WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2006 >> [2006] EPICAlert 8

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 13.08 [2006] EPICAlert 8


Volume 13.08 April 21, 2006

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
Table of Contents

[1] ICANN Chooses Privacy for Whois
[2] Congress, Administration Push for U.S. Data Retention Laws
[3] International Privacy Commissioners Meet in Washington
[4] U.S. Archives Had Reclassification Agreements With CIA, Air Force

[5] Immigration Bill Would Require DHS Checks for All U.S. Jobs
[6] News in Brief
[7] EPIC Bookstore: David Lyon's "Surveillance as Social Sorting"

[8] Upcoming Conferences and Events

[1] ICANN Chooses Privacy for Whois

The Internet Corporation for Assigned Names and Numbers (ICANN), thebody that controls the assignment of domain names to Internet addresses,has voted to adopt a policy protecting the privacy of domain holders'
personal information. ICANN stated that Whois, a public databasecontaining the contact information of domain name holders, should beused only for its original purpose: to resolve issues related to theconfiguration of the records associated with the domain name. The rulingmeans that Whois data will not be expanded for other purposes, such aslaw enforcement and copyright investigations.

The Generic Names Supporting Organization (GNSO), which develops domainname policy for ICANN, held a vote on April 12 to decide how Whoisshould be used. Two definitions were proposed. The first stated thatthe purpose of Whois was to provide contact information so thattechnical problems with domain name servers could be addressed andresolved. The second proposed definition stated that Whois was intendedto provide contact information to resolve technical, legal or any otherissues dealing with a domain name. The first definition was agreed to,with a vote of 18 to 9.

The more expansive definition was supported by commercial Internetusers, Internet service providers, and intellectual property holders,who viewed Whois as a tool to locate and serve process on domain nameowners accused of infringing on trademarks or copyrights. Non-commercialusers, domain name registrars and registries supported the more limitedpurpose, which would better protect privacy and prevent abuses ofpersonal information contained within the Whois database.

EPIC, which is a member of the non-commercial users constituencyadvocated this position in its comments to ICANN in February.

ICANN page on Whois:

GNSO Announcement of Resolutions at April 12 Meeting:

EPIC's Whois page:

[2] Congress, Administration Push for U.S. Data Retention Laws

Members of Congress are calling for laws in the United States that wouldcompel Internet service providers and telecom companies to storeinformation about their customers for months or years and make thoserecords available to the police upon request. Supporters of a dataretention law include Rep. Ed. Whitfield (R-KY) and Homeland SecuritySecretary Michael Chertoff. Attorney General Alberto Gonzales recentlystated that retaining records of Internet users would help fight crime,especially online crimes involving child pornography.

The data at stake includes information as sensitive as mobile phonelocation data, e-mail headers, e-commerce web site transactional data,and web browsing or chat room activities. This information normally getsdiscarded if it is not useful to companies for billing, marketing,network monitoring or fraud prevention purposes. Some of that deleteddata, law enforcement is now claiming, could be useful to solve criminalcases.

In the United States, law enforcement can currently subpoena Internetproviders and phone companies to keep records on specific suspects for arenewable period of 90 days. This system is called "data preservation."
A few other countries, however, have chosen a "data retention" system,where companies have to store the data of all customers for months oryears. For example, the European Union adopted last year a dataretention directive that requires all of its member states to enact dataretention laws. The implementation of the directive is facing stiffresistance in several member states, and data protection officialswithin the EU's Article 29 Working Party on Data Protection havecriticized the directive as lacking adequate safeguards for privacy.

To date, law enforcement has not been able to show that retaining allusers' data helps to solve criminal cases. Traffic data is seldomessential in criminal investigations and data retained for longer than 6months is rarely useful. Retaining all customer data could also raiseserious security and privacy risks. The huge data warehouses created bysuch laws would provide tempting targets for hackers and identitythieves. Criminals could also easily evade data retention rules by usinganonymous online access or prepaid mobile phones, leaving law-abidingInternet and phone users with the prospect of permanent and highlyinvasive surveillance.

