular contingency; and removing any wireless devices from DRE voting systems before the voting process.
National Committee for Voting Integrity Letter to Maryland Elections Officials:
EPIC's Page on Voting:
Berlin Conference: How Surveillance Technology Affects Civil Liberties
At the "Informatik und Rüstung" ("Computer Science and Warfare") conference in Berlin last week, international technology and privacy groups debated the impact of surveillance technologies upon civil liberties. Participants such as Joseph Weizenbaum, professor emeritus of computer science at MIT and author of the seminal "Computer Power and Human Reason," Klaus Brunnstein, President of the International Federation for Information Processing, and Reiner Braun, Executive Director of NATWISS, debated the application of technology to military and civilian uses. Melissa Ngo, EPIC Staff Counsel, spoke about the impact on civil liberties and the significant security and privacy risks of camera surveillance systems and radio frequency identification technology. For example, when police use camera surveillance systems to photograph and create files on people engaged in peaceful, legal demonstrations, it has a chilling effect upon free speech.
EPIC's Page on Video Surveillance:
EPIC's Page on RFID:
Facebook Responds to Users' Demands for Increased Privacy
In response to the negative reactions of many of its users, Facebook put new privacy controls on its News Feed feature into operation. Mark Zuckerberg, CEO of Facebook, published an open letter on the Web site apologizing for not having consulted with users prior to introducing the feature, which notified users of all their contacts' activities, such as profile changes from "in a relationship" to "single." However, the change is simply an opt-out and puts the burden on Facebook users to protect their privacy. Over 700,000 users signed an online petition demanding that the company discontinue the feature, stating that it compromised their privacy.
Letter from Mark Zuckerberg, Facebook CEO:
http://blog.facebook.com/blog.php?post=2208562130
EPIC's Page on Social Networking Privacy:
"Reconstructing the Fourth Amendment: A History of Search and Seizure, 1789-1868" by Andrew E. Taslitz (New York University Press 2006).
"The modern law of search and seizure permits warrantless searches that ruin the citizenry's trust in law enforcement, harms minorities, and embraces an individualistic notion of the rights that it protects, ignoring essential roles that properly-conceived protections of privacy, mobility, and property play in uniting Americans. Many believe the Fourth Amendment is a poor bulwark against state tyrannies, particularly during the War on Terror.
"Historical amnesia has obscured the Fourth Amendment's positive aspects, and Andrew E. Taslitz rescues its forgotten history in Reconstructing the Fourth Amendment, which includes two novel arguments. First, that the original Fourth Amendment of 1791—born in political struggle between the English and the colonists—served important political functions, particularly in regulating expressive political violence. Second, that the Amendment's meaning changed when the Fourteenth Amendment was created to give teeth to outlawing slavery, and its focus shifted from primary emphasis on individualistic privacy notions as central to a white democratic polis to enhanced protections for group privacy, individual mobility, and property in a multi-racial republic.
"With an understanding of the historical roots of the Fourth Amendment, suggests Taslitz, we can upend negative assumptions of modern search and seizure law, and create new institutional approaches that give political voice to citizens and safeguard against unnecessary humiliation and dehumanization at the hands of the police."
"Information Privacy Law: Cases and Materials, Second Edition," Daniel J. Solove, Marc Rotenberg, and Paul Schwartz (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
The IAPP Privacy Academy 2006. International Association of Privacy Professionals. October 18-20, 2006. Toronto, Ontario, Canada.
International Conference on Privacy, Security, and Trust (PST 2006). University of Ontario Institute of Technology. October 20-November 2006. Markham, Ontario, Canada. For more information:
Internet Governance Forum (IGF). October 30-November 2, 2006. Athens, Greece. For more information:
28th International Data Protection and Privacy Commissioners' Conference. November 2-3, 2006. London, United Kingdom. For more information:
BSR 2006 Annual Conference. Business for Social Responsibility. November 7-10, 2006. New York, New York. For more information:
5th Conference on Privacy and Public Access to Court Records. Center for Legal and Court Technology and Administrative Office of the States Courts. March 22-23, 2007. Williamsburg, Virginia. For more information:
CFP2007: Computers, Freedom, and Privacy Conference. Association for Computing Machinery. May 2007. Montreal, Canada. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.