EPIC Alert
Earlier this week, Lanny J. Davis, one of five members of the President's Privacy and Civil Liberties Oversight Board, resigned in protest of the Bush administration's changes to the Board's first annual report. The White House made more than 200 revisions to the report, including the deletion of a passage on anti-terrorism programs where intelligence officials said the programs had "potentially problematic" intrusions on civil liberties.
Another change was the deletion of the Board's plan to investigate the controversial Automated Targeting System, which was originally established to assess cargo that may pose a threat to the United States, but has expanded to creating terrorism risk profiles for millions of people. EPIC has criticized the system, explaining that the terrorist risk profiles will be secret, unreviewable, and maintained by the government for 40 years. EPIC, along with 29 organizations and 16 privacy and technology experts, filed comments last year highlighting privacy and security risks inherent in the system and urging the agency to suspend the program and to fully enforce Privacy Act obligations.
The Board, which operates within the Executive Office of the President, is intended to "[advise] the President and other senior executive branch officials to ensure that concerns with respect to privacy and civil liberties are appropriately considered in the implementation of all laws, regulations, and executive branch policies related to efforts to protect the Nation against terrorism." However, the Board does not have subpoena authority, which weakens its investigative power. One passage deleted by the White House described a letter sent by the Board to President Bush asking him to issue an executive order to all federal agencies to fully cooperate with the Board. The extensive White House revisions have raised questions about the independence and effectiveness of the Board. EPIC has published a detailed report on the need to reform the Board. Legislation to change the Board has passed both the House and Senate.
Last week, Governor Tom Kean and Lee Hamilton, former Chair and Vice Chair of the 9/11 Commission, sent a letter to the Board in response to its report. The Kean and Hamilton letter began with the question, "What civil liberties have been specifically protected or enhanced by your actions?" The Board's report provides few details on program operations or what internal controls are in place to protect civil liberties in any of the government programs evaluated. Kean and Hamilton criticized this narrow viewpoint, stating, "There are wide-ranging concerns expressed by the American public with respect to privacy and civil liberties beyond those you raise in your report." The letter also raises questions about the President's domestic surveillance program, watch list problems, and the misuse of National Security Letter authority.
Report from the White House Privacy and Civil Liberties Board (pdf):
Draft Report with White House Revisions Marked (pdf):
Lanny J. Davis's Resignation Letter (pdf):
Letter from Gov. Tom Kean and Lee Hamilton to the Board (pdf):
EPIC's Report Recommending Changes to the Board (pdf):
EPIC's Page on the Automated Targeting System:
The Administrative Office of the U.S. Courts submitted its annual report to Congress on the wiretaps approved by state and federal courts. The report does not include interceptions authorized under the Foreign Intelligence Surveillance Act (FISA), which are reported to Congress separately.
State and federal judges are required by the Omnibus Crime Control and Safe Streets Act of 1968 to report each application for an order to intercept wire, oral or electronic communications within 30 days of the denial of the application or the expiration of the interception. Prosecutors must report in January all orders terminated within the previous calendar year. The reports do not identify the parties or telephone numbers intercepted.
The total number of wiretaps increased by 4 percent in 2006. Of 1839 applications, 461 were submitted to federal judges and 1378 to state judges. No applications were denied. Federal wiretap authorizations decreased by 26%, while state applications increased by 20% from the previous year. Over the last ten years, however, the total number of wiretaps has increased by 54%. The Department of Justice (DOJ) attributed the federal decrease to continuing complex and sensitive wiretaps and wiretaps under seal, which are not reflected in the report; according to DOJ, if those were included the numbers would show no change.
Most of these wiretaps were on portable devices (92%), with the second most common location being residences (3%). No instances of encryption were encountered in any of those wiretaps. The largest interception occurred in New York, where a 519-day tap captured 105,000 messages, 75,000 of which were incriminating. The average cost of an intercept device was $52,000.
The Department of Justice separately reported to Congress on searches authorized by the Foreign Intelligence Surveillance Court (FISC). In 2006, the government made 2,181 applications for FISC searches. These include electronic surveillance, physical searches, and mixed applications. Of these, the court substantially modified 73 applications, and five applications were withdrawn by the government before the court ruled. The remaining 2,176 were all approved. The government also made 43 applications for access to business records, and all of these were also approved.
2006 Wiretap Report:
2006 FISA report (pdf):
EPIC's FISA page:
The New York State Consumer Protection Board has sent a letter to the Federal Trade Commission (FTC) endorsing EPIC's recent complaint to the FTC regarding the privacy implications of the Google/DoubleClick merger.