Article 29 Working Party Comments on the EU Data Retention Directive(pdf):

Comments of the EPIC and the Yale Internet Society Project to theEuropean Commission on Traffic Data Retention (pdf):

EPIC Data Retention page:

[3] International Privacy Commissioners Meet in Washington

The International Working Group on Data Protection in Telecommunicationsmet in Washington, DC on April 6-7. The Working Group is composed of thedata protection commissioners of twenty-five countries and privacyexperts from around the world. The meeting, co-hosted by EPIC, beganwith an address by U.S. Federal Trade Commissioner Jonathan Leibowitz.
The delegations from each country discussed the most significant eventsin the privacy laws of their respective countries, before conferringupon specific emerging issues of privacy. Among the topics covered atlength:

Electronic health records: Digitized medical records are often promotedas a means for patients to receive better care, especially when awayfrom home. But the mobility of the records means that breaches ofpatient privacy may have more widespread effects than before.

Personal data and web services: Consumers are increasingly relying uponweb-based applications, like webmail, for common online tasks.
Businesses that handle and store information for consumers have anobligation to respect users' confidentiality in storing and processingthis information.

Copyright Management and Privacy: Technical efforts to preventunauthorized uses of copyrighted works often identify individual users,or report their personal information. How can copyright protectionsavoid becoming surveillance mechanisms?

Radio frequency identification, or RFID: Both governments and theprivate sector are promoting the use of remotely-readable radiofrequency tags to uniquely identify both goods and people. Individualsshould know of the presence of the tags and be able to disable ordestroy them when desired.

The Working Group's papers on these topics are yet to be finalized, andshould be available on the Working Group's website within a few weeks.

International Working Group on Data Protection:

English-Language Site for the Working Group:

[4] U.S. Archives Had Reclassification Agreements With CIA, Air Force

The United States' chief archivist has revealed that the NationalArchives and Records Administration entered into secret agreements withthe CIA and Air Force to reclassify records that had been public fordecades. The classified Memoranda of Understanding, signed in 2001 and2002, also required the Archives not to tell the public why records werebeing pulled from the shelves.

Archivist of the United States Allen Weinstein released a statement thisweek blasting the agreements, declaring that "there can never be aclassified aspect to our mission. Classified agreements are theantithesis of our reason for being . . . . If records must be removedfor reasons of national security, the American people will always, atthe very least, know when it occurs and how many records are affected."

The reclassification program at the Archives was first publiclydisclosed by the New York Times earlier this year. According to theinitial report, several intelligence agencies had reclassified about9,500 documents that were available to the public for years at theArchives. About 8,000 documents have been reclassified during the Bushpresidency alone.

The Archives' Information Security Oversight Office is now developingprocedures to govern the review of previously declassified records. Oncecompleted, the office's proposal will be available for public comment.

Press Release, National Archives, National Archives Releases SecondDeclassified MOU:

National Archives Memorandum of Understanding with the Air Force (pdf):

National Archives Memorandum of Understanding with the CIA (pdf):

National Archives, Background on NARA Classified MOUs:

EPIC's Open Government Page:

[5] Immigration Bill Would Require DHS Checks for All U.S. Jobs

All employees in the United States would have their names, SocialSecurity numbers and job information stored in a massive governmentdatabase if a pending immigration bill becomes law. The House ofRepresentatives recently passed H.R. 4437 and it is now before theSenate. The Border Protection, Antiterrorism, and Illegal ImmigrationControl Act of 2005 would expand the currently voluntary Basic Pilotprogram, which now involves 3,600 employers. If the bill passes, thenation's 8.4 million employers would have to send employee names andSocial Security numbers to the federal government, which would checkthat information against databases for to verify employment eligibility.

The Government Accountability Office reviewed the employment databaseprogram in August and found several problems, including an "inability todetect identity fraud" and erroneous entries in databases. Theseproblems "have made it difficult for employers who want to comply withthe employment verification process to ensure that they hire onlyauthorized workers and have made it easier for unscrupulous employers toknowingly hire unauthorized workers," the GAO said.

The massive employment database, which would include sensitive dataabout all employed citizens as well as immigrants, would be a temptingtarget for identity thieves. Customs and Immigration officials also toldGAO that an expansion would create significant backlogs in employmentverification.

H.R. 4437 does not include the right for employees to review their filesor appeal any errors. This is despite the fact that GAO found manyerrors in the federal employment verification databases. Illinois Sen.
Barack Obama (D-IL) has introduced an amendment seeking to increaseprivacy protections for the verification system. Sen. Obama wouldinclude the right to appeal erroneous data, accuracy standards, privacyprotection, and limits on data sharing.

