
EPIC Alert


EPIC Alert 13.06 [2006] EPICAlert 6


Volume 13.06 March 24, 2006

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
Table of Contents

[1] EPIC, Archive File Brief Supporting Release of Abu Ghraib Images
[2] EPIC Testifies Against Social Security Number Expansion
[3] House Committee Approves Bill to Weaken Data Breach Laws
[4] Judge Restricts Justice Department's Demand for Google Records
[5] Security Flaws at Retailers Affect Thousands of Debit Card Holders
[6] News in Brief
[7] EPIC Bookstore: Mark S. Monmonier's "Spying with Maps"
[8] Upcoming Conferences and Events

[1] EPIC, Archive File Brief Supporting Release of Abu Ghraib Images

EPIC and the National Security Archive have filed an amicus brief urging an appeals court to permit the disclosure of photos and videos showing American troops abusing detainees at Abu Ghraib prison in Iraq. The Pentagon has refused to release the information to the American Civil Liberties Union under the Freedom of Information Act, claiming that it would endanger U.S. soldiers serving in Iraq. EPIC and the Archive argue that the government is turning FOIA on its head by claiming that information likely to expose government misconduct should be withheld to prevent public outrage.

In this case, the ACLU submitted Freedom of Information Act requests to several government agencies for information about the treatment of detainees in U.S. custody, including controversial images of abuse that had been reported in the media. When the government failed to respond to the ACLU's request nearly a year later, the organization filed suit in the District Court for the Southern District of New York. U.S. District Judge Alvin K. Hellerstein reviewed a sampling of photos depicting abuse of detainees, and ordered the government to release them in redacted form to protect the privacy of the pictured individuals.

The government appealed the ruling to the Second Circuit Court of Appeals, arguing that disclosure of the images would "endanger the life or physical safety" of U.S. troops and coalition forces by provoking insurgent and terrorist attacks against them. The government also said that the photos should not be released, even in the redacted form required by Judge Hellerstein, because such disclosure could invade the personal privacy of the detainees.

The amicus brief written by EPIC and the Archive argues that the government's claims undermine the FOIA's purpose of promoting open, honest and accountable government. The brief shows that U.S. courts have never allowed the potential for public anger to thwart the right to free expression guaranteed by the Constitution and reflected, in part, by the FOIA.

The brief also argues that disclosure of the photos will not threaten personal privacy because Judge Hellerstein has already taken precautions to safeguard the rights of the pictured detainees. Disclosure of these redacted images will advance the public interest in examining the propriety of the U.S. soldiers' conduct. Such disclosure will also help to hold higher government officials responsible for the abuses at Abu Ghraib.

Amicus Brief Filed by EPIC and the National Security Archive (pdf):

District Court Decision in ACLU v. Department of Defense (pdf):

National Security Archive Press Release:

[2] EPIC Testifies Against Social Security Number Expansion

In testimony before the House Subcommittee on Social Security, EPIC Executive Director Marc Rotenberg urged Congress not to expand the uses of the Social Security number and the Social Security card. "Every system of identification is subject to error, misuse, and exploitation," Rotenberg said.

The hearing was the fourth in a series held by Representative McCrery (R-LA) to focus on high-risk issues facing the Social Security number. The hearings, held over the course of the last four months, examined fraud, the use of the number in verifying employment eligibility, and possible modification of the card.

Some members of Congress have proposed that the card contain digital photos, machine-readable identifiers, and biometric identifiers that could turn the Social Security card into a national ID card. Current Social Security cards, while bearing anti-counterfeiting features such as those used on banknotes, are not intended or designed to be used for identification.

In creating the Social Security Administration in the 1930s, Congress was concerned with the number being used as a universal identifier that could aid in government tracking of activities, and the first act of the newly formed Administration was to limit the card's use. Congress also halted later expansions of the card's role by passing Section 7 of the Privacy Act of 1974. Putting the card to new, unintended uses, Rotenberg testified, would erode privacy, running counter to this trend of protection. Rotenberg also noted that the improper use of the SSN for identification by the private sector contributes to identity theft.

Nevertheless, members of Congress, including Representatives David Dreier (R-CA) and Silvestre Reyes (D-TX), called for additions to the card. Representative Dreier insisted both that Social Security numbers are already used for identification purposes by the private sector, and also that the new photograph-bearing, machine-readable card would not, in fact, be an identification document.

