
EPIC Alert 14.15 [2007] EPICAlert 16

E P I C A l e r t

Volume 14.15 July 27, 2007
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents
[1] Privacy Groups Object to US Military Database of Iraqis
[2] EPIC Urges Senate Committee to Repeal National Security Letters
[3] OECD Online Public Consultation for Upcoming Ministerial
[4] Department of Health Proposes New Records System
[5] Medical Privacy Bill Introduced in Senate
[6] News in Brief
[7] EPIC Bookstore: "Privacy on the Line"
[8] Upcoming Conferences and Events

[1] Privacy Groups Object to US Military Database of Iraqis

On July 27, EPIC, Privacy International and Human Rights Watch wrote to the US Secretary of Defense to warn that a new system of biometric identification contravenes international privacy standards and could lead to further reprisals and killings. The groups cite the particular risk of identification requirements in regions of the world torn by ethnic and religious division.

According to USA Today, U.S. troops are using mobile scanners to take fingerprints and eye scans, data that is linked to profiles maintained by the US military. This information is then being used to build an unprecedented secret database of Iraqis that is administered by the U.S. military. However, there is as yet no indication of any privacy safeguards protecting this information from illegitimate uses.

The secret profiling of Iraqis creates an unprecedented human rights risk that could easily be exploited by a future government, and yet the idea of the U.S. military turning over the database system to the Iraqi government is already under discussion. In May 2007, the Council on Foreign Relations, a prominent think tank, floated the possibility of a national identification program for Iraq similar to the U.S. REAL ID system. The proposal, also described in the New York Times, would introduce biometric ID cards to Iraqis that could be read with portable machines linked to a centralized database. The proposal also envisaged Iraqi government census workers going door-to-door to catalogue residents. The program's purported purpose would be to distinguish insurgents from lawful citizens, but the proponents admitted that the central database could also be misused for ethnic cleansing.

According to Gianni Magazzeni, head of the U.N. human rights office for Iraq, "People are basically killed or taken away simply because of their name, their identity or specific affiliations." Because names are associated with religious identity, many Iraqis change their names or carry fake IDs to avoid being murdered by rival sects. Numerous reports indicate that Iraqis regularly risk death if they are proven to be of a different sect than gunmen at a checkpoint. In July 2006, Shiite militiamen established a fake checkpoint and killed up to 50 Sunnis after examining their identification documents. The establishment of the biometric database erodes what limited protection Iraqis have in concealing their true identities.

The letter from EPIC, Privacy International and Human Rights Watch draws attention to international privacy obligations, including Article 12 of the Universal Declaration of Human Rights, that the United States has endorsed. As the USA Today article notes, "Many Iraqis carry fake IDs with last names that suggest a sectarian background other than their own - a method of survival in a country where violence between Sunnis and Shiites has killed thousands since the war began." The letter concludes, "The new system of biometric identification and secret profiles raises the very real possibility of future reprisals and killings on a far more widespread basis."

Letter from privacy groups to Robert Gates, Secretary of Defense, July 27, 2007:

USA Today Article, July 13, 2007:

Council on Foreign Relations, "A National ID Program for Iraq?":

EPIC's Iraqi Biometric ID Page:

Human Rights Watch's page on Iraq:

EPIC's page on Biometric Identifiers:

[2] EPIC Urges Senate Committee to Repeal National Security Letters

On July 26, EPIC sent a letter to the Senate Committee on the Judiciary, urging Congress to repeal the National Security Letter (NSL) authority in the Patriot Act. NSLs are an extraordinary search procedure by which the FBI can compel disclosure of certain customer and consumer data from telephone companies, financial institutions, Internet service providers and consumer credit agencies without judicial approval.

