E P I C A l e r t
Documents obtained by EPIC under the Freedom of Information Act reveal that Deputy Under Secretary Robert C. Cresanti, Chief Privacy Officer for the Department of Commerce, made time in 2006 for many meetings with business groups but was unable to attend one scheduled meeting with privacy advocates.
The documents were provided in response to a FOIA request from EPIC regarding the various meetings scheduled by the Chief Privacy Officer for the Department of Commerce from the time of his appointment in mid-July through September 8. Mr. Cresanti attended more than 25 meetings with business lobbyists and corporate representatives across the country, including business lunches and dinners with DaimlerChrysler, Pitney Bowes and the Council on Competitiveness, whose members include executives from Wal-Mart and IBM. He also attended day-long business meetings in Detroit, Michigan; Elyria, Ohio, and Chicago, Illinois.
However, the top privacy official at the Commerce Department did not attend one pre-scheduled meeting with privacy advocates in Washington, DC. Cresanti had accepted an invitation to speak to the Privacy Coalition, a network of privacy experts and advocates based in Washington, DC.
Cresanti had agreed to speak with the Privacy Coalition on September 8 at 1:15 p.m., after another meeting at the National Institute of Standards and Technology. But his appointment at NIST, scheduled to end at noon, was completed earlier than anticipated and he went back to his office. When Cresanti did not arrive at the privacy meeting, the coalition was informed that he had made an impromptu decision to have lunch instead. Cresanti has not rescheduled.
The Department of Commerce is responsible for a wide range of privacy issues of concern to the American public. For example, the Commerce Department is responsible for the decennial census and the data collected by the federal government. Questions have also been raised about security of the data the agency maintains on American citizens. In September, the Commerce Department disclosed the loss of 1,137 laptops -- many of which contained personal information on Americans. The agency also disclosed that, since 2003, about 297 electronic devices containing sensitive data had gone missing.
The Department of Commerce also establishes policy that affects privacy rights in other countries. In September 2005, EPIC urged Commerce Secretary Carlos M. Gutierrez to restrict the export of high-tech surveillance equipment to China. While U.S, law limits the export of tear gas, handcuffs, and shotguns to China, high-tech equipment that is used for communications surveillance and censorship is exported to the country without restrictions. EPIC's letter cited the 2005 US State Department report and the Privacy and Human Rights report, which document the role that surveillance and censorship technology play in political repression.
In announcing the appointment of Cresanti to the position of Chief Privacy officer for the Department, Commerce Secretary Gutierrez said, "Information privacy and security is of primary importance to us here at Commerce, and we are fortunate to have Robert Cresanti's expertise to call upon," said Secretary Gutierrez. "I am confident that Robert's background, experience, and concern for privacy and security make him well suited to take on the role of Chief Privacy Officer for the Department of Commerce."
EPIC's FOIA Note, "Government Privacy Official: Out to Lunch When it Comes to Privacy":
Department of Commerce:
Press Release Announcing Cresanti's Appointment:
EPIC's Letter to the Department of Commerce (pdf):
News Article about the Loss of Laptops at Commerce:
Following the election of a Democratic Congress last week, President Bush said that the current Congress, still under the control of the Republicans, should try to pass legislation that would ratify his domestic surveillance program before adjourning later this year. That program is facing legal challenges in courts across the United States.
The legislation that the President favors would prevent traditional federal judges from considering whether the domestic surveillance program violates the Constitution or federal privacy laws. It would also establish a new immunity provision for telephone companies that would allow them to disclose confidential information about their customers to the federal government without legal authority. Several bills are under consideration in the Senate, and one bill has passed the House.
Congress goes on recess this week and is expected to return to Washington on December 5. The first session of the new Congress is scheduled to begin on January 4, 2007.
EPIC's Resources on Domestic Surveillance:
Wikipedia, NSA Warrantless Surveillance Controversy:
Marc Rotenberg, EPIC Executive Director, "Congress is legislating in the dark: Lawmakers need more information before OKing Bush surveillance program":
Schedule of the U.S. Senate:
A new report from Privacy International ranked the state of privacy protection in 37 countries around the world. The survey, based on the joint EPIC and Privacy International "2005 Privacy and Human Rights Report," found wide disparities in the levels of privacy protection and enforcement.
Privacy International derived each country's ranking from the average of scores received in 13 categories of privacy protection, which ranged from the extensiveness of countries' statutory and constitutional protections to their practices on particular privacy issues, such as biometrics, data sharing and surveillance. The survey also evaluated countries' leadership on privacy issues. Germany and Canada topped the survey, while Malaysia, China, Russia, Singapore and the United Kingdom received the lowest rankings, placing them in the category of 'endemic surveillance societies.'