Frederick Streckewald of the Social Security Administration testified that adding ID-like features to the Social Security card would cost at least $9.5 billion. Dr. Stephen Kent of the National Research Council also testified that complex ID systems like the one proposed for the Social Security card often are pressed into unintended secondary uses that can cause privacy and security problems.

Testimony of EPIC Executive Director Marc Rotenberg before Subcommittee on Social Security (pdf):

Subcommittee on Social Security, Fourth Hearing on High-Risk SSN Issues:

EPIC's SSN Page:

[3] House Committee Approves Bill to Weaken Data Breach Laws

The House Financial Services Committee approved legislation last week that would roll back protections for many Americans' personal records. The Financial Data Protection Act would create a weak national standard for consumer protection, overriding or "preempting" stronger state consumer protection laws.

For instance, companies only have to notify consumers of data breaches where "information is reasonably likely to have been or to be misused in a manner causing substantial harm or inconvenience." However, many states have more stringent requirements that cause notices to be issued whenever a security breach occurs. The reasoning behind these requirements is that businesses have significant incentives not to give notice, and may overlook breaches and their potential harms to avoid embarrassment. But other loopholes in the language further limit the requirement to give notice. These include that the information must be "sensitive financial personal information," and that the company must know the scope of the breach (in many cases, the scope is unknown).

The credit freeze provisions are similarly weak. Credit freeze is the ability of an individual to limit disclosure of their consumer report to new creditors, thus stopping companies from opening new accounts. This erects a nearly perfect shield against identity theft. Many states allow any concerned residents to freeze their credit as a precaution against future fraud. H.R. 3997, however, only allows credit freeze once someone has become a victim of identity theft. Furthermore, H.R. 3997 creates a difficult-to-use freeze mechanism that requires the victim to provide proof of the crime, to send the freeze request by certified mail, and it allows the consumer reporting agency to wait five business days before implementing the freeze. These inconveniences are designed to stop consumers from freezing their reports.

The main driver of this legislation is preemption: the desire of many businesses to supersede stricter state laws. Additionally, the bill prohibits enforcement by the state attorneys general, weakening any possible enforcement of the law. The bill will next be considered by other committees in the House and Senate, where there is a possibility that it could be strengthened.

H.R. 3997, the Financial Data Protection Act:

EPIC's Page on Choicepoint and Other Security Breaches:

Coalition letter on ID Theft Legislation:

[4] Judge Restricts Justice Department's Demand for Google Records

On March 17, a federal district judge in California issued an order limiting the Justice Department's demand for records from Google. While Google must still turn over a list of 50,000 web addresses, it will not have to reveal any Internet search terms submitted by users.

The government's demands had been significantly narrowed compared to the subpoena filed last August. That subpoena asked for the addresses of all web sites indexed by Google, as well as every search term entered into Google during a two-month period in 2005. Yahoo, Microsoft, and AOL were also asked to provide records. Of the companies, Google alone objected, claiming that the demand threatened Google's trade secrets and its image as a protector of users' privacy.

In making the decision, Judge Ware of the Northern District of California recognized that the demand affected not just Google, but also the privacy rights of individual Google users. Not only do users want the terms they search for to be private, search terms alone can sometimes reveal a user's identity, such as when people search for their social security numbers or credit card numbers to see if that information is available on the Internet. The judge also noted that the government might, in looking through search terms, decide to follow up on information for unauthorized purposes, quoting a Justice Department spokesperson who said that "if something raised alarms, we would hand it over…"

Because of these concerns, the judge ruled that Google did not have to turn over search terms, but that the list of web addresses, since they did not impact privacy, had to be turned over.

The Justice Department is seeking the records to conduct a statistical study for the defense of the Child Online Protection Act, an online censorship law that was blocked as unconstitutional by the Supreme Court in 2004. The government has given few details as to how it intends to use the information, an omission that the judge called "particularly striking," considering the time the government had to prepare the case, and given that it already had essentially the same information from the other major search engines.

The Child Online Protection Act makes it a criminal offense for anyone to post adult material on the web, unless they first collect information from users proving that the user is not a minor. The Supreme Court barred enforcement of the law, saying that the government had not proven that this restriction on free speech was the most effective means to prevent minors from viewing adult material on the Internet.

Text of the Decision in Google v. Gonzales (pdf):

Supreme Court Ruling on the Child Online Protection Act, Ashcroft v.

