EPIC Alert
On June 21, the Senate Judiciary Committee voted to subpoena Justice Department documents regarding the NSA's warrantless surveillance program, including any legal opinions the Bush administration has received concerning the surveillance program. Senate Judiciary Chairman Patrick Leahy issued a statement following the vote in which he said, “Why has this Administration been so steadfast in its refusal? Deputy Attorney General Comey's account suggests that some of these documents would reveal an Administration perfectly willing to ignore the law. Is that what they are hiding?”
The authorization comes after the Committee's ninth formal document request in 18 months went unfulfilled by the Justice Department. On May 21, Chairman Leahy and Ranking Member Arlen Specter wrote to Attorney General Alberto Gonzales to demand that he provide documents containing analysis or opinions regarding the legal basis for the surveillance program. In their letter, the senators stated that Gonzales has “rebuffed all requests for documents and your answers to our questions have been wholly inadequate and, at times, misleading.”
The letter came a week after the testimony of former Deputy Attorney General James Comey before the Senate Judiciary Committee. Comey testified that he had informed the White House that the Justice Department found no legal basis in the ongoing surveillance program, and that the program was certified over the objections of the Justice Department.
Following Comey's testimony, EPIC, the American Civil Liberties Union and the National Security Archive urged a federal district court to compel the Justice Department to disclose documents about the NSA surveillance program. EPIC had previously filed FOIA requests with the NSA and the Justice Department just hours after the New York Times first reported on the warrantless surveillance program in December 2005. When the agencies failed to comply with the FOIA deadline of 20 working days, EPIC filed a lawsuit against the Justice Department to compel disclosure. The case was consolidated with lawsuits initiated by the American Civil Liberties Union and the National Security Archive. In March 2006, U.S. District Judge Kennedy granted a Justice Department request for an extension of the disclosure deadline.
Text of subpoena authorization and statement of Sen. Leahy:
Letter from Sen. Patrick Leahy and Sen. Arlen Specter to Attorney General Alberto Gonzales:
EPIC's Spotlight on Surveillance "Legality of NSA's Secret Eavesdropping Program Is Suspect and Cost is Unknown":
EPIC's page on Domestic Surveillance:
EPIC's FOIA work on the NSA's warrantless surveillance program:
EPIC's page on FISA:
On June 21, Marc Rotenberg, Executive Director of EPIC, testified before the House Ways and Means Committee's Subcommittee on Social Security. He urged Congress to adopt legislation to address the misuse of the Social Security Number (SSN) and the growing problem of identity theft. Citing a recent report from the Federal Trade Commission that finds that identity theft is the number one concern of American consumers, EPIC called for "strong and effective legislation that will limit the use of the SSN," and context-dependent identifiers "that will encourage the development of more robust systems for identification that safeguard privacy and security." EPIC also criticized the President's Identity Theft Task Force for failing to make more aggressive recommendations regarding theft of Social Security Numbers.
The connection between identity theft and Social Security Numbers is not new. SSNs represent the virtual keys to an individual's identity and are improperly used as both an identifier and an authenticator. The Subcommittee on Social Security has held a total of sixteen hearings on the issue in the last seven years. During that time, despite the fact that “[i]dentity theft is one of the fastest-growing crimes in the United States” and “the FTC receives between fifteen and twenty-thousand contacts each week from those who have been victimized by” or are concerned about identity thieves, little has been done legislatively to address this problem. Congressman Michael R. McNulty, chairman of the subcommittee, however, indicated in his opening statement that he is “committed to moving forward with legislation aimed at making it more difficult for thieves and other wrongdoers to obtain a Social Security Number and use it to commit identity theft or other crimes.”
The Social Security Number Protection Act of 2007, H.R. 948, has been reported out of the Committee on Energy and Commerce to the House and is currently being examined by the Subcommittee on Social Security. The purpose of H.R. 948 is to prohibit the display and purchase of Social Security numbers in interstate commerce. Although EPIC generally favors the bill, it believes it can be strengthened in several key areas.