The report was simultaneously released at the UN's Internet Governance Forum in Athens and the 28th annual International Data Protection and Privacy Commissioners' Conference in London. The London conference included 58 data protection and privacy authorities, as well as a number of legal scholars and NGOs from around the world. The privacy commissioners expressed concern about the rapid growth of surveillance. While surveillance activities can bring benefits, uncontrolled or excessive surveillance poses substantial privacy and security risks, the commissioners said. More sophisticated regulatory schemes beyond privacy and data protection safeguards are needed to address these risks.
"A Report on the Surveillance Society," was also presented at the conference, discussed the operation and consequences of the surveillance society as well as some of the regulatory challenges that it poses. The incorporation of societal impacts into the assessment of surveillance activities will enhance current privacy impact assessment models, which tend to focus on the effect to the individual, the report said.
The privacy commissioners issued three resolutions at the conference, which accredit eight new national and regional data protection authorities and clarify future conference organization arrangements. The third resolution recommended an increase in transparency, data minimization, and consent-based storage of personal data by Internet Service Providers. It also urged providers to abide by the internationally recognized standards for privacy protection, such as the 1980 OECD Privacy Guidelines.
Privacy International's 2006 National Privacy Ranking:
Privacy and Human Rights 2005: An International Survey of Privacy Laws and Developments:
Twenty-eighth Annual International Data Protection and Privacy Commissioners' Conference:
A Report on the Surveillance Society (pdf):
Many instances of electronic voting machine failures marred the voting experience for voters in the states of Arkansas, Florida, Maryland, Pennsylvania and Virginia. The problems ranged from electronic poll-book failures to insufficient numbers of voting machines to serve polling locations. The most notable problem was the failure of Election Systems & Software's iVotronic touch-screen voting system, which resulted a 13% undervote in the race in the 13th Congressional District in Florida. About 18,000 votes were lost due to the failure.
On Election Day, Rice University and the National Committee for Voting Integrity conducted a survey of voters in Jefferson County, Texas, to learn more about the adoption of new voting systems. Jefferson County used the optical scan and direct recording electronic (DRE, also called touch-screen) voting system. The survey was conducted because of interest in how voters and election administrators are being affected by changes in voting technology after the enactment of the 2002 Help America Vote Act. The research involved timing how long it took for voters to use either the optical scan or touch screen voting system and collection of voter opinions about the system that they used. The results of the surveys will take several weeks to analyze.
With the enactment of the Act, Congress for the first time created a role for the federal government in the administration of local elections when federal offices are on the ballot. Many changes made by the Act will impact all elections, not just federal ones. The Act created a new federal government agency to provide guidance to states and instituted requirements for access by those with disabilities.
The result has been a historic shift from lever, paper, and punch card voting systems to optical scan and DRE systems. According to Election Data Services, a political consulting firm specializing in election administration, the transformation to electronic systems is nearly complete. The numbers of registered voters in counties using optical scan voting systems has increased from 46.7 million (29.5%) to 84 million (48.9%). The number of registered voters in counties using DRE systems have increased from 19.7 million (12.4%) to 65.9 million (38.4%) within two federal election cycles. Less than 15% of registered voters are in counties that do not use either system.
National Committee for Voting Integrity:
EPIC's September 2006 Spotlight on Surveillance: With Some Electronic Voting Systems, Not All Votes Count:
EPIC's page on Voting and Privacy:
EPIC joined with other organizations in urging the Supreme Court to review Gilmore v. Gonzales. The case concerns a secret rule that allows airport personnel to require travelers in the United States to produce identification. EPIC wrote in its "friend of the court" brief that the secret agency rule violates the constitutional right of due process. The secrecy prevents meaningful review and allows for arbitrary enforcement.
John Gilmore is challenging the government's unpublished law or regulation requiring passengers to present identification to fly on commercial airlines. Gilmore argues that the requirement violates numerous constitutional protections, including the rights to travel, petition and freely assemble, be free from unreasonable search and seizure, and have access to due process of law. Gilmore is petitioning to the Supreme Court after the Ninth Circuit Court of Appeals ruled for the government earlier this year.
"The secret identification directive acts as a legal obligation that directly affects millions of travelers while providing no public notice or allowing for the traditional checks on arbitrary or prejudicial enforcement,” EPIC wrote in its brief. "Unpublished, secret laws undermine the very essence of self-government. Central to the American form of government has been a longstanding commitment to public trials and to openness in government decisionmaking."
EPIC urged the Supreme Court to grant Gilmore's petition for a writ of certiorari so that it could review a "secret agency rule that offends the Constitution and implicates the rights of millions of American travelers who are presently subject to arbitrary and unaccountable governmental authority."
Gilmore v. Gonzales site:
EPIC's amicus brief to the Supreme Court:
EPIC's page on Passenger Profiling:
EPIC Welcomes Three Members to Board of Directors
Three new members have joined EPIC's board of directors: Consumer attorney Philip Friedman, security expert Bruce Schneier, and .ORG manager Edward Viltz. The EPIC board of directors also elected Deborah Hurley as Chair, Peter Neumann as Treasurer, and Jerry Kang as Secretary. Anita Allen, Whitfield Diffie, and Marc Rotenberg continue their service to EPIC as members of its board. Rotenberg thanked Barbara Simons for her long service to EPIC. She recently stepped down from the board of directors after serving as chair and treasurer.
EPIC's Board and Staff:
EPIC Debuts Page on Violence Against Women Act
EPIC's has prepared a Web page reviewing the provisions of the Violence Against Women Act that affect privacy. Since 1994, the Act has been the premier way to set federal sexual assault and domestic violence policy. The Act affects privacy in its regulation of federal rules of evidence; confidentiality requirements in grant conditions; collection of data from homeless shelter; definitions of cyberstalking; and provisions authorizing DNA collection into federal databases. The page is a part of EPIC's recently launched Privacy and Domestic Violence Project.
EPIC's Privacy and Domestic Violence Project:
EPIC's page on the Violence Against Women Act and Privacy:
Dynamic Privacy Coalition Launched at Internet Governance Forum
In early November, more than 1,200 government, private, academic and civil society representatives discussed issues of Web governance at the Internet Governance Forum's first meeting. Attendees agreed to launch "dynamic coalitions," multi-stakeholder groups that work together on a common issue through the use of online collaboration tools and meetings. Almost 50 groups, including EPIC, France's Foreign Ministry, Privacy International and the World Bank, jointed to create the Dynamic Coalition on Privacy. The group aims to further develop and clarify the public policy aspects of privacy in Internet governance. The group will focus on the issues of digital identities, the link between privacy and development, and the importance of privacy and anonymity for freedom of expression. The French government has offered to host a Dynamic Coalition on Privacy meeting in Paris in early 2007.
European Digital Rights: "IGF Outcome: Dynamic Coalition on Privacy":
European Experts Reject Use of RFID in ID Documents
European experts on identity management have released a declaration warning against the use of radio frequency identification (RFID) technology in identification documents. "By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international Machine Readable Travel Documents which dramatically decrease their security and privacy and increases risk of identity theft," according to the declaration. This comes soon after the release of a draft report by the Department of Homeland Security Data Privacy and Integrity Advisory Committee also recommending against the use of RFID in identification documents. "RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity," the committee said.
"Budapest Declaration" is available in several languages:
Department of Homeland Security Data Privacy and Integrity Advisory Committee: The Use of RFID for Human Identification (pdf):
Almost 450 IRS Laptops Either Stolen or Lost Since 2003
The Internal Revenue Service is the latest federal agency to admit it has lost or had stolen many laptop computers. Documents obtained by WTOP through the Freedom of Information Act, show that from 2002 till now, the agency had 478 laptops either lost or stolen. The personal data of taxpayers, including Social Security numbers, were in 112 computers. The IRS has announced that, beginning in January, it "will be installing an automatic encryption system that will encrypt all information on the hard drives." Other federal agencies have reported such security breaches. The largest was revealed in May, when the Department of Veterans Affairs announced that a hard drive and laptop containing sensitive data on 26.5 million veterans, active duty military personnel, and family members had been stolen from an employee's home.
Internal Revenue Service:
EPIC's page on the Veterans Affairs Data Theft:
"Privacy Lost: How Technology Is Endangering Your Privacy" by David H. Holtzman (Jossey-Bass 2006).
"While other books in the field focus on specific aspects of privacy or how to avoid invasions, David H. Holtzman—a master technologist, internet pioneer, security analyst, and former military codebreaker—presents a comprehensive insider's exposé of the world of invasive technology, who's using it, and how our privacy is at risk. Holtzman starts out by categorizing privacy violations into "The 7 Sins Against Privacy" and then goes on to explain in compelling and easy to understand language exactly how privacy is being eroded in every aspect of our lives.
"Holtzman vividly reveals actual invasions and the dangers associated with the loss of privacy, and he takes a realistic look at the trade offs between privacy and such vital issues as security, rights, and economic development."
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
FACEBOOK, What It Is, How It Works, Why It Matters to You, Audio
Conference. International Association of Privacy Professionals. December
7, 2006. For more information:
Assessing Current Privacy Issues. Riley Information Services, Inc.
February 21, 2007. Ottawa, Ontario, Canada. For more information:
5th Conference on Privacy and Public Access to Court Records. Center for
Legal and Court Technology and Administrative Office of the
States Courts. March 22-23, 2007. Williamsburg, Virginia. For more
CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.