On April 20, 2007, EPIC, the Center for Digital Democracy and the US Public Interest Research Group filed a complaint with the Federal Trade Commission, urging the Commission to open an investigation into Google's data retention policies, specifically in light of its recent proposed acquisition of DoubleClick. The complaint called on the Commission to force Google to comply with internationally recognized privacy guidelines such as the Organization for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which recognize that "the right of individuals to access and challenge personal data is generally regarded as perhaps the most important privacy protection safeguard."
In its letter to the FTC, the Consumer Protection Board stated, "[t]he combination of DoubleClick's Internet surfing history generated through consumers' pattern of clicking on specific advertisements, coupled with Google's database of consumers' past searches, will result in the creation of "super-profiles," which will make up the world's single largest repository of both personally and non-personally identifiable information." The Board expressed concern that these profiles expose consumers to the risk of disclosure of their data to third parties, as well as public disclosure as evidence in litigation or through data breaches.
The Consumer Protection Board urged the FTC to halt the merger until it has fully investigated Google's planned use of DoubleClick's data post-merger. The Board further urged the FTC to require Google to establish and publicly disclose a "clear and conspicuous" data collection policy providing for strict data security, consumer access to personally identifiable information, the ability to edit or delete such data, an opt-out mechanism for exclusion from Google's database, and remedies in the event of a data breach or failure to comply with an opt-out request. The Consumer Protection Board is encouraging New York State consumers to voice their concerns regarding the Google/DoubleClick merger and its potential impact on their privacy to the FTC. It has provided a sample consumer letter to the FTC on its website to facilitate this process.
“Technology is advancing at a pace never before seen,” the Board stated, “and although there are many benefits, government should act to ensure that the public's fundamental right to privacy is not abridged.”
Letter from the NY State Consumer Protection Board (pdf):
NY Consumer Protection Board Press Release:
NY Consumer Protection Board Take Action page for NY consumers:
EPIC's Complaint to the FTC (pdf):
EPIC's FTC Google Complaint page:
The Department of Homeland Security announced that it has received more than 12,000 comments on its draft implementation regulations for the REAL ID Act, even though the comment process was marked by problems. Many people complained that they were unable to file comments through the Web site and fax number provided by DHS. Overwhelmed by the flow of comments, DHS set up an e-mail address for public submissions one day before the comments were due.
EPIC and 24 other experts in privacy and technology jointly submitted comments warning the federal agency not to go forward with the REAL ID proposal. The group urged DHS to recommend to Congress that REAL ID is unworkable and must be repealed. "The REAL ID Act creates an illegal de facto national identification system filled with threats to privacy, security and civil liberties that cannot be solved, no matter what the implementation plan set out by the regulations," the group said.
The group said that the ill-conceived plan would increase the risk of and the damage caused by identity theft. Creating a national identification database full of personal documents such as birth and citizenship certificates, making that database accessible to thousands of people, while not requiring adequate security and privacy safeguards, will necessarily make us less secure as a nation and as individuals. "DHS has the obligation to protect the privacy of citizens affected by this system and must do more than the feeble attempts set out in the draft regulations," the group said.
REAL ID faces considerable opposition by the public, the States and in Congress. More than 60 organizations and 200 blogs joined a campaign to file comments against REAL ID. Washington and Montana passed legislation to opt-out of REAL ID completely. Colorado, Georgia and Idaho will either delay or not spend any money on implementation. Arkansas, Hawaii, Maine, Nevada, and North Dakota are calling for the repeal of REAL ID. Legislation has been introduced in both houses of Congress to repeal REAL ID.
Last week, at a Senate Judiciary Committee hearing about REAL ID, Chairman Patrick Leahy said, "The days of Congress rubber-stamping any and every idea cooked up by this administration are over." At the hearing on May 8, Bruce Schneier, security expert and member of the EPIC Board of Directors, testified against the fundamentally flawed national identification scheme. Schneier explained that REAL ID would only protect us from terrorists "if the terrorists did exactly what we expect them to. But if they find a way around REAL ID, then it won't protect us at all." Schneier also said that DHS has shown a profound lack of respect for the public and for the states. "Today is the deadline for comments on the draft regulations. DHS has testified that final regulations will be released by August or September. It is not possible for DHS to read, review and consider the thousands of public comments it will receive. This tells me that DHS does not intend to make substantial changes to its draft regulations."