EPIC's Child Online Protection Act Page:

[5] Security Flaws at Retailers Affect Thousands of Debit Card Holders

Hundreds of thousands of debit cards may have been affected by fraud, but affected banks, card companies, and retailers are releasing very few details on the incident. Consumers first became aware of the problem as major banks, including Citibank, Wells Fargo, Washington Mutual, and Bank of America blocked ATM transactions in Canada, the United Kingdom and Russia, and quietly began issuing new debit cards to customers.

The affected banks have since told reporters that the problems were related to fraudulent transactions that had been traced to data breaches at unspecified retailers. Recent reports have named OfficeMax and Sam's Club stores as likely sources for the breach, although OfficeMax continues to deny that it knew of any security mishaps.

Thieves have apparently been able to collect not only the data contained within the magnetic strips on victims' ATM cards, but also the PIN codes that allow access to their accounts. Fraudulent withdrawals in Canada, the United Kingdom, and Russia apparently triggered the blocks in those countries, and have led to the arrests of 14 people in New Jersey.

When consumers purchase goods with an ATM card, the PIN entered into the register is supposed to be encrypted when it is sent out for verification, and deleted after the transaction is complete. For the breaches to have occurred, the information must have been improperly retained on a computer and the thieves must have been able to decrypt the coded PINs, either because the encryption key was carelessly stored on the same server, or through hacking by an insider.

The scope of the breach underscores the need for laws that will protect consumers from such crimes, by notifying them when breaches occur and allowing them to freeze accounts if they suspect fraud. Many bills currently before Congress provide loopholes that would allow breaches like this one to go unreported, and would not allow victims to place security freezes on their accounts unless they first filed a police report. Some of the proposed laws would also eliminate stronger state consumer protections.

EPIC's Identity Theft Page:

Coalition letter on ID Theft Legislation:

[6] News in Brief

Lawmakers Propose .xxx Domain

Senators Max Baucus (D-MT) and Mark Pryor (D-AR) have proposed the Cyber Safety for Kids Act, a bill that would require the creation of a .xxx top-level domain. The law would require websites in the business of distributing adult material to register and host all adult material at the .xxx domain, instead of using any of the current top-level domains (such as .com, .net, .biz or others). Those who fail to use the .xxx domain would be subject to civil penalties by the Department of Commerce. The bill has not yet been introduced.

Text of the .xxx TLD Bill (pdf):

Court Limits Warrantless Searches of Homes by Police

The Supreme Court ruled Wednesday in Georgia v. Randolph that police, who do not have a warrant, may not search a home when one resident allows entry but another refuses it. Officers found evidence of illegal drugs in a home after a woman had given her consent to the officers but her husband had objected. In 1974, the Supreme Court ruled in United States v. Matlock that one occupant may give police permission to search a residence without a warrant if the other resident either is absent or does not object.

Supreme Court Opinion in Georgia v. Randolph (pdf):

Court: Fliers Must Complete Search Process Once It's Begun

Last week, the Ninth Circuit Court of Appeals ruled in United States v. Aukai that travelers who begin the security screening process at airports cannot change their minds. The court said passengers who walk through airport metal detectors implicitly consent to a search, and they can't revoke that consent even if they are chosen to undergo a more extensive "secondary screening" process. The court did not rule on whether a passenger could refuse searches that are more invasive than simple pat-downs.

Ninth Circuit Opinion in United States v. Aukai (pdf):

EPIC's Passenger Profiling page:

State Passes Pretexting Law

Washington State appears to be the first to pass legislation to protect telephone records. The House and Senate have passed SB 6776, but the bill still awaits the Governor's signature. SB 6776 prohibits the intentional sale of phone records without consent of the account holder. It also prohibits pretexting. Under the law, it is a "class c felony" to sell, pretext, or knowingly purchase phone records, while it is a "gross misdemeanor" to knowingly receive records. There are also civil remedies, including a $5,000 liquidated damages award and attorneys' fees. Government entities and telephone companies are exempt from the law.

EPIC Illegal Access to Phone Records Page:

Washington State Senate Bill 6776:

Chips Vulnerable to Viruses

A study by European researchers has revealed that radio frequency identification (RFID) systems can be affected by viruses encoded into individual chips. Melanie Rieback, Bruno Crispo, and Andrew Tanenbaum have authored a paper describing how the remotely readable tags can be programmed to infect the machines that read them and the databases that store their information. Such malicious programs could then force the systems to produce more infected tags, further spreading the virus.

