EPIC Alert
In comments to be filed with the Department of Homeland Security on Monday, a coalition of organizations and experts in technology and privacy will urge the federal agency to curtail the "Automated Targeting System," a federal database that creates secret terrorist ratings on tens of millions of American citizens. The problems of the Automated Targeting System are described in the current EPIC Spotlight on Surveillance "Customs and Border Protection’s Automated System Targets U.S. Citizens." Public comments on the proposal will be accepted until December 4.
The system was originally established to assess cargo that may pose a threat to the United States. Now the Department of Homeland Security proposes to use the system to establish a secret terrorism risk profile for millions of people, most of whom will be U.S. citizens. Simultaneously, it is seeking to remove Privacy Act safeguards for the database.
The new description of the database differs significantly from an earlier one. As recently as March, ATS was described as "a computerized model that [Customs and Border Protection] officers use as a decision support tool to help them target oceangoing cargo containers for inspection." It is unknown when ATS expanded from merely screening shipping cargo to scrutinizing land and sea travelers. On the same day as the Homeland Security notice about the proposal to use ATS to target individuals, the Senate Homeland Security and Governmental Affairs Committee asked the department for a briefing about ATS.
According to the Department of Homeland Security, ATS assigns a "risk assessment," which is essentially a terrorist risk rating, to all people "seeking to enter or exit the United States," "engag[ing] in any form of trade or other commercial transaction related to the importation or exportation of merchandise," "employed in any capacity related to the transit of merchandise intended to cross the United States border," and "serv[ing] as operators, crew, or passengers on any vessel, vehicle, aircraft, or train who enters or exits the United States." In Fiscal Year 2005, Customs and Border Protection says it "processed 431 million pedestrians and passengers, 121 million privately owned vehicles, and processed and cleared 25.3 million sea, rail, and truck containers."
The Automated Targeting System's terrorist risk profiles will be secret, unreviewable, and maintained by the government for 40 years. The profiles will determine whether individuals will be subject to invasive searches of their persons or belongings, and whether U.S. citizens will be permitted to enter or exit the country. Individuals will not have judicially enforceable rights to access information about them contained in the system, nor to request correction of information that is inaccurate, irrelevant, untimely or incomplete.
The Automated Targeting System was created to screen shipping cargo, but it has many problems even completing that mission. An August 2006 report from the House Committee on Homeland Security gave both port and border security low marks. For port security, the department's grade is a C-/D+. "There are many gaps remaining in our port security. As some experts have noted, the current port security regime is a 'house of cards,' in which containers are often not inspected and the government does not truly know which containers are 'high risk.'"
EPIC has highlighted the problems inherent in passenger profiling systems in previous testimony and comments. In testimony before the National Commission on Terrorist Attacks Upon the United States (more commonly known as "the 9/11 Commission"), EPIC President Marc Rotenberg explained, "there are specific problems with information technologies for monitoring, tracking, and profiling. The techniques are imprecise, they are subject to abuse, and they are invariably applied to purposes other than those originally intended."
The public has until the close of business on Monday to submit comments about the Automated Targeting System.
Department of Homeland Security, Notice of Privacy Act system of records, 71 Fed. Reg. 64543 (Nov. 2, 2006):
EPIC's June 2006 Spotlight on SWIFT "Customs & Border Protection's Automated System Targets U.S. Citizens":
Government Accountability Office Testimony about problems with ATS (Mar. 30, 2006) (PDF):
EPIC's page on Total Information Awareness:
In a challenge to a dragnet search in which the DNA samples of more than 600 individuals were collected by the Baton Rouge police department, the Fifth Circuit Court of Appeals has reversed a lower court and held that the DNA search warrant lacked probable cause. EPIC submitted a "friend of the court" brief arguing that DNA dragnets are unconstitutional and ineffective.
In 2002, police investigating a series of rapes and murders near Baton Rouge, Louisiana, conducted a DNA dragnet. Shannon Kohler was one of the men approached by police. When he refused to provide a DNA sample, he was served with a seizure warrant forcing him to provide one. Kohler was later identified by police and news media as a suspect in the search for the serial killer.
After Mr. Kohler was cleared of wrongdoing in the investigation, he filed a suit against the Baton Rouge police, claiming that they lacked probable cause to obtain the warrant and that his DNA sample should be destroyed. In February 2005, a federal district court ruled against him, saying that police had probable cause based on two anonymous tips and the fact that Mr. Kohler met "certain elements of an FBI profile," which the court itself characterized as "so broad and vague that it cast a net of suspicion over thousands of citizens." The Fifth Circuit Court of Appeals reversed this decision and rejected the government's claim that it should consider a vague FBI profile to support the warrant application.