Comments of EPIC and 24 Experts in Privacy and Technology (pdf):
Senate Judiciary Hearing, "Will REAL ID Actually Make Us Safer? An Examination of Privacy and Civil Liberties Concerns":
Department of Homeland Security's Notice of Proposed Rulemaking on REAL ID:
EPIC's Page on National ID Cards and REAL ID Act:
Stop REAL ID Campaign site:
A number of data security and consumer protection bills have moved through their respective Senate and House committees in the last month. On May 3, the Senate Judiciary Committee passed the Personal Data Privacy and Security Act of 2007, S. 495, introduced by Committee Chairman Leahy and Senator Specter, as well as the Notification of Risk to Personal Data Act, S. 239, introduced by Senator Feinstein.
S. 495 aims to prevent and mitigate identity theft, ensure privacy, provide notice of security breaches, and enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information. S. 239, which focuses on security breach notification, was amended to mirror the Leahy-Specter bill.
The Senate Commerce Committee previously passed a similar bill, the Identity Theft Prevention Act, S. 1178, introduced by Senator Inouye. The bill provides for the implementation of security standards for the holding of sensitive personal information, and includes security breach notification and security breach provisions. The bill also calls for the establishment of an Information Security and Consumer Privacy Advisory Committee.
EPIC previously testified before the Senate Commerce Committee on the subject of security breach notification. In its testimony, EPIC recommended that security breach legislation should include provisions regarding the availability of credit freezes, as well as requirements for audit trails and public reporting of breaches. All three bills in Congress currently include media notification for large breaches. S. 1178 includes provisions for credit freezes, and S. 495 requires government agencies to ensure that audit regulations are in place.
The House Commerce Committee passed both the Social Security Number Protection Act of 2007, H.R. 948, and the Securely Protect Yourself Against Cyber-Trespass Act, or SPY Act, H.R. 964. H.R. 948 makes it illegal to purchase or sell Social Security numbers in a manner that violates Federal Trade Commission (FTC) anti-fraud regulations. EPIC testified last year before the House Subcommittee on Social Security on the risks associated with expanded use of Social Security numbers, such as identity theft. H.R. 964 bans malware or spyware tracking techniques such as the use of keystroke-logging programs or the installation of software without gaining approval via a clearly stated end user licensing agreement.
S. 495 Personal Data Privacy and Security Act of 2007:
S. 239 Notification of Risk to Personal Data Act of 2007:
S. 1178 Identity Theft Prevention Act:
H.R. 948 Social Security Number Protection Act of 2007:
H.R. 964 Securely Protect Yourself Against Cyber Trespass Act (SPY ACT):
EPIC's Testimony on Identity Theft and Data Brokers (2005):
EPIC's Testimony before Subcommittee on Social Security (pdf):
New York Plan for DNA Data in Most Crimes
New York Governor Eliot Spitzer is proposing a massive expansion of New York State's database of DNA samples. Currently, New York State generally only collects DNA samples from those convicted of the most serious crimes. The governor's proposal would order DNA taken from those convicted of most crimes, including all misdemeanors - even minor drug offenses, harassment, or unauthorized use of a credit card. The governor is also proposing mandatory DNA sampling of all prisoners in New York, as well as anyone on parole, on probation, or registered as a sex offender, an expansion that would add about 50,000 samples to the database. In October 2005, EPIC filed a “friend of the court” brief in the federal court case of Kohler v. Englade addressing whether the police may coerce a person to provide a DNA sample. EPIC's brief surveyed more than 20 DNA dragnets conducted in the United States over the past 15 years. The brief showed that the investigative technique has repeatedly failed to identify the intended targets of investigations, but has compromised the privacy rights of thousands of innocent people.
New York State Governor's Press Release:
Text of proposed DNA database legislation:
EPIC's “friend of the court” brief in Kohler v. Englade (pdf):
European Parliament Considers US Demands for Passenger Data
US Homeland Security Secretary Michael Chertoff addressed the European Parliament's Committee on Civil Liberties, Justice and Home Affairs last week regarding the passenger name records (PNR) agreement between the EU and the US. The current interim deal expires in July, and the European Parliament wants a new agreement with better data protection standards. Parliament seeks to limit how much data is transferred, which agencies it is shared with, and how long the data is kept. Contrary to this position, Chertoff asked that restrictions on the use of data be made looser than what is in the current agreement, claiming that wider sharing amongst agencies is necessary to stop terrorist attacks.
The United States Mission to the European Union, "Homeland Security's Chertoff Addresses European Parliament Committee on Data Transfer, Privacy" (May 14, 2007)
EPIC's page on EU-US Airline Passenger Data Disclosure
Union Sues TSA Over Data Breach
The American Federation of Government Employees has filed a class action suit against the Transportation Security Administration over its loss of a hard drive containing personal information on over 100,000 employees. The hard drive, which contains payroll data from January 2002 to August 2005, holds employee names, Social Security numbers, birth dates, and bank account and routing information. The loss affects all individuals who were employed by the TSA during this period. The union claims that the breach constitutes a violation of the Privacy Act. The Privacy Act provides remedies for certain disclosures of personal information held by the government, including the creation of new security measures, and damages. In 2003, EPIC filed an amicus brief in Doe v. Chao, a Supreme Court case interpreting the Privacy Act's minimum damages provision.