In his testimony, Mr. Rotenberg outlined the elements that EPIC considers essential to any piece of legislation addressing SSNs and identity theft. First, Mr. Rotenberg highlighted the need to avoid preempting state law in order to allow for innovation by state governments in this field. Second, Mr. Rotenberg emphasized the need for clear legislative guidance to the body that is delegated rulemaking authority. EPIC finds inadequate the provisions in H.R. 948 that grant the FTC broad discretion in creating exceptions to the legislation. Finally, Mr. Rotenberg underscored the importance of creating a private right of action in order to ensure vigorous enforcement of the law.
EPIC's Testimony before the House Subcommittee on Social Security on Protecting the Privacy of the Social Security Number from Identity Theft (June 21, 2007) (pdf):
EPIC's page on Social Security Numbers:
Congressman McNulty's opening statement (June 21, 2007):
FTC's consumer fraud and identity theft complaint data (pdf):
Presidential Task Force's strategic plan on combating identity theft (April, 2007) (pdf):
Last week, EPIC staff counsel Allison Knight testified before the Senate Commerce Committee on caller ID spoofing and the Truth In Caller ID Act of 2007, S.704. Caller ID spoofing occurs when a caller conceals his or her phone number and causes another number to appear on the call recipient's caller identification system. EPIC previously testified on a bill of the same name that recently passed the House.
The Senate bill as currently drafted does not distinguish between appropriate and inappropriate uses of caller ID spoofing, Knight stated. EPIC recommended that any ban on caller ID spoofing include an intent requirement, so that spoofing is only prohibited where a person "intends to defraud or cause harm." This language was included in the House bill, H.R. 251.
EPIC noted that spoofing caller ID numbers can create a real risk to individuals who might be defrauded or harmed by illegitimate uses of this technology. However, there are also several legitimate uses of spoofing that allow callers to limit the disclosure of their phone numbers in order to protect their privacy and in some cases their safety. This includes domestic violence survivors who are trying to reach family members and do not want their locations revealed. EPIC also pointed out that many individuals have legitimate reasons to report a different number than the one presented on caller ID. For example, a person may wish to keep her direct line private when making calls from within an organization.
An intent requirement would protect legitimate uses of the technology while prohibiting uses where it is clear a person who does not provide accurate identifying information intends to defraud or cause harm. Further, EPIC opposed an exemption in the bill provided to law enforcement, as an intent requirement would adequately protect legitimate law enforcement activities.
EPIC called for the Federal Communications Commission to investigate the President's domestic surveillance program, and asked Members to support EPIC's recommendation that the Commission undertake an investigation of the possibly improper disclosure of telephone toll records by the telephone companies that are subject to the privacy obligations contained in the Communications Act.
EPIC's Testimony before the Senate Commerce Committee on the Truth in Caller ID Act of 2007, S.704 (pdf):
The Truth in Caller ID Act of 2007, S.704:
EPIC's page on Domestic Surveillance:
On June 13, the FBI released its updated guidelines for field agents in the use of National Security Letters (NSLs). The revised guidelines summarize and compile existing and new FBI NSL policies. The FBI created the revised guidelines after there was extensive documentation of abuses in an Office of the Inspector General report and an FBI internal audit. Both reports found that the FBI violated its own internal policies, the requirements of the NSL statute and Attorney General guidelines.
NSLs are an extraordinary search procedure by which the FBI obtains customer and consumer transactional information from communications providers, financial institutions and consumer credit agencies without obtaining a warrant or any court authorization. NSLs are issued to third parties during terrorism, espionage, and classified information leak investigations, and are typically accompanied by a non-disclosure certification, also known as a “gag order.” This gag order prohibits the recipient from disclosing to anyone, except his or her lawyer, that an NSL letter was issued.
The PATRIOT Act broadened the FBI's authority to use NSLs by lowering the threshold standard for issuing them and by expanding the number of FBI officials who could sign them. These changes led to an increase in the numbers of NSLs issued, from 8,500 in 2000 to 39,000 in 2003, 56,000 in 2004 and 47,000 in 2005. EPIC has written to Congress asking that the PATRIOT Act provision expanding the NSL power be repealed.
The FBI's updated guidelines prohibit the use of exigent letters, and require that FBI officials make a “case by case determination” for the issuance of a gag order, as opposed to the prevailing practice of issuing gag orders as a matter of course. In another change of policy, the guidelines direct their divisions to retain copies of signed NSLs. However, the guidelines continue the practice of permitting field offices to issue NSLs, rather than requiring headquarters approval. The guidelines also allow for the retroactive issuance of an NSL to cover any “overproduction” of information given to the FBI. The guidelines do not provide for judicial review of NSLs, and continue to allow their issuance under the lowered thresholds of the Patriot Act.
FBI Comprehensive Guidance on National Security Letters (pdf):
EPIC's National Security Letters page:
Office of the Inspector General: A Review of the Federal Bureau of Investigation's Use of National Security Letters (pdf):
EPIC's letter to Congress on National Security Letters (pdf):
On June 16, the Sixth Circuit Court of Appeals ruled that portions of the Stored Communications Act violate the Fourth Amendment protection from unreasonable searches and seizures. In Warshak v. United States, the court found that an individual has a reasonable expectation of privacy in the emails one has stored at an ISP. Therefore, the court held, when the government seeks to obtain the contents of emails stored at an ISP, it must either use a warrant or notify the owner of the email account that a subpoena has been issued.
Steven Warshak was under investigation for violating several federal laws. During this investigation the government sent subpoenas to his ISPs requesting his subscriber account information as well as the contents of some of his emails. The orders were issued under seal, but Warshak was later notified of their existence when they were unsealed. Warshak then sued the government asking for an order declaring this access unconstitutional and preventing the government from further accessing his emails. A federal judge in Ohio granted Warshak a temporary injunction barring the government from accessing emails of individuals in its coverage without a warrant or notification to that individual.
The Stored Communications Act (18 U.S.C. §§ 2701 - 2712) permits the government to access emails stored at an ISP under certain conditions with the issuance of a subpoena. (18 U.S.C. § 2703(b)). The act also permits the government to delay notification of this access under certain conditions, such as if it would lead to flight from prosecution, or destruction of evidence. (18 U.S.C. § 2705). The government argued that this provision is constitutional because one does not have an expectation of privacy in what one has turned over to a third party, in this case the ISP. The court ruled otherwise, likening emails to telephone calls. One does not expect privacy in the numbers they dial, but does expect that the content of their calls is private, even if the telephone company could be listening.
Further, the court found that Warshak's suit is not limited to his emails. The court decided that Warshak's request is properly a "facial challenge" that challenges the text of a law on its face, under all circumstances. Thus the effect of the ruling is to prevent the government from access to the emails of all individuals in southern Ohio, the site of the original suit, absent a warrant or a subpoena with notification to the subject.
Sixth Circuit Decision in Warshak v. United States (pdf):
EPIC's page on Wiretapping:
Comprehensive Privacy Approach Needed for Health IT
On June 19, the Government Accountability Office (GAO) released a report recommending that the Department of Health and Human Services (HHS) implement a comprehensive privacy initiative to ensure the protection of electronically stored personal health data. The report was based on Executive Order 13335, in which President Bush called upon HHS to develop and implement a national interoperable health information network. The GAO report recognized that HHS officials have already undertaken some initiatives to address privacy principles; however, it determined that the agency's work is still in the preliminary stages, and not yet integrated.
The report recommended that HHS adopt milestones to ensure that “key privacy principles” and possible data exchange challenges are fully and adequately addressed. The report also identified four key challenges to overcome: 1) assurance of proper minimum disclosures; 2) implementation of sufficient security measures; 3) resolution of varying state privacy laws and policies; and 4) the right of individuals to access and amend their health data. EPIC supports the GAO's findings. In particular, EPIC has continually advocated for adoption of stringent privacy safeguards for electronic health records, as well as the right of individuals to obtain and amend their personal medical records.
GAO Report, “Health Information Technology: Efforts Continue but Comprehensive Privacy Approach Needed for National Strategy” (pdf):
EPIC's page on Medical Privacy:
Patient Privacy Rights:
Court Upholds Rights For Car Passengers
On June 18, the United States Supreme Court ruled that vehicle passengers may challenge the legality of police stops. The decision stems from the 2001 conviction of Bruce Brendlin, a passenger arrested on drug charges after an illegal police stop. Brendlin moved to have the evidence against him suppressed, arguing that “the traffic stop was an unlawful seizure of his person.” The Attorney General of California defended Brendlin's conviction, arguing that the Fourth Amendment only protects drivers, and not passengers, against unreasonable search and seizure. The Supreme Court voted unanimously to vacate Brendlin's conviction. In his opinion for the Court, Justice Souter wrote that traffic stops curtailed the travel of vehicle passengers as well as drivers, and that “no passenger would feel free to leave” after police detained the vehicle they were traveling in. The Court also noted that all nine Federal Courts of Appeals and 47 states allowed passengers to challenge the legality of vehicle stops on Fourth Amendment grounds.
Brendlin v. California, US Supreme Court, June 18, 2007 (pdf):
DHS Releases New Border Crossing Rules
The U.S. government has released proposed border crossing rules under the Western Hemisphere Travel Initiative (WHTI). This is a program, developed by the departments of Homeland Security and State, that requires everyone entering the United States through land or sea ports to present a passport or other documents to prove identity and citizenship. The proposed rules require most U.S. citizens to show either a U.S. passport, U.S. passport card, trusted traveler card (under government programs such as NEXUS, FAST, or SENTRI), Merchant Mariner Document, or U.S. Military identification card. The flawed program has been criticized by many, and its implementation has been filled with problems. Last week, DHS had to delay, by about six months, a WHTI requirement that U.S. citizens present a passport, because of massive backlogs in passport processing. Earlier this month, the U.S. House voted to delay the proposed rules until June 2009, and the U.S. Senate is considering a similar measure. EPIC has submitted detailed comments explaining the significant security and privacy problems in the WHTI program. Comments on the proposed rules are due August 27.
EPIC Comments on the Western Hemisphere Travel Initiative Proposal (pdf):
DHS Press Release on WHTI Notice of Proposed Rulemaking:
Notice of Proposed Rulemaking on WHTI (pdf):
New Recommendations on Cross-Border Privacy Law Enforcement
On June 12, the OECD adopted a new Recommendation setting forth a framework for cooperation in the enforcement of privacy laws. The framework reflects a commitment by governments to improve their domestic frameworks for privacy law enforcement to better enable cooperation between domestic and foreign authorities, as well as to provide mutual assistance to one another in the enforcement of privacy laws.
Specific recommendations include the development of international enforcement cooperation mechanisms and mutual assistance tools such as notification, complaint referral, investigative assistance and information sharing, subject to appropriate safeguards. The recommendations also call for stakeholder discussion and collaboration and instruct the relevant OECD committee to monitor and report on the implementation of these measures.
OECD Cross-Border Privacy Law Enforcement page:
OECD Recommendation on Cross-Border Privacy Law Enforcement (pdf):
CIA Report on Wiretapping
The CIA will declassify 693 pages detailing the agency's illegal activities from the 1950s to the 1970s, director General Michael Hayden announced last week. The so-called "family jewels" detail wiretaps and surveillance of journalists, attempted break-ins, a two-year confinement of a Russian defector and the participation on an "unwitting basis" of civilians in behavioral modification studies. The documents will be publicly released this week.
In anticipation of the release of these documents, the National Security Archive at George Washington University separately posted a six-page summary memorandum it obtained in 2000 describing the CIA's questionable activities from the 1950s-1970s.
The National Security Archive at George Washington University:
EPIC's Resources on Domestic Surveillance:
EPIC's Resources on Foreign Intelligence Surveillance Act (FISA):
EU Expands Search Engine Investigation
On June 10, in response to a May 16 letter from the Article 29 Working Party announcing an investigation of the proposed merger between Google and DoubleClick, Google announced that it would cut its data retention times from 24 to 18 months. This response came only two months after Nicole Wong, Google's deputy general counsel, asserted that, in its April 20 complaint to the FTC, "EPIC utterly fails to identify any practice that does not comply with accepted privacy standards."
On June 21, the Article 29 Working Party acknowledged Google's response to their May 16 letter and announced that it will expand its investigation to cover the practices of other search engines. The Working Party indicated that it will scrutinize the activities of search engines “from a data protection point of view, because this issue affects an ever growing number of users.”
EPIC's FTC Google Complaint page:
The Article 29 Working Party's letter to Google (May 16, 2007) (pdf):
Google's response to the May 16 letter (June 10, 2007) (pdf):
The Article 29 Working Party's press release concerning its 61st meeting (June 21, 2007) (pdf):
Privacy and Technologies of Identity: A Cross-Disciplinary Conversation, by Katherine J. Strandburg and Daniela Stan Raicu (Springer, 2006)
“Privacy and Technologies of Identity: A Cross-Disciplinary Conversation provides an overview of ways in which technological changes raise privacy concerns. It then addresses four major areas of technology: RFID and location tracking technology; biometric technology; data mining; and issues with anonymity and authentication of identity. Many of the chapters are written with the non-specialist in mind, seeking to educate a diverse audience on the "basics" of the technology and the law and to point out the promise and perils of each technology for privacy. The material in this book provides an interface between legal and policy approaches to privacy and technologies that either threaten or enhance privacy.
This book grew out of the Fall 2004 CIPLIT® Symposium on Privacy and Identity: The Promise and Perils of a Technological Age, co-sponsored by DePaul University's College of Law and School of Computer Science, Telecommunications and Information Systems. The Symposium brought together leading researchers in advanced technology and leading thinkers from the law and policy arenas, many of whom have contributed chapters to the book. Like the Symposium, the book seeks to contribute to a conversation among technologists, lawyers, and policymakers about how best to handle the challenges to privacy that arise from recent technological advances.”
"Information Privacy Law: Cases and Materials, Second Edition," Daniel J. Solove, Marc Rotenberg, and Paul Schwartz (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
2007 ALA Annual Conference. Washington Convention Center. June 23-26, 2007. Washington, DC. For more information:
National Institute on Computing and the Law: From Steps to Strides into the New Age. June 25-26, 2007. San Francisco, CA. For more
Federal Trade Commission: Spam Summit - The Next Generation of Threats and Solutions. July 11-12, 2007. Washington DC. For more information:
Harvard University Privacy Symposium. August 21-24, 2007. Cambridge, MA. For more information http://www.privacysummersymposium.com
7th Annual Future of Music Policy Summit. September 17-18, 2007. Washington, DC. For more information
Civil Society Privacy Conference: Privacy Rights in a World Under Surveillance. September 25, 2007. Montreal, Canada. For more
29th International Conference of Data Protection and Privacy Commissioners. September 25-28, 2007. Montreal, Canada. For more
OECD and Industry Canada: Shaping Policies for Creativity, Confidence and Convergence in the Digital World. October 3, 2007. Ottawa,
For more information:
University of Ottawa Faculty of Law: The Revealed "I". October 25-27, 2007. Ottawa, Canada. For more information:
Future of the Internet Economy - OECD Ministerial Meeting. June 14-18, 2008. Seoul, Korea. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.