E P I C A l e r t
As a result of a 2005 petition filed by EPIC, the Federal Communications Commission (FCC) adopted new rules last week to strengthen the security of consumers' phone records. The FCC also published a Notice of Proposed Rulemaking, stating that it is seeking comments on further privacy protections for customer information. Comments are due July 9, 2007.
The new rules relate to customer proprietary network information (CPNI), which is the data collected by telecommunications corporations about a consumer's telephone calls. CPNI includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer's telephone bill. Currently, the use of CPNI data is protected by the 1996 Telecommunications Act.
The FCC announced the formal rulemaking in February 2006 after EPIC petitioned the Commission to protect phone users' privacy. EPIC's petition sought to heighten security standards, including the implementation of encryption of records, the requirement of audit logs to track who accesses account information and why, and limitation on the period of time that the data is retained. Some of EPIC's proposals on specific security measures, such as passwords, were adopted in the new rules; other proposals in EPIC's petition will be considered during the new proposed rule comment period.
The new rules require customers to provide a password when a customer calls a carrier before the carrier can release customers' phone call records. The new regulations also require carriers to notify customers of account changes, and establish a notification process for both law enforcement and customers in the event of a CPNI breach. Other changes include requiring carriers to file an annual report of all actions and consumer complaints related to CPNI and extending CPNI rules to cover providers of interconnected voice over Internet Protocol (VoIP) service (which allows people to make phone calls over broadband Internet connections).
The FCC seeks comments on possible additional steps it should take to further protect the privacy of consumers. In particular, the FCC seeks comments on whether to extend password protection beyond the newly adopted rules, whether to require audit trails of CPNI disclosure and whether to limit data retention periods.
The FCC regulation addresses some of the issues that are considered in legislation pending in Congress. The Prevention of Fraudulent Access to Phone Records Act, H.R. 936 has been referred to the House Energy and Commerce Committee for consideration.
EPIC Executive Director Marc Rotenberg testified on March 9 in support of this legislation, stressing that action in this area was overdue. The Act calls for several of the same measures as the FCC regulations, such as opt-in requirements for third party disclosure, periodic audits of telecommunications carriers by the FCC, and the use of customer-specific identifiers in order to access call detail information.
In several areas, the Act provides stronger privacy protections than the regulations. The Act would require telecommunications carriers to keep a record of each time that a customer's call detail information was requested, if access was granted, and how the person's identity or authority to access the information was verified. Such records would provide customers with knowledge of how their information was improperly accessed, giving them a greater ability to prevent another breach. Furthermore, the Act requires timely notice to a customer if there is an unauthorized disclosure of his or her information. The Act also requires the FCC to consider making regulations to require deletion of call detail information after "a reasonable period of time if such data is no longer necessary for the purpose for which it was collected.
FCC's Report and Order and Further Notice of Proposed Rulemaking (pdf):
EPIC's 2005 Petition to the FCC on CPNI:
EPIC's 2005 Letter to the FTC on CPNI:
EPIC's CPNI page:
EPIC's page on Phone Record Security:
Prevention of Fraudulent Access to Phone Records Act, H.R. 936:
The Truth in Caller ID Act of 2007, H.R. 251, passed the House this week. The Act makes it illegal to defraud or cause harm to people using misleading or inaccurate caller identification. The Act applies to any telecommunications service or VoIP service. (VoIP allows people to make phone calls over broadband Internet connections.) Penalties for violations of the Act are established in the 1934 Communications Act, which provides for a fine of up to $10,000 or one year in prison. Testifying on similar legislation last year, EPIC recommended the inclusion of a requirement of an “intent to defraud or cause harm,” which distinguishes between appropriate and inappropriate uses of caller ID spoofing. EPIC's recommended language was accepted, and adopted in this session's bill, H.R. 251.
In its testimony on H.R. 251, EPIC stated that while spoofing caller ID numbers can create a real risk to individuals who might be defrauded or harmed by illegitimate uses of this technology, there are also several legitimate uses of spoofing that allow callers to limit the disclosure of their phone numbers in order to protect their privacy and in some cases their safety. This includes domestic violence survivors who are trying to reach family members and do not want their location revealed. Survivors may also need to use caller ID spoofing when calling companies that may have permissive data-sharing policies and sell information to brokers. Caller ID spoofing can also protect right of call recipients to be free from pretexting and other fraud that can lead to the loss of their privacy, and the threats of stalking, identity theft, and harassment.