About the factors that provided the basis for the warrant, the Fifth Circuit said, "These two traits are so generalized in nature that hundreds, if not thousands, of men in the Baton Rouge area could have possessed them, and they are, therefore, insufficient to warrant the belief that Kohler was the serial killer. . . . Moreover, the cases in which profile factors have been used to support a finding of probable cause have involved a greater correlation between the profile and the suspect and far more specific evidence linking the suspect to the crime being investigated. Accordingly, we conclude that the district court erred in finding that the seizure warrant was supported by probable cause."
EPIC's amicus brief points out that DNA dragnets have been extremely ineffective in catching criminals, while the widespread collection of DNA samples erodes the privacy rights of thousands. The brief urges that clear guidelines be established before the police engage in this investigative practice.
Opinion of the Fifth Circuit Court of Appeals (PDF):
EPIC's page on Kohler v. Englade:
EPIC's amicus brief in Kohler v. Englade (PDF):
EPIC's Page on Genetic Privacy:
The Department of Homeland Security Privacy Office has released its report on the Privacy Office's activities over the past two years. The law creating the Department of Homeland Security requires the Privacy Office to issue a report every year, but the report was delayed without explanation for a year and a half.
The report discusses general efforts the Privacy Office has made since July 2004 to "embed" privacy considerations into the evaluation processes in the Department of Homeland Security, but there is no information on whether these efforts have succeeded in reducing threats to Americans' privacy. The report is lighter on specifics than the previous report, which covered the period through June of 2004. The new report discusses the Privacy Office's work with airport and immigration screening, but it ignores recent programs like video surveillance of public spaces.
The report identifies several privacy problems in DHS programs. In 2005 Congress ordered the Government Accountability Office to investigate the Transportation Security Administration's airline passenger screening programs. The GAO found significant problems with handling of personal information and violations of privacy laws. The GAO turned its findings over to the Privacy Office, which then did its own investigation. The Privacy Office claims to have continued its work with the TSA to resolve these issues. However, the report did not resolve EPIC's concerns about TSA redress procedures -- namely that citizens do not have the right to litigate to ensure their records are correct or even to view their records.
The Department of Homeland Security has received wide criticism for its identification card programs, many of which use radio frequency identification technology. The Privacy Office's report did not mention a draft report by the Department of Homeland Security Data Privacy and Integrity Advisory Committee also recommending against the use of RFID in identification documents. "RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity," the committee said.
Congress will be able to use the new report to evaluate the Privacy Office's performance.
DHS Chief Privacy Officer Report Covering July 2004 to July 2006 (PDF):
EPIC's Letter to Chief Privacy Officer Teufel (PDF):
Department of Homeland Security Data Privacy and Integrity Advisory Committee: The Use of RFID for Human Identification (PDF):
Homeland Security Act of 2002 (PDF):
Presidential Signing Statement, H.R. 5441:
EPIC's page on Privacy Report Held Hostage:
ICANN, the corporation that manages the assignment of domain names to Internet Protocol addresses, has invited public comments on its Preliminary Task Force Report on WHOIS services. The report sets out the key findings on policy issues in the generic top level domain (gTLD) space that have emerged since the WHOIS Task Force was convened last year.
Current WHOIS policy requires that domain name registrants' contact information, such as name, mailing address, e-mail address, telephone number, and fax number be publicly available. This same information has to be provided for the site's administrative and technical contacts. The Non-Commercial Users Constituency of the Generic Names Supporting Organization stated that this policy violates the privacy rights of registrants and may violate international laws and the privacy rights in the UN's Universal Declaration of Human Rights. In its preliminary report, the WHOIS Task Force agrees that new mechanisms to restrict some contact data from publication should be adopted to address privacy concerns.
In April 2006, the Generic Names Supporting Organization Council, to whom the task force reports, adopted a working definition of the purpose of WHOIS that restricts use of WHOIS data to its original purpose: the resolution of issues related to the configuration of the records associated with the domain name. The task force is now considering the purpose of the various WHOIS contacts and the public availability of WHOIS data within the context of this definition.