Text of the RFID Virus Paper (pdf):

Paper Authors' Page on RFID Viruses:

EPIC's RFID page:

Gmails to be Turned Over in FTC Case

A federal magistrate judge has ordered that Google turn over all of the email correspondence of a Gmail user, including emails that he has deleted. The Federal Trade Commission, investigating a credit counseling scam, subpoenaed the emails of Peter Baker, the owner of a company linked to the case. The subpoena asked not only for the email in Baker's Gmail mailboxes, but also for deleted emails that were retained on Google computers. Google's privacy policy says that copies of deleted email may remain on active servers for up to 60 days, or indefinitely on offline backup servers.

Google's Gmail Privacy Policy:

EPIC's Gmail page:

Security Gets Another 'F' for Computer Security

A report by the House Government Reform Committee found that many federal agencies are failing to protect their computer and information networks. The committee gave the Department of Homeland Security an 'F' for a third straight year. The departments of Agriculture, Defense, Energy, State, Health and Human Services, Transportation, and Veterans Affairs also received failing grades again this year. The annual report bases the grades on information the agencies submit to the White House Office of Management and Budget, and the agencies' own internal assessments.

Report and Testimony from Various Agency Leaders:

[7] EPIC Bookstore: Mark S. Monmonier's "Spying with Maps"

Mark S. Monmonier. "Spying with Maps: Surveillance Technologies and the Future of Privacy" (University of Chicago Press, 2002).

"Maps, as we know, help us find our way around. But they're also powerful tools for someone hoping to find you. Widely available in electronic and paper formats, maps offer revealing insights into our movements and activities, even our likes and dislikes. In Spying with Maps, the "mapmatician" Mark Monmonier looks at the increased use of geographic data, satellite imagery, and location tracking across a wide range of fields such as military intelligence, law enforcement, market research, and traffic engineering. Could these diverse forms of geographic monitoring, he asks, lead to grave consequences for society? To assess this very real threat, he explains how geospatial technology works, what it can reveal, who uses it, and to what effect.

Despite our apprehension about surveillance technology, Spying with Maps is not a jeremiad, crammed with dire warnings about eyes in the sky and invasive tracking. Monmonier's approach encompasses both skepticism and the acknowledgment that geospatial technology brings with it unprecedented benefits to governments, institutions, and individuals, especially in an era of asymmetric warfare and bioterrorism. Monmonier frames his explanations of what this new technology is and how it works with the question of whether locational privacy is a fundamental right. Does the right to be left alone include not letting Big Brother (or a legion of Little Brothers) know where we are or where we've been? What sacrifices must we make for homeland security and open government?"

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining, and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $50.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 60 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2004 is the most comprehensive report on privacy and data protection ever published.

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Beyond the Basics: Advanced Legal Topics in Open Source and Collaborative Development in the Global Marketplace. University of Washington School of Law. March 21, 2006. Seattle, Washington. For more information:

Call for papers for the 34th Research Conference on Communication, Information, and Internet Policy. Telecommunications Policy Research Conference. Proposals should be based on current theoretical or empirical research relevant to communication and information policy, and may be from any disciplinary perspective. Deadline is March 31, 2006. For more information:

Making PKI Easy to Use. National Institutes of Health. April 4-6, 2006. Gaithersburg, Maryland. For more information:

First International Conference on Availability, Reliability and Security. Vienna University of Technology. April 20-22, 2006. Vienna, Austria. For more information:

Third International Conference on Security in Pervasive Computing. University of York. April 19-20, 2006. York, United Kingdom. For more information:

CHI 2006 Workshop on Privacy-Enhanced Personalization. UC Irvine Institute for Software Research and the National Science Foundation. April 22-23. Montreal, Quebec, Canada. For more information:

The First International Conference on Legal, Security and Privacy Issues in IT (LSPI). CompLex. April 30-May 2, 2006. Hamburg, Germany. For more information:

Computers, Freedom, and Privacy Conference (CFP 2006). Association for Computing Machinery. May 2-5, 2006. Washington, DC. For more information:

Infosecurity New York. Reed Exhibitions. September 12-14, 2006. New York, New York. For more information:

34th Research Conference on Communication, Information, and Internet Policy. Telecommunications Policy Research Conference. September 29-October 1, 2006. Arlington, Virginia. For more information:

International Conference on Privacy, Security, and Trust (PST 2006). University of Ontario Institute of Technology. October 20-November 1, 2006. Oshawa, Ontario, Canada. For more information:

BSR 2006 Annual Conference. Business for Social Responsibility. November 7-10, 2006. New York, New York. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