The bill as passed included two new amendments. The first provides an exemption for law enforcement and intelligence agencies, for “activities performed in connection with official duties.” EPIC testified that a blanket exemption for law enforcement is not necessary because the law's intent requirement distinguishes between appropriate and inappropriate Caller ID spoofing; this distinction preserves legitimate law enforcement techniques while punishing harmful or fraudulent acts.
The second amendment requires the Federal Communications Commission to consider whether it should require “non-commercial calls to residential telephone lines using an artificial or pre-recorded voice to deliver a message to transmit caller identification information that is not misleading or inaccurate.”
The Truth in Caller ID Act of 2007:
EPIC's Testimony before the House Committee on Energy and Commerce on the Truth in Caller ID Act of 2007 (pdf):
EPIC's page on Domestic Surveillance:
At a House Subcommittee on Social Security hearing on June 7, EPIC Executive Director Marc Rotenberg urged the strengthening privacy safeguards associated with employment eligibility verification systems and said existing agency database problems should be corrected before a nationwide expansion is considered. The Subcommittee is reviewing an immigration bill that would establish a national employment eligibility verification systems; a similar bill is pending in the Senate.
EPIC recently scrutinized the proposed employment verification systems in its "Spotlight on Surveillance." Under both H.R. 1150 and S.AMDT 1645, every employer in the country would be required to submit detailed personal information on every employee to the Department of Homeland Security (DHS). This information would then be cross-referenced with that retained by the Social Security Administration. Should a discrepancy arise, workers would have to appeal to DHS and SSA to prove their identity. The appeals process could last as long as two and a half months, and if the appeal is ultimately denied the individual would not be able to work legally in the United States until the discrepancy was somehow corrected. The House bill would also transform all Social Security Cards to include biometric and machine-readable features.
Government databases upon which the verification systems would rely already contain many errors, Rotenberg said. The current, little-used employment verification system, Basic Pilot, is plagued by problems resulting from these errors. A 2002 independent study of Basic Pilot undertaken by the Immigration and Naturalization Service found that almost half of those employees deemed ineligible for work were in fact eligible. The same study also found that, while employees navigated the Basic Pilot appeals process, almost half experienced a reduction in pay or responsibilities, or were terminated from employment altogether, despite the illegality of such action. Expanding the Basic Pilot program to a nationwide system without addressing existing database inaccuracies would result in these burdensome consequences 143.6 million authorized workers nationwide, Rotenberg said. In addition to dealing with a dramatically increased number of verification requests, the proposed Social Security Card additions would cost the Social Security Administration at least $9.5 billion, Rotenberg said.
Rotenberg also highlighted the dangers of massive data aggregation in centralized databases under the proposed verification systems. Such a large collection of personal information increases the possibility that the information could be used for unintended purposes, such as long-term tracking of individuals, misuse by authorized users and identity theft. “As currently planned, these systems greatly diminish employee privacy and make personal information vulnerable to theft and misuse. The proposed verification systems would also grant to the federal government unprecedented control over the livelihoods of American citizens,” Rotenberg said. The sensitive nature of the retained information augments the seriousness of a security breach when it occurs. The dangers of security breaches were demonstrated last month when the Transportation Security Administration lost a hard drive containing the personal and financial information of 100,000 of its employees, including federal air marshals, Rotenberg said.
Hearing of the House Subcommittee on Social Security (June 7, 2007):
EPIC's Testimony on Employment Verification Systems before the House Committee on Ways and Means (pdf):
EPIC Spotlight on Surveillance on EEVS:
H.R. 1645 (pdf):
S.AMDT. 1150 (pdf):
EPIC Testimony on Social Security Numbers before the House Committee on Ways and Means, March 16, 2007 (pdf):
On June 6, EPIC, the Center for Digital Democracy, and U.S. PIRG filed a supplement to their initial complaint concerning Google's proposed acquisition of DoubleClick. In the initial complaint, filed on April 20, 2007 with the Federal Trade Commission, these consumer advocacy groups requested that the Commission open an investigation into the proposed acquisition, specifically with regard to Google's ability to collect, record, and analyze personally identifiable information about Internet users and, through use of this information, to track the Internet activity of these users.
The June 6 supplement provides further detail on the information that Google collects about its users, the ways in which Google uses that information, and the privacy impacts of Google's many commonly used services. In addition, the June 6 supplement describes similar aspects of DoubleClick's business model and operations. EPIC, CDD, and U.S. PIRG explain that there are unique privacy issues raised by the proposed combination of the Internet's largest search engine and the Internet's largest advertising company. Allowing the merger to proceed as it is currently constructed would allow a single company to have an unprecedented level of access to information about Internet users, the groups said.