The report highlights two different approaches to limitations on the availability of WHOIS data. The first proposal, supported by the Registrar, Registry, and Non-Commercial Users Constituencies, removes administrative and technical contacts from WHOIS and requires that registrants use an "operational point of contact," an intermediary who would contact the registrant in the case of an issue with the domain name. WHOIS would also continue to publish the registrant's name and country. The second proposal, supported by the Intellectual Property and Business Constituencies, retains the current data fields required under WHOIS, but allows individuals who can demonstrate reasonable concern that public access to their contact data would jeopardize their personal safety or security to substitute contact details of the registrar for their data.
EPIC, privacy agencies, and a coalition of organizations earlier recommended that ICANN adopt the first approach, also described as "Formulation One," to help safeguard the privacy interests of Internet users.
The report also outlines five proposals which address alternative access to WHOIS data, other than public availability, which range in scope from discretionary access decisions made by the Registrar and based on best practices, to contractual limitations on the use of requested data.
The public comment period runs until January 15, 2007. The task force will consider the public comments received and prepare a final report for submission to the Generic Names Supporting Organization Council.
ICANN Launches Public Comments on WHOIS Task Force Report:
ICANN Preliminary Task Force Report on WHOIS Services:
EPIC's WHOIS page:
EPIC Comments to ICANN In Support of Formulation One:
A 23-year-old senior at UCLA, Mostafa Tabatabainejad, a U.S. citizen by birth, was shocked with a Taser five times by UCLA police after failing to show his ID card in the library. Tabatabainejad is of Iranian descent.
The incident, which was caught by a student on his cell phone camera, occurred around 11 p.m. on November 21, 2006, in UCLA's Powell library. Reports of the event vary: some students have said that when campus police arrived, Tabatabainejad was already leaving. University authorities, however, say that he refused repeated requests by community service officers and regular campus police to show ID or leave. ID cards are required in the library after 11 p.m.
The officers used the device in stun mode, which delivers volts of low-amperage energy to the body, causing a disruption of the body's electrical energy pulses and locking the muscles, as opposed to dart mode, which disables the person entirely. According to an Amnesty International report, the police use of Tasers has resulted in several deaths.
Accounts of why he was repeatedly shocked are contradictory as well. UCLA Assistant Police Chief Jeff Young described Tabatabainejad as a passive resister who, at 200 pounds, was too heavy to move. Students, however, noted that he was tased while being handcuffed, and he repeatedly said "I'm not fighting you" and "I said I would leave." When another student asked one of the officers for his badge number, the officer threatened to shock him as well, which is illegal.
The university, under pressure from concerned parents and alumni, as well as students, ordered an independent investigation. The announcement came shortly after more than 300 students marched to the UCLA police station. The review will be conducted by Merrick Bobb, a veteran law enforcement watchdog, who has investigated allegations of police misconduct, including the Rodney King beating.
While the Los Angeles Police Department and the Los Angeles County Sheriff's Department allow officers to use Tasers only if a suspect poses a physical threat or is combative, according to Young, the UCLA police are allowed to use Tasers on passive resisters as a "pain compliance technique." They are the only University of California officers allowed to use Tasers in that manner.
Ex-Marine Terrence Durren, the officer who tasered Tabatabainejad, has been the subject of use-of-force complaints, which he has denied, and was previously recommended for dismissal. He was fired from the Long Beach Police Department in 1990. He remains on active duty while the investigation is being conducted.
Video: "Student Tasered by police for not showing ID":
Amnesty International Report: "Excessive and lethal force? Amnesty International's concerns about deaths and ill-treatment involving police use of tasers":
EPIC's page on National ID Cards and REAL ID Act:
EPIC FOIA Note: E-Passports Less Reliable Than Traditional Passports
A document obtained by EPIC from the State Department reveals that 2004 government tests found that passports with radio frequency identification (RFID) chips are read 27% to 43% less successfully than the previous Machine Readable Zone technology (two lines of text printed at the bottom of the first page of a passport). The State Department has begun issuing "e-passports," with personal data embedded on RFID chips, saying they would be more secure and faster to process. Previous documents obtained by EPIC under the FOIA showed that the same tests found the chip readers "require too much attention and time on the part of the inspector." Recent reports by the Department of Homeland Security Data Privacy and Integrity Advisory Committee and European experts also recommend against the use of RFID tags in identity documents.
EPIC FOIA Notes #14:
Department of Homeland Security Data Privacy and Integrity Advisory Committee: The Use of RFID for Human Identification (PDF):
EPIC Debuts Page on REAL ID's Impact on Domestic Violence Survivors
EPIC has prepared a page about the potential of REAL ID to severely harm the privacy interests of domestic violence survivors. The federal Real ID Act creates national standards for issuing state drivers licenses and identification cards. Survivors could have their confidentiality under REAL ID, which facilitates data collection by the private sector and will make it easier for abusers to get information on their victims. Exceptions from REAL ID requirements for domestic violence survivors will not adequately protect them. Some of REAL ID's harms to privacy may come before someone is subject to domestic violence, and thus before someone would be eligible for any exemptions. The page is a part of EPIC's recently launched Privacy and Domestic Violence Project.
EPIC's page on the REAL ID Act and Domestic Violence:
EPIC's Domestic Violence and Privacy Project:
Copyright Office Announces New Rules on Technological Circumvention
On November 27, 2006, the Librarian of Congress, on the recommendation of the Register of Copyrights, announced six classes of works subject to the exemption from the prohibition against circumvention of technological measures that control access to copyrighted works. Persons making noninfringing uses of these classes of works will not be subject to the prohibition against circumventing access controls, established by the Digital Millennium Copyright Act, during the next three years. In 1998, EPIC testified in opposition to the DMCA, stating that the bill would diminish online privacy and warned that "the anti-circumvention language in section 1201 is extraordinarily broad and will have all sorts of unintended consequences." EPIC said that the "crime of circumvention should be specifically linked to the actual infringing act and not simply the use of a particular technique that may or may not be harmful." EPIC also recommended the development of techniques to protect copyrighted works that did not track the activities of Internet users. Some of these concerns were addressed in subsequent decisions of the Copyright Office, but others were not.
U.S. Copyright Office: Anticircumvention Rulemaking:
EPIC Testimony before the House Committee on International Relations on Copyright and Privacy (1998):
EPIC's page on Digital Rights Management and Privacy:
NSA Not Required to Release Details on Wiretapping Program
A federal judge in Washington, D.C. ruled last week that the National Security Agency is not required to release details about its secret wiretapping program. After the NSA denied a Freedom of Information Act request on national security grounds, People for the American Way filed suit seeking information on the program's review process as well as how many wiretaps were performed. This is the latest in a spate of divided judicial opinions issued on the surveillance program in the last six months. This week, after months of pressure from Congressional Democrats, the Justice Department's inspector general said his office had begun a review of the department's role in President Bush's domestic eavesdropping program and the legal requirements governing the program. EPIC has previously called attention to the illegality of the NSA program and urges a congressional investigation.
EPIC's Resources on Domestic Surveillance:
Marc Rotenberg, EPIC Executive Director, "Congress is legislating in the dark: Lawmakers need more information before OKing Bush surveillance program":
European Union: SWIFT's U.S. Data Transfer Violated Data Protection Laws
The European Union's Article 29 Data Protection Working Party concluded last Thursday that the Society for Worldwide Interbank Financial Telecommunications (SWIFT) violated data protection laws by transferring records of millions of private financial transactions to American intelligence agencies. SWIFT, a Brussels-based banking consortium which routes information among 7,800 financial institutions in more than 200 countries, complied with U.S. Treasury Department subpoenas for five years in what the Working Party called a "hidden, systematic, massive and long-term transfer of personal data." According to the unanimously adopted draft statement, SWIFT failed to provide an appropriate level of protection to meet the requirements for international transfers of personal data; further, the transfer agreement demonstrated a lack of transparency and adequate and effective control mechanisms, and violated the principles of proportionality and necessity contained in EU Data Protection Directive 95/46/EC.
Article 29 Working Party Press Release on the SWIFT Case (PDF):
http://www.epic.org/redirect/a29wp06.html
EPIC's June 2006 Spotlight on SWIFT, "Treasury's International Finance Tracking Program of Questionable Legality":
"Privacy Protection for E-Services" by George Yee (Idea Group 2006).
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
Public Meeting with Privacy and Civil Liberties Experts. Privacy and Civil Liberties Oversight Board. Georgetown University. December 2006. Washington, DC. For more information:
http://www.privacyboard.gov/press/20061124.html
FACEBOOK, What It Is, How It Works, Why It Matters to You, Audio Conference. International Association of Privacy Professionals. December 7, 2006. For more information:
Assessing Current Privacy Issues. Riley Information Services, Inc. February 21, 2007. Ottawa, Ontario, Canada. For more information:
5th Conference on Privacy and Public Access to Court Records. Center for Legal and Court Technology and Administrative Office of the States Courts. March 22-23, 2007. Williamsburg, Virginia. For more
CFP2007: Computers, Freedom, and Privacy Conference. Association for Computing Machinery. May 2007. Montreal, Canada. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.