"AFGE Sues TSA for Reckless Violation of Privacy Act":
EPIC's Doe v. Chao page and brief:
EC Announces New Project on Privacy Enhancing Technologies
On May 2, the European Commission detailed plans to identify, develop, and promote Privacy Enhancing Technologies ("PETs"). Commission Vice-President Franco Frattini said the EC seeks to "ensure that breaches of the data protection rules and violations of individual's rights are not only something forbidden and subject to sanctions under the existing legal provisions, but also technically more difficult." EPIC has urged the use of PETs in the U.S. and internationally. In its January comments to the President's Identity Theft Task Force, EPIC said, "PETs can allow authentication to occur without the need for identifying information to be disclosed. Such techniques enable commerce, communication, web browsing, and even voting without unnecessary privacy risks."
EC Press Release, "Promoting Data Protection by Privacy Enhancing Technologies (PETs)":
EPIC's Comments to the President's Identity Theft Task Force (pdf):
GAO Report: Customs Agency's Data Collection Violates Privacy Laws
Customs and Border Protection is violating privacy laws in its data collection practices, the Government Accountability Office reported Wednesday. The GAO said that the current passenger prescreening process does not comply with the Privacy Act of 1974 and the E-Government Act of 2002. Customs "has not fully disclosed or assessed the privacy impacts of its use of personal information during international passenger prescreening as required by law," the GAO said. EPIC has repeatedly urged that the federal privacy laws be fully applied to all passenger prescreening programs. "The lack of enforcement of Privacy Act obligations means that individuals are not given the opportunity to inspect, correct or limit the dissemination of inaccurate information," and this lack of transparency leads to security resources being wasted on innocent travelers who are misidentified as criminal suspects, EPIC said.
GAO Report, "Aviation Security: Efforts to Strengthen International Passenger Prescreening are Under Way, but Planning and Implementation Issues Remain" (pdf):
EPIC Page on Secure Flight:
The Unbinding by Walter Kirn (Random House, 2006)
Walter Kirn's novel, originally published in online serial form on Slate.com, presents a view not of the world as it could be, but rather the world as it may already be. The Unbinding's characters make and remake themselves in online and offline forms, in order to entice or repel others, as the case may be.
Kent Selkirk, the novel's main character, works at an omnipresent subscriber service called AidSat, where he coaches clients through all manner of life situations, from relationship advice to emergency response. Through the AidSat network Kent has a wealth of information at his fingertips, as well as the power to passively observe any client, their conversations, their vital signs, and their movements. Abuse of this power is particularly powerful given that online research is accorded more trust than face-to-face interaction and observation. Society and its players rely on two assumptions: that data doesn't lie, and that the aggregation of enough isolated pieces can paint a complete picture that satisfies any purpose, be it employment, dating, or criminal risk assessment.
The online form of the novel allows the author to incorporate real-time events, drawing even closer the parallel between Kirn's “fictional” world and ours. In a bold statement about the current social concept of privacy, Kirn writes, “They've grown up believing in the orbiting eye, the subdermal microchip, the circling drone, and they're no more afraid of them than they are of moonlight. Perhaps that's because they're born onstage, these creatures, and the first thing they see is the snout of Daddy's Handycam. . . In time, they have nothing inside them that hasn't been outside.” As the watchers become the watched, a race to gather the most information on others ensues, leaving one problem for both the characters and the reader: which information represents the truth?
-- Allison Knight
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
Conference on Interdisciplinary Studies in Information Privacy and Security. Rutgers University. May 22, 2007. New Brunswick. For more information: http://www.scils.rutgers.edu/ci/isips/
Privacy Compliance Conference. The Canadian Institute. May 30-31, 2007. Toronto, Canada. For more information:
2007 ALA Annual Conference. Washington Convention Center. June 23-26, 2007. Washington, DC. For more information:
National Institute on Computing and the Law: From Steps to Strides into the New Age. June 25-26, 2007. San Francisco, CA. For more information:
Civil Society Privacy Conference: Privacy Rights in a World Under Surveillance. September 25, 2007. Montreal, Canada. For more information:
29th International Conference of Data Protection and Privacy Commissioners. September 25-28, 2007. Montreal, Canada. For more information:
Future of the Internet Economy - OECD Ministerial Meeting. June 14-18, 2008. Seoul, Korea. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.