Although Google currently chooses not to sell its users' information, DoubleClick's business is based on building profiles of Internet users in order to market advertisements accurately targeted to users who are likely to be interested in the products they are offered. If the merger proceeds, personal user information collected by Google could be used to enhance DoubleClick's preexisting user profiles and would therefore be sold, by proxy, to those seeking to purchase advertising.
Supplemental Complaint (June 6, 2007) (pdf):
EPIC's FTC Google Complaint page:
On June 7, the Federal Trade Commission (FTC) issued a final rule, effective immediately, that allows the agency to disclose records in the event of a data breach. Specifically, the agency sought an exemption from the requirements the Privacy Act of 1974 by amending its “routine use” provision. The agency said that disclosure of FTC records in the event of a data breach is justified to ensure that the “appropriate persons and entities” are able to respond to the event. EPIC was the only entity to supply comments to the agency during the public comment period of this rule.
In its comments, EPIC raised the issue of “customer first notification”, and stated that affected consumers should be notified of a data breach as soon as possible after its occurrence, and no later than 7 days after the incident transpires. Timely notification is imperative to ensure that individuals can monitor their personal information and mitigate damages as quickly as possible after a breach, EPIC said. The FTC, however, declined to adopt this recommendation, and explained that such notifications fall “outside the scope of a routine use notice under the Privacy Act.” Instead, the FTC decided to follow guidance provided by the OMB and the President's Identity Theft Task Force regarding the appropriateness of informing affected individuals. The FTC also stated that the routine use amendment will authorize disclosures to others who are in a position to assist in response efforts, either by assisting in notification to affected individuals or otherwise playing a role in preventing, minimizing, or remedying harms from the breach.
EPIC also questioned the extensive disclosure scheme in the FTC's proposed rule, especially the potential disclosure of individuals' sensitive personal information, such as social security numbers and financial information across the federal government. The disclosure of sensitive personal information could cause additional damage for affected individuals. EPIC recommended the development of a fixed tier of access that would allow only certain individuals and entities limited access to breached data as necessary to further investigations.
While the FTC agreed with EPIC that “disclosure of Privacy Act records in order to investigate or remedy a breach disclosure remedy a breach must be necessary and narrowly tailored to the circumstances,” it did not support adoption of “fixed categories of access.” Instead, the FTC decided to limit disclosures to people that are “reasonably necessary” and to grant access on a case-by-case basis. The FTC believes this will provide adequate protection to consumers while also allowing for rapid investigation of a data breach.
FTC Federal Register Final Rule Notice:
EPIC Comments to the FTC:
EPIC's Social Security Number Privacy page:
FBI Data Mining Proposal Questioned
Representatives Brad Miller and James Sensenbrenner have asked the Government Accountability Office to investigate the FBI's proposal for a National Security Branch Analysis Center. The FBI intends to use the Center to “leverage existing data-mining tools to help identify relationships between individuals, locations and events that may be indicators of terrorist or other activities of interest." The Department of Justice predicts that the Center will hold 6 billion records by the year 2012.
Reps. Mill and Sensenbrenner state that the program resembles the Pentagon's Total Information Awareness anti-terror data-mining research program. Congress ended TIA in 2003 out of privacy concerns. In addition to the high cost and questionable value of such a system, the representatives also pointed to the FBI's recent abuse of National Security Letter powers to show that the FBI may not be capable of handling the center.
Letter of Reps. Miller and Sensenbrenner to the GAO (June 5) (pdf):
EPIC's Total (Terrorism) Information Awareness page:
Privacy International Ranks Online Companies' Privacy Practices
Privacy International has stated that the current report is a preliminary ranking. The organization will consider any new and relevant information for the next two months before publishing a full report in September. This report comes on the heels of the Federal Trade Commission's second request looking into antitrust concerns raised by its proposed merger with DoubleClick, and the European Union's investigation into Google's compliance with EU privacy law.
Privacy International's Interim Privacy Ranking of Internet Services Companies
EPIC's Gmail Privacy FAQ
EPIC's FTC Google Complaint page:
ChoicePoint Settles With 43 States, D.C, Over 2004 Database Breach
In a settlement with various attorneys general, data broker Choicepoint agreed to implement stronger data security measures and to pay $500,000. Choicepoint sells personal information on individuals to businesses and government. In the 2004 breach, which was the subject of the settlement, data on over 140,000 individuals had been divulged to identity thieves. The identity thieves had signed up as subscribers to Choicepoint's information services, and accessed data necessary to carry out thefts of at least 750 identities. The 43 states alleged that Choicepoint had failed to properly screen the buyers of its data files, and that the transactions should have raised "red flags."