In 2005, EPIC uncovered documents concerning NSLs that revealed violations of law reported to the Intelligence Oversight Board. In a letter to the Senate Judiciary Committee in October 2005, EPIC highlighted the need for the Attorney General to report to Congress on potentially unlawful intelligence investigations that are forwarded to him from the Intelligence Oversight Board. In March 2007, EPIC said that the findings by the Office of the Inspector General Report and EPIC Freedom of Information Act requests were “particularly troubling in light of the fact that the Attorney General told Congress during the oversight hearings on Patriot Act Reauthorization that he was not aware that violations of law had occurred.” A Washington Post article discussed the results of an internal FBI audit that found that FBI agents abused their NSL powers more than 1,000 times, far more than was previously documented. On July 10, reports revealed that Attorney General Alberto Gonzales had received specific reports about NSL abuses when he testified to Congress that “[t]here has not been one certified case of civil liberties abuse” when the reauthorization of the Patriot Act was under scrutiny in 2005.

On June 13, the Federal Bureau of Investigation released new internal guidelines for the use of NSLs. The guidelines fail to address the concerns EPIC has expressed in its letters to the Senate Judiciary Committee. The FBI's guidelines continue to allow NSLs to be issued under the lower post-Patriot Act standard that the information “be relevant to an investigation to protect against international terrorism or foreign spying” provided that the investigation of a United States person is not conducted “solely on the basis of activities protected by the first amendment of the Constitution of the United States.” The pre-Patriot Act standard required “specific and articulable facts giving reason to believe that the customer or entity whose records are sought is a foreign power or an agent of a foreign power.” The guidelines also continue the practice of allowing field offices to issue NSLs, rather than the pre-Patriot requirement of headquarters approval.

EPIC's Letter to Senators Specter and Leahy (July 26, 2007):

Statement Of Sen. Patrick Leahy, Chairman, Hearing On Oversight Of The Department Of Justice:

EPIC's Letter to Senators Specter and Leahy (March 21, 2007) (pdf):

EPIC's Letter to Senators Specter and Leahy (Oct. 24, 2005) (pdf):

EPIC's NSL page:

[3] OECD Online Public Consultation for Upcoming Ministerial

The OECD has launched an online public consultation process to receive input on the proposed themes and issues of the upcoming OECD Ministerial to be held in Seoul, Korea on June 17-18, 2008. The theme of the Ministerial is the “Future of the Internet Economy.” The Ministerial represents an opportunity for high-level stakeholders from government, business, the technical community, and civil society to consider broad social, economic and technical trends shaping the development of the Internet Economy, and to discuss policies that can respond to evolving societal needs.

The questionnaire seeks comments on four policy areas. First, how can the Internet be used to improve future economic performance and social welfare? Second, in order to benefit from technology convergence, what overarching principles are needed for the transition to the next generation of high speed networks, what guidance will help consumers navigate the transition, and what policies should be in place for evolving RFID and sensor networks? Third, how can the OECD encourage creativity in areas such as e-science, enable innovation and encourage growth and employment, and enable maximum access to public sector information and content and its re-use by the private sector? Lastly, the OECD requests comments on the kinds of policies that are needed to ensure the security of critical information infrastructure and combat malicious software, to address digital identity management, to ensure multi-stakeholder, cross-border co-operation for privacy, security and consumer protection, to empower consumers online, and to ensure fair mobile commerce transactions and combat online identity theft. Answers should be brief, i.e. between 350-400 words, but the OECD welcomes any supporting documents that individuals may wish to attach to their comments.

The OECD states that the participation of all players in the dialogue is important to ensure that the Ministerial is able to benefit from a wide range of viewpoints and expertise. This important online outreach tool provides an excellent opportunity for civil society members to contribute comments, suggestions as well as papers and reports that may aid in the formation of the Ministerial agenda. The comments will be published online, and will be made available for consideration to the OECD Secretariat, member countries, and participants at the next preparatory OECD meetings in October, where the agenda for the Ministerial will be discussed.

The Online Public Consultation is one of a series of initiatives aimed at involving non-governmental stakeholders in the OECD Ministerial meeting and in its preparation. The public consultation will be open until Friday, September 14, 2007.