H.R. 4437, The Border Protection, Antiterrorism, and Illegal ImmigrationControl Act of 2005:

GAO Report on Immigration Enforcement Weaknesses (pdf):

[6] News in Brief

Transportation Security Administration Appoints New Privacy DirectorThe Transportation Security Administration has named a new director tooversee its expanded privacy office. The agency announced this week thatPeter Pietra, currently the agency's Assistant Chief Counsel forInformation Law, will serve as Director of Privacy Policy andCompliance. Lisa Dean, who has been TSA's privacy officer since 2004,will continue to work with the office. Since its creation in 2001, TSAhas pursued several programs that raised substantial privacy concerns,including transportation worker and airline passenger prescreeningsystems.

TSA Press Release on New Director:

EPIC's Secure Flight Page: Unveils GPS-Enabled Tracking of KidsSprint, one of the country's largest mobile service providers, haslaunched a service intended to allow parents to use GPS technology totrack children carrying cell phones. For approximately $10 a month, theSprint Family Locator will allow subscribers to display the location ofan individual on an interactive map, complete with nearby streetaddresses and landmarks. The service will also allow subscribers to askfor alerts when individuals reach specific locations.

Sprint's Press Release on Family Locator:

James C. White, People, Not Places: A Policy Framework for AnalyzingLocation Privacy Issues: Offender Registries Under Renewed Scrutiny
Two individuals were shot to death last week by an attacker who chosehis victims based on their presence on Maine's sex offender registry.
Last year, two other individuals listed on sex offender registries inWashington State were killed by a vigilante. In Arkansas, an identitythief used the Indiana registry to steal identities of sex offendersbecause their personal information was so easy to obtain. The spate ofvigilante violence and opportunistic crime against sex offenders hascaused Maine to temporarily remove its registry from the Internet. Otherstates are also under pressure to restrict access to the registries. Ina challenge to the constitutionality of sex offender registries, EPICwarned the Supreme Court that they were unjustifiably invasive ofprivacy, and that the registries would lead to vigilante violence.
However, the Supreme Court ultimately upheld the registries, holdingthat they were non-punitive civil regulation and that they could beretroactively applied to individuals who already served time for sexcrimes.

EPIC Privacy and Megan's Laws Page: Chooses Earthlink and Google for Citywide WifiThe City of San Francisco has preliminarily chosen Earthlink and Googleto provide municipal broadband service. The companies' proposal seeks tohave Google deploy an advertising-supported 300 Kbps connectioncitywide. Earthlink will provide a for-fee premium service delivering 1Mbps. The proposal also seeks to create a surveillance infrastructurefor San Francisco by allowing greater deployment of video cameras andautomated enforcement tools, such as parking meters. EPIC, EFF, and theACLU of Northern California urged city officials to tweak privacyprotections for users of the service. The coalition is seeking to ensurethat individuals can use the service without "signing in." Signing inallows Google to track users across sessions, and raises the risk thatdetailed profiles of Internet activity will be built. The groups alsourged the city to require the companies to switch to an opt-in model forinformation sharing, as both Google and Earthlink reserve the ability tosell data unless the user objects. Finally, the groups are seekingrestrictions on the use of the network to deploy cameras to monitorindividuals.

San Francisco TechConnect:

Coalition Letter on Earthlink / Google: Hampshire House Passes Anti-REAL ID BillThe New Hampshire House of Representatives has just passed HB 1582, anact "prohibiting New Hampshire from participating in a nationalidentification card system." If the measure passes the state Senate, NewHampshire will be the first state to reject the REAL ID Act, which setsfederal standards for state driver's licenses, essentially making themnational ID cards. Implementation costs will be substantial, accordingto a recent survey of state motor vehicle administrators. The federalgovernment initially put the total price at $100 million, butPennsylvania alone would spend $85 million on REAL ID, the survey found.
The National Governors Association has called REAL ID "unworkable andcounterproductive."

HB 1582:

National Governor Association press release about REAL ID:

EPIC's National ID Cards and REAL ID Act page:

[7] EPIC Bookstore: David Lyon's "Surveillance as Social Sorting"

David Lyon. "Surveillance as Social Sorting: Privacy, Risk and AutomatedDiscrimination" (Routledge, 2003).

"This book examines some crucial aspects of surveillance processes witha view to showing what constitutes them, why the growth of surveillanceis accelerating and what is really at stake personally and politically.
It scrutinizes individual surveillance systems - CCTV, biometrics,intelligent transportation systems, smart cards, on-line profiling - anddiscusses their implications for our future. Surveillance as SocialSorting is a fascinating contribution to a relatively new field -
surveillance studies."