CT Attorney General Announces Nationwide Settlement with Choicepoint:
EPIC's Choicepoint Page:
Fifteen States Pass Anti-REAL ID Legislation
As the deadline for compliance draws closer, more states are opting out of the controversial REAL ID national identification system. Arkansas, Colorado, Georgia, Hawaii, Idaho, Illinois, Maine, Missouri, Montana, Nebraska, Nevada, New Hampshire, North Dakota, South Carolina, and Washington have all passed anti-REAL ID legislation. Public resistance to REAL ID is also growing. In May, more than 60 organizations and 215 blogs joined a campaign to submit comments against REAL ID. There are bills in both the U.S. House and Senate to repeal the national identification scheme. EPIC and 24 experts in privacy and technology submitted detailed comments explaining the many privacy and security threats raised by the REAL ID Act. The Department of Homeland Security's Data Privacy and Integrity Advisory Committee refused to endorse the draft regulations, stating that they did not resolve problems with privacy, redress, management controls, and more.
Stop REAL ID Campaign:
EPIC Page on National ID Cards and REAL ID Act:
Information Security: Agencies Report Progress, but Sensitive Data Remain at Risk
In testimony before Congress, the General Accountability Office's Director of Information Security Issues reported on federal government agencies' efforts to protect personal data. Director Gregory C. Wilshusen found that almost all of the major federal agencies had weaknesses in one or more areas of information security controls. Problems included inadequate access controls, not enough management of software patches, lack of encryption, and insufficient restrictions on physical access to information access. Performance metrics showed that agencies are improving security in terms of training and education, but failures to implement agency-wide information security systems still persist.
GAO Testimony (June 7, 2007) (pdf):
EPIC's Page on Veteran's Affairs Data Breach:
European Data Protection Law, Corporate Compliance and Regulation, Second Edition by Christopher Kuner (Oxford Press, 2007)
In the updated edition of his text, Kuner sets out the difficulty of expansion into EU markets for US businesses that have not taken the message of data privacy protection seriously. US businesses intent on exploiting the information age through new EU markets or creating more efficiency in existing European markets must effectively convert their business models to comply with EU data protection laws. The various EU data directives create minimum standards that each member state must then adopt though the passage of new laws. However, this model does allow member states to adopt stronger measures for data protection. There is a process for industries to establish self-regulatory codes under Article 27(1) of the General Directive, but according to the author the process is so cumbersome that few industries have created them. He sees the process as taking too long to complete, and the "uncertain legal status" of the measures once adopted.
Additional complexity of EU data protection law comes from the range of European entities that have jurisdiction over its enforcement. These bodies are not equal in their ability to directly impact the bottom line prospects for businesses, but exert some level of influence in the shaping of data protection policy in Europe. Some might speculate that in the new information age it would be easier to just offshore all data collection, processing, and storage of data, but the author warns that the Europeans have thought of that as well and the rules have a number of pitfalls for those who attempt this approach.
Basic EU data protection requirements include: informing data subjects of the purpose that information is being requested, justifying the need to retain the information, making information on the data subject available to them, protecting the information collected, and only using the information for the purpose for which it was collected. In short, the road to success in data protection is paved with a lot of planning, thought, care, and well-established means of protecting the data obtained on European Union citizens.
-- Lillie Coney
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
2007 ALA Annual Conference. Washington Convention Center. June 23-26,
2007. Washington, DC. For more information:
National Institute on Computing and the Law: From Steps to Strides into
the New Age. June 25-26, 2007. San Francisco, CA. For more
Federal Trade Commission: Spam Summit - The Next Generation of Threats
and Solutions. July 11-12, 2007. Washington DC. For more information:
Harvard University Privacy Symposium. August 21-24, 2007. Cambridge, MA. For more information http://www.privacysummersymposium.com
7th Annual Future of Music Policy Summit. September 17-18, 2007.
Washington, DC. For more information
Civil Society Privacy Conference: Privacy Rights in a World Under
Surveillance. September 25, 2007. Montreal, Canada. For more
29th International Conference of Data Protection and Privacy
Commissioners. September 25-28, 2007. Montreal, Canada. For more
OECD and Industry Canada: Shaping Policies for Creativity, Confidence
and Convergence in the Digital World. October 3, 2007. Ottawa,
For more information:
University of Ottawa Faculty of Law: The Revealed "I". October 25-27,
2007. Ottawa, Canada. For more information:
Future of the Internet Economy - OECD Ministerial Meeting. June 14-18,
2008. Seoul, Korea. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.