OECD Online Public Consultation Page:

The Public Voice page:

Public Voice OECD Ministerial page:

[4] Department of Health Proposes New Records System

On June 26, the Department of Health and Human Services (HHS) proposed to establish the National Disaster Medical System (NDMS) Patient Treatment and Tracking Records System. The goal of this new records system is to collect individual health data from people receiving medical care provided by NDMS. The NDMS is a joint effort between HHS, the Department of Defense, the Department of Homeland Security, and the Veteran's Administration to provide additional resources to supplement the public health and health care actions local and state governments provide during emergencies.

Under the proposal, all persons treated by NDMS medical staff may have their health data recorded and placed into a record system. This would include demographic information as well as data regarding patient diagnosis, treatment, and location. This data may be obtained from the individual patients, their physicians, or by access to the health records of patients.

The NDMS Patient Tracking System contains various “routine use” disclosures to all the federal agencies that share responsibility for evacuation and treatment of patients under NDMS in order to ensure the highest level of patient care possible. Routine use disclosures may also be made to consultants, contractors, and grantees who may require access to the health records for business purposes related to the collection of the data. Lastly, routine use disclosures will be made to state and federal agencies as necessary to establish the benefit entitlement of the patient or to help families locate evacuated family members.

The routine use disclosures contained within the NDMS Patient Tracking System raise some privacy concerns that EPIC addressed in comments submitted to HHS on July 26. In the comments, EPIC stated that HHS should build privacy protections into the system in order to ensure that patients receive quality emergency health care without having to sacrifice their medical privacy. EPIC also urged HHS to clearly define how the system of records notice will comport with the Health Insurance and Portability Act (HIPAA). Any proposed routine use disclosures that violate HIPAA provisions should not be included.

The NDMS Patient Tracking System collects data during emergency situations. Due to the extreme nature of these events, privacy and safety can easily be overlooked if they have not already been built into the system. EPIC urged HHS to consider the impact that the proposed routine use disclosures could have on victims of domestic violence, as well as other displaced individuals. After Hurricane Katrina, numerous evacuees faced instances of personal information abuse. For this reason, EPIC encourages the use of health data collected by the NDMS for patient treatment purposes only.

EPIC's Webpage on Hurricane Katrina and Identity Theft:

EPIC's Webpage on Domestic Violence and Privacy:

EPIC's Comments on NDMS Patient Treatment and Tracking Records System (pdf):

Department of Health and Human Services System of Records Notice (June 26, 2007) (pdf):

[5] Medical Privacy Bill Introduced in Senate

On July 18, the Health Information Privacy and Security Act of 2007 (HIPSA) (S.1814) was introduced in the Senate. The bill was sponsored by Senator Patrick Leahy (D-VT) and co-sponsored by Senator Edward Kennedy (D-MA). HIPSA seeks to provide individuals with access to their personal health information while ensuring patient privacy.

HIPSA provides individuals the right to access their health data and prohibits the use of health data without patient authorization. The bill requires that organizations that store health information electronically notify individuals of their privacy practices and establish adequate safeguards to prevent security breaches, or face civil penalties. If a breach does occur, the bill requires patient notification within 15 days of the occurrence. HIPSA also authorizes the Attorney General to file a civil action against organizations that do not properly safeguard electronic health records or provide individuals with information about their health privacy rights.

Further, HIPSA requires de-identification of individually identifiable health information used for research purposes. The bill provides exceptions for public safety, national security, and law enforcement purposes. In addition, providers may disclose health information to law enforcement personnel and a patient's next of kin, so long as the patient has been given the right to opt-out of the disclosure.

HIPSA will establish a health information privacy department within the Department of Health and Human Services. The department's main function will be to provide consumers with information regarding their privacy rights. HIPSA makes it a federal crime to “knowingly and intentionally disclose or use sensitive health information without an individual's consent.” If a person commits an offense, they may be fined $50,000 and could be imprisoned for one year. If the violation is committed with the intent to sell or use the information for economic gain, violators may be fined up to $500,000 and face up to 10 years in prison.

Health Information Privacy and Security Act of 2007, S.1814:

EPIC's Webpage on Medical Privacy:

Patient Privacy Rights

[6] News in Brief

New Report Reveals Increased Secrecy of US Government

A report by and People For the American Way Foundation documents how, at a time when technology should enable government openness, the executive branch limits public access to public information. According to "Government Secrecy: Decisions Without Democracy 2007", President Bush has used executive orders to limit use of the Freedom of Information Act and Presidential Records Act, expanded the power to classify information for national security reasons, and created a range of new categories of "sensitive" information. In some cases, the government has gone so far as to reclassify documents that had been available to the general public for many years. The report suggests that citizen journalists should utilize the Internet to organize coalitions that promote openness and accountability, and to publicize further governmental abuses by using services like YouTube and Myspace.

Government Secrecy: Decisions Without Democracy 2007 (pdf):

EPIC's FOIA page:

Spotlight on "National Network" of Fusion Centers

EPIC's current Spotlight on Surveillance reviews "fusion centers," data sharing entities that acquire information from many sources, including private sector firms and anonymous tipsters. The Department of Homeland Security is seeking to create a national network of local and state fusion centers. The federal agency has provided more than $380 million to state and local governments in support of these centers. The fusion center program gives DHS enormous domestic surveillance powers.

Spotlight on Surveillance: "National Network" of Fusion Centers Raises Specter of COINTELPRO:

EPIC's Fusion Centers page:

Groups Urge FCC to Reject Network Filters

EPIC joined Public Knowledge and nine other privacy and consumer rights groups in urging the Federal Communications Commission not to require broadband Internet Service Providers to use network filters on Web content. Last month, NBC Universal Inc. requested that the FCC mandate content suppression in order to limit illegitimate broadband uses such as online piracy through peer-to-peer file sharing. The privacy and consumer rights groups explained, "Any attempt to use this technology to control what may be done on the Internet will have serious unintended consequences. Particularly, these technologies limit First Amendment freedoms, stifle innovation, threaten personal privacy, and do little to address the underlying problem."

Privacy and Consumer Rights Groups Comments (July 16, 2007) (pdf):

EPIC's Publication, “Filters & Freedom 2.0”:

Joint Consumer Comments on RFID in Europe

European consumer groups ANEC and BEUC have issued a joint policy paper on RFID in Europe. The position paper, based on the European Commission Communication on RFID from March 2007, is their contribution to the RFID Experts stakeholder group and is designed to help the European Commission draft a recommendation on privacy and security aspects of RFID. The groups recommended that the Commission begin "impartial and comprehensive information campaigns on the RFID technology, its potential benefits and risks," to help consumers choose whether to use RFID. The groups also suggested that "a European committee dealing with ethics should be created and consulted" concerning any RFID or near field communication (NFC) technology applications.

ANEC/BEUC, "Consumers' scenarios for a RFID policy: Joint ANEC/BEUC Comments on the Communication on Radio Frequency Identification (RFID) in Europe: Steps towards a policy framework" (pdf):

EPIC's page on RFID:

House and Senate Compromise on 9/11 Recommendations

The House and Senate have agreed to harmonize two competing bills, H.R. 1 and S. 4, in order to implement some of the 9/11 Commission recommendations. The bills include a provision establishing regional fusion centers for sharing criminal and terrorism information with state and local officials. The bills also establish a Privacy and Civil Liberties Oversight Board, which is to have access to relevant material held by other agencies. Members are appointed by the President and confirmed by the Senate. The House bill, H.R. 1, originally proposed to make the Oversight Board into an independent agency, but the harmonized bills allow the Oversight Board to remain in the Executive Office of the President.

Improving America's Security Act of 2007, S. 4:

Improving America's Security Act of 2007, H.R. 1:

EPIC Spotlight on Fusion Centers:

EPIC 9/11 Commission Page

GAO Reports on Progress at DHS Privacy Office

The Government Accountability Office (GAO) has released a report on the progress of the Department of Homeland Security (DHS) Privacy Office in complying with its statutory mandates. The GAO concluded that significant progress has been made in meeting statutory requirements. For example, the Privacy Office has increased the number and quality of Privacy Impact Assessments issued, and it has managed to incorporate privacy considerations into DHS decision-making via the privacy advisory committee and public workshops. However, the Privacy Office has not been timely in issuing reports. This tardiness has delayed the effectiveness of these reports and eroded the credibility of the Privacy Office.

DHS Privacy Office Has Made Progress but Faces Continuing Challenges (pdf):

EPIC Privacy Oversight Page:

[7] EPIC Bookstore: "Privacy on the Line"

Privacy on the Line, The Politics of Wiretapping and Encryption, Updated and Expanded Edition by Whitfield Diffie and Susan Landau (MIT Press, 2007)

This much-awaited update of Diffie and Landau's 1998 edition is greatly appreciated by the privacy advocacy community. So much has happened in the span of nine years: the terrorist attack of September 11, 2001; public knowledge of government surveillance programs; increased use of cryptography; and, the broad adoption of Internet-enabled communication services.

The publication is a wonderful exploration of the history of communication privacy and the efforts by the US government to conduct sanctioned and unsanctioned surveillance of domestic communication. Domestic surveillance first began as a means of acquiring information on criminal activities and quickly moved to documenting people's engagement in social or political activities and their exercise of constitutionally protected rights to expression and assembly. The argument that the "Control of society is, in large part, control of communications," is explained in detail by the authors as they walk the reader through the decades of various technologies, tactics, and rationales deployed by government in its efforts to snoop.

The strongest recommendation for the book is its grasp of communication technology and the issue of cryptography, which the authors propose is the key factor that can make or break the privacy rights of telecommunication users. The 1970s was the decade of enlightenment for easy access by the public to affordable and practical cryptographic tools. Diffie, Hellman, Merkle, Rivest, Shamir, Adleman, Feistel, all made significant contributions to online banking and digital commerce. According to Diffie and Landau, the National Security Agency's efforts to hobble research and business opportunities presented the greater obstacle to public access to good cryptographic tools.

One key lesson that is provided by "Privacy on the Line": electronic surveillance is unlike any other form of spying because the intruder can hide the fact that a message or communication has been compromised. Diffie and Landau make it very clear that only amateurs attempting to spy on modern telecommunication systems would make mistakes that would tip-off the target, and the National Security Agency is no amateur. This updated edition makes for a great read - academic in nature, but very accessible for someone interested in understanding the current debate over the President's various domestic surveillance programs headed by the National Security Agency.

-- Lillie Coney

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40.

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

7th Annual Future of Music Policy Summit. September 17-18, 2007. Washington, DC. For more information

PIPA Conference: Private Sector Privacy in a Changing World. September 20-21, 2007. Vancouver, Canada. For more information:

Civil Society Privacy Conference: Privacy Rights in a World Under Surveillance. September 25, 2007. Montreal, Canada. For more information:

29th International Conference of Data Protection and Privacy Commissioners. September 25-28, 2007. Montreal, Canada. For more information:

Internet Bill of Rights meeting. September 27, 2007. Rome, Italy. For more information:

OECD and Industry Canada: Shaping Policies for Creativity, Confidence and Convergence in the Digital World. October 3, 2007. Ottawa, Canada. For more information:

University of Ottawa Faculty of Law: The Revealed "I". October 25-27, 2007. Ottawa, Canada. For more information:

Future of the Internet Economy - OECD Ministerial Meeting. June 14-18, 2008. Seoul, Korea. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 14.14