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of informationprivacy law allows instructors to enliven their teaching of fundamentalconcepts by addressing both enduring and emerging controversies. TheSecond Edition addresses numerous rapidly developing areas of privacylaw, including: identity theft, government data mining,and electronicsurveillance law, the Foreign Intelligence Surveillance Act,intelligence sharing, RFID tags, GPS, sypware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundationfor an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2004: An International Survey of Privacy Lawsand Developments" (EPIC 2004). Price: $50.

This annual report by EPIC and Privacy International provides anoverview of key privacy topics and reviews the state of privacy in over60 countries around the world. The report outlines legal protections,new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2004 is the most comprehensive report on privacyand data protection ever published.

"FOIA 2004: Litigation Under the Federal Open Government Laws," HarryHammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedomof Information Act, the Privacy Act, the Government in the Sunshine Act,and the Federal Advisory Committee Act. The 22nd edition fully updatesthe manual that lawyers, journalists and researchers have relied on formore than 25 years. For those who litigate open government cases (orneed to learn how to litigate them), this is an essential referencemanual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit onthe Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and theprocess of the World Summit on the Information Society (WSIS). Thisreference guide provides the official UN documents, regional andissue-oriented perspectives, and recommendations and proposals forfuture action, as well as a useful list of resources and contacts forindividuals and organizations that wish to become more involved in theWSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law,and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's DeskReference" of the privacy world, is the leading resource for students,attorneys, researchers, and journalists interested in pursuing privacylaw in the United States and around the world. It includes the fulltexts of major privacy laws and directives such as the Fair CreditReporting Act, the Privacy Act, and the OECD Privacy Guidelines, as wellas an up-to-date section on recent developments. New materials includethe APEC Privacy Framework, the Video Voyeurism Prevention Act, and theCAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries ofinteresting documents obtained from government agencies under theFreedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Access to Knowledge Conference. Yale Information Society Project.
April 21-23, 2006. New Haven, Connecticut. For more information:

CHI 2006 Workshop on Privacy-Enhanced Personalization. UC IrvineInstitute for Software Research and the National Science Foundation.
April 22-23. Montreal, Quebec, Canada. For more information:

Rethinking the Discourse on Race: A Symposium on How the Lack of RacialDiversity in the Media Affects Social Justice and Policy. St. John'sUniversity. April 28-29, 2006. New York, New York. For more information:

The First International Conference on Legal, Security and Privacy Issuesin IT (LSPI). CompLex. April 30-May 2, 2006. Hamburg, Germany. For moreinformation:

Computers, Freedom, and Privacy Conference (CFP 2006). Association forComputing Machinery May 2-5, 2006. Washington, DC. For more information:

Conference on Data Protection and Security: A Transnational Discussion.
International Association of Young Lawyers. May 5-6, 2006. Washington,DC. For more information:

Call for papers for the CRCS Workshop 2006: Data Surveillance andPrivacy Protection. Center for Research on Computation and Society. June3, 2006. Cambridge, Massachusetts. For more information:

7th Annual Institute on Privacy Law: Evolving Laws and Practices in aSecurity-Driven World. Practising Law Institute. June 5-6, SanFrancisco, California. June 19-20, New York, New York. July 17-18,Chicago, Illinois. Live webcast available. For more information:

Infosecurity New York. Reed Exhibitions. September 12-14, 2006. NewYork, New York. For more information:

34th Research Conference on Communication, Information, and InternetPolicy. Telecommunications Policy Research Conference. September29-October 1, 2006. Arlington, Virginia. For more information:

The IAPP Privacy Academy 2006. International Association of PrivacyProfessionals. October 18-20, 2006. Toronto, Ontario, Canada. For moreinformation:

International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November 1,
2006. Markham, Ontario, Canada. For more information:

BSR 2006 Annual Conference. Business for Social Responsibility. November7-10, 2006. New York, New York. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (link toother databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail addressfrom this list, please follow the above instructions under "subscriptioninformation."

About EPIC

The Electronic Privacy Information Center is a public interest researchcenter in Washington, DC. It was established in 1994 to focus publicattention on emerging privacy issues such as the Clipper Chip, theDigital Telephony proposal, national ID cards, medical record privacy,and the collection and sale of personal information. EPIC publishes theEPIC Alert, pursues Freedom of Information Act litigation, and conductspolicy research. For more information, see or writeEPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible. Checksshould be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for the rightof privacy and efforts to oppose government regulation of encryption andexpanding wiretapping powers.

Thank you for your support.


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback