EPIC Alert
Congress passed the "Protect America Act of 2007," making significant changes to the Foreign Intelligence Surveillance Act (FISA). FISA was enacted in 1978 to regulate intelligence gathering following revelations of abusive uses of covert intelligence powers. The 1978 law created a secret FISA court to oversee this intelligence gathering. The new law removes some surveillance from the limited FISA court review, allows the government to create more surveillance programs with limited review, and immunizes from lawsuits telecommunications companies who participate in these programs. These powers are temporary, as the new law expires in 6 months.
The law does not focus on "terrorists," but on communications when one of the parties is outside of the United States. The law amends the legal definition of "electronic surveillance," as monitored by the FISA court: "electronic surveillance" no longer encompasses surveillance of people reasonably believed to be outside of the United States.
The law allows the Director of National Intelligence and the Attorney General to approve surveillance on a program-wide, rather than individual basis. These officials must certify that, among other conditions, these programs have as "a significant purpose" the obtaining of foreign intelligence information. Instead of individually reviewing each application for surveillance, the FISA court may only review the proposed program to determine whether Executive branch officials are "clearly erroneous" in how they design and certify a given program.
Lastly, the law forces information holders, such as telecommunications companies and Internet service providers, to turn information over to the government, or face the criminal penalty of contempt of court.
Protect America Act of 2007:
EPIC's FISA page:
EPIC Resources on Domestic Surveillance:
Last week, the President signed the Implementing Recommendations of the 9/11 Commission Act of 2007. The law is a compromise between a Senate bill (S. 4) passed in March and a House bill (H.R. 1) passed in January. Both houses of Congress passed the harmonized version in July.
The law implements certain recommendations of the 9/11 Commission, including improving privacy and civil liberties protections in agencies that perform law enforcement or anti-terrorism functions. The bill also provides for establishing regional law enforcement "fusion centers" for information sharing.
The law strengthens the Privacy and Civil Liberties Oversight Board. Previously, members of the Board served at "the pleasure of the President." The House bill, H.R. 1, originally proposed to make the Oversight Board into an independent agency, but the new Act allows the Oversight Board to remain in the Executive Office of the President. The new Act also implements fixed 6-year terms, and limits the number of members from the same political party as the President to three. Although the members of the Board are still appointed by the President, the new law mandates that all members be subject to Senate approval. The new Board may request attorney general-issued subpoenas in the course of their investigations. The attorney general is required to submit a written explanation of any denials of or modifications to the subpoena request to the Board as well as the House and Senate Judiciary Committees.
The Act also strengthens privacy oversight in individual agencies. The new Act directs several specific agencies to appoint privacy and civil liberties officers. The law also contains some whistleblower protections, preventing reprisals against employees who disclose possible privacy and civil liberties violations to privacy officers or the Board. Furthermore, the Privacy Officer of the Department of Homeland Security is given the power to access records of DHS components and may, with the permission of the Secretary, issue subpoenas for DHS records.
Final Text of Implementing Recommendations of the 9/11 Commission Act of 2007:
EPIC's Report on Privacy Oversight (September 2006):
EPIC Spotlight on Fusion Centers:
EPIC's Privacy Oversight page:
EPIC's 9/11 Commission page:
In a complaint to the Canadian Commissioner of Competition, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa last week requested an investigation into the proposed $3.1 billion merger between Google and Internet advertising company DoubleClick. CIPPIC said the merger should be reviewed "on the grounds that it is likely to prevent or lessen competition substantially in the targeted online advertising industry."
"Through the merger, Google-DoubleClick will gain unprecedented market power, with which they can manipulate online advertising prices. Advertisers and web publishers will have no real choice but to choose Google's advertisement platforms in order to remain visible in the e-commerce market," said CIPPIC Director Philippa Lawson. CIPPIC cited the US Federal Trade Commission complaint and supplement filed by EPIC, the Center for Digital Democracy and the US Public Interest Research Group, as well as the ongoing European investigations into the merger. The Federal Trade Commission has made a "second request" to Google concerning the merger, which means the FTC is closely scrutinizing the proposed deal for antitrust and privacy issues.
In July, the European Commission Directorate on Competition announced that it would review the merger. The decision was made shortly after European consumer group BEUC sent a letter urging the Commission to investigate the merger, noting that the European Commission has considered consumer choice as an element in its review of past mergers. BEUC also reminded the Commission that it has publicly defined its role as preventing mergers that would deprive consumers of "high quality products, a wide selection of goods and services, and innovation."
The Article 29 Data Protection Working Party also recently expanded an investigation of Google's data retention policies after receiving Google's response to their initial inquiry. The initial review focused on Google's storage periods of server logs, whereas the Working Party has indicated that its new investigation will evaluate the previous analysis in addition to the data protection issues at stake with other search engines.
Canadian Internet Policy and Public Interest Clinic, Section 9 Application for an Inquiry into the Proposed Merger of Google, Inc. and DoubleClick Inc. (Aug. 2, 2007) (pdf):
The European Commission Directorate on Competition:
BEUC's letter on Proposed Acquisition of DoubleClick by Google (pdf):
Article 29 Data Protection Working Party Press Release (pdf):
EPIC's page on Proposed Google/DoubleClick Merger:
Federal Trade Commission, Press Release: FTC to Host Town Hall to Examine Privacy Issues and Online Behavioral Advertising (Aug. 6, 2007):
The Department of Homeland Security announced revisions to two passenger profiling programs this week: the Automated Targeting System and Secure Flight. However, privacy and security threats remain in both programs. DHS also announced a final rule on the Advance Passenger Information System.
The Advance Passenger Information System final rule "enables DHS to collect manifest information for international flights departing from or arriving in the United States prior to boarding," DHS said. The rule requires air carriers to transmit manifests 30 minutes before departure or "provide manifest information on passengers as each passenger checks in for the flight, up to the time when aircraft doors are secured." For vessels departing from foreign ports to the United States, the rule does not change current requirements to transmit passenger and crew arrival manifest data between 24 to 96 hours prior to arrival, "but requires vessel carriers to transmit [Advance Passenger Information System] data 60 minutes prior to departure from the United States."
In response to a November rulemaking, DHS announced changes to the Automated Targeting System, a federal database that created secret, terrorist ratings on tens of millions of American citizens. The system was originally established to assess cargo that might pose a threat to the United States. Since 1999, ATS was used to assign a "risk assessment," which is essentially a terrorist risk rating, to all people "seeking to enter or exit the United States," "engag[ing] in any form of trade or other commercial transaction related to the importation or exportation of merchandise," "employed in any capacity related to the transit of merchandise intended to cross the United States border," and "serv[ing] as operators, crew, or passengers on any vessel, vehicle, aircraft, or train who enters or exits the United States."
Some positive changes to ATS include a significant reduction in the data retention period (from 40 years to 15 years) and the elimination of a routine use that was unnecessary and far too broad (it allowed data to be used for hiring decisions). However, there remain many of the security and privacy risks outlined in comments previously filed by EPIC, 29 organizations and 16 privacy and technology experts that urged the agency to suspend the program and to fully enforce Privacy Act obligations. Most importantly, the Automated Targeting System still creates terrorist risk profiles that are secret and unreviewable.
DHS released a Response to Public Comments to the November 2006 ATS Rulemaking, new Notice of Proposed Rulemaking, System of Records Notice and Privacy Impact Assessment concerning the revised Automated Targeting System. Comments on this new rulemaking are due on September 5.
More than a year after Secure Flight was suspended for a comprehensive review, the Department of Homeland Security has announced major revisions to the program. Previously, DHS sought to use Secure Flight to assess possibilities for criminal behavior from travelers. The new program will "determine if passenger data matches the information on government watch lists, and transmit matching results to aircraft operators," according to DHS. Currently, the airlines run passenger names against the watch lists.
Secure Flight was grounded in February 2006 after government investigations found numerous security and privacy vulnerabilities. One report said the program had inconclusive risk assessments and 144 known security vulnerabilities. In February 2007, the head of the Transportation Security Administration said full implementation of Secure Flight would be delayed until 2010, at least five years behind schedule.
There are ongoing concerns about the secrecy and accuracy of watch lists and adequacy of redress procedures. In February comments to the Department of Homeland Security, EPIC urged the agency to fully apply Privacy Act requirements of notice, access, and correction to the new traveler redress program and its underlying system of watch lists. EPIC noted that the federal watch lists are full of errors. In December 2005, the director of TSA's redress office revealed that more than 30,000 people who are not terrorists have asked TSA to remove their names from the lists since September 11, 2001. Earlier this year, the head of the Transportation Security Administration said that the watchlists were being reviewed, and he expected to cut the list of names in half.
The Secure Flight Notice of Proposed Rulemaking has not yet been published in the Federal Register; comments will be due 60 days after publication. DHS has posted a copy of the notice on its site.
Department of Homeland Security, Press Release: Statement by Homeland Security Chief Privacy Officer Hugo Teufel III on the Privacy Act System of Records Notice for the Automated Targeting System (Aug. 3, 2007) (including links to the Response to Public Comments to the November 2006 ATS Rulemaking, Current Notice of Proposed Rulemaking, System of Records Notice and Privacy Impact Assessment):
Department of Homeland Security, Press Release: DHS Announces Predeparture Screening of International Passengers and First Step Toward Secure Flight (Aug. 9, 2007) (including link to the Notice of Proposed Rulemaking):
Comments on ATS of EPIC, 29 organizations and 16 privacy and technology experts (Dec. 4, 2006) (pdf):
EPIC's Comments to the Department of Homeland Security about TRIP (Feb. 20, 2007) (pdf):
EPIC's page on the Automated Targeting System:
EPIC's page on Secure Flight:
The Senate has passed a freedom of information bill introduced by Senators Leahy and Cornyn. The Openness Promotes Effectiveness in our National Government Act (OPEN Government Act), S.849, ensures that anyone who gathers information to inform the public, including freelance journalists and bloggers, may seek a fee waiver when they request information under FOIA. The bill also clarifies that the definition of news media, for purposes of FOIA fee waivers, includes free newspapers and individuals performing a media function who do not necessarily have a prior history of publication.
Further, the bill imposes a 20-day time frame for responding to requests, and allows FOIA requesters to obtain attorneys' fees when they file a lawsuit to obtain records from the government and the government releases those records before the court orders them to do so. The bill also creates an Office of Government Information Services in the National Archives, an ombudsman to mediate agency-level FOIA disputes, and a Chief FOIA Officer in every federal agency. The bill also creates a hotline service for all federal agencies, so that requesters can track their requests.
Finally, the bill also clarifies that FOIA applies to agency records that are held by outside private contractors, no matter where these records are located. The OPEN Government Act, the first major FOIA reform in over a decade, “will help to reverse the troubling trends of excessive delays and lax FOIA compliance in our government and help to restore the public's trust in their government. This bill will also improve transparency in the Federal Government's FOIA process,” according to Senator Leahy.
Openness Promotes Effectiveness in our National Government Act (the “OPEN Government Act”), S.849:
Senator Leahy Statement, "Bipartisan Leahy-Cornyn Bill Passes Senate, On Course To Increase Government Transparency" (Aug. 6, 2007):
EPIC's FOIA page:
EPIC Warns Federal Agencies About RFID in US Travel Cards
In comments to the departments of State and Homeland Security, EPIC recommended against the use of "long-range" RFID technology (which transmits personal data to remote tracking devices) in the proposed "PASS card" for travel between the United States, Canada, Mexico, and the Caribbean. EPIC explained that the tracking technology would jeopardize the privacy and security of US travelers, and urged the agencies to delay the implementation of the passport card requirement until solutions can be found for the extraordinary delays, problems, costs and privacy risks. Earlier this year, Homeland Security abandoned a similar proposal for US-VISIT travel documents, following criticisms from EPIC and the Government Accountability Office. EPIC also noted that, although the PASS card notice was released on June 26, 2007 and comments are due on or before August 27, the Privacy Impact Assessment for the proposed long-range tracking program was not released until August 10. In the last two fiscal years, DHS has only published 45 of the 189 required Privacy Impact Assessments.
EPIC's Comments on the Western Hemisphere Travel Initiative (August 1, 2007) (pdf):
EPIC's page on RFID:
Border Security Computer System Plagued With Problems
The computer system for border control program US-VISIT is riddled with security vulnerabilities, according to a new report from the Government Accountability Office, which outlined security risks in the system last year. "Weaknesses existed in all control areas and computing device types reviewed," the GAO said. Security flaws in the network used at 400 entry points nationwide increase the risk of theft or manipulation of tens of millions of identity records, which include passport, visa, Social Security and biometric data. In 2005, a computer virus crashed the US-VISIT system. According to documents released to Wired News under the Freedom of Information Act, DHS knew of the software vulnerability, but deliberately chose to leave more than 1,300 sensitive US-VISIT workstations vulnerable to attack. EPIC has repeatedly criticized many security and privacy flaws in the US-VISIT system.
Government Accountability Office, "Information Security: Homeland Security Needs to Immediately Address Significant Weaknesses in Systems Supporting the US-VISIT Program GAO-07-870" (July 2007) (pdf):
EPIC's page on US-VISIT:
FTC Seeks Public Comments on SSN Uses
The Federal Trade Commission (FTC) is requesting public comments on private sector Social Security Number uses. This follows the President's Identity Theft Task Force's April recommendation that agencies develop a record on the extent and necessity of private sector SSN use. The FTC is requesting that industry, academics, consumer advocates and law enforcement submit comments on private sector Social Security Number uses; the necessity of these uses; what alternatives are available and how to transition to alternative identifiers; and how Social Security Numbers are gathered by identity thieves.
FTC Request for Comments on Social Security Numbers:
President's Identity Theft Task Force:
EPIC Comments to Identity Theft Task Force (pdf):
OECD Communications Outlook 2007 Now Available
The biennial OECD Communications Outlook is now available. The 2007 edition provides an extensive range of indicators on the development of different communications networks and compares performance indicators such as revenue, investment, employment and prices for services throughout the OECD area. These indicators are essential for industry participants and for regulators who use benchmarking to evaluate policy performance. This book is based on the data from the OECD Telecommunications Database 2007, which provides time series of telecommunications and economic indicators, such as network dimension, revenues, investment and employment, for OECD countries from 1980 to 2005.
OECD Communications Outlook 2007:
EPIC Files Comments on E911, Proposes Greater Location Privacy
EPIC filed comments to the Federal Communications Commission on proposed rules for Enhanced 911 location information. Wireless telephone providers are required to meet certain standards for location accuracy. The FCC requested comments on location accuracy standards as well as extending the rules to VOIP services. EPIC reminded the FCC that current privacy rules do not adequately protect location information. EPIC proposed that location privacy rules should improve with location accuracy, and that there should be consistent privacy rules for VOIP and other services.
EPIC's Comments on E911 (pdf):
EPIC's CPNI page:
Cable Industry Opposes Consumer Privacy Safeguards
The National Cable and Telecommunications Association has filed a complaint with a federal appeals court challenging the FCC's rule that would protect the privacy of consumers' telephone record information. EPIC petitioned the FCC to establish these safeguards after mounting evidence of "pretexting" and identity theft, based on the misuse of telephone records. The industry groups claim a First Amendment right to disclose customer information. Courts have typically rejected that argument.
FCC, "Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information" (Apr. 2, 2007):
EPIC's CPNI Page:
Complete Guide to Security and Privacy Metrics by Debra S. Herrman (Auerbach Publications, 2007)
Measuring compliance with privacy and security standards has never been an easy task. Many privacy principles are vague ("collection limitation") and many well-defined security requirements are largely unrelated to significant privacy concerns. The law has also thrown up its hands when it comes to measuring privacy harms. Privacy statutes typically designate a fixed amount for a privacy violation. Not surprisingly, privacy and security do not fare well under a cost-benefit analysis. As a consequence, security breaches are widespread and identity theft is, according to the Federal Trade Commission, the number one concern of American consumers.
Enter this remarkably comprehensive, clearly written, and well organized manual. Debra Herrman has broad experience in IT development and system evaluation in the federal government, and a deep regard for privacy protection. Though the book is primarily directed toward IT managers, it is well informed by privacy law and policy. The guide offers plenty of checklists to evaluate key security factors. It also touches upon several of the hot button privacy concerns, including problems with RFID tags and the battles over the use of encryption.
For agency officials who are preparing a privacy impact assessment or privacy experts who want to learn more about the hard work of system security, the Complete Guide to Security and Privacy Metrics is an unbeatable resource.
-- Marc Rotenberg
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
7th Annual Future of Music Policy Summit. September 17-18, 2007. Washington, DC. For more information:
PIPA Conference: Private Sector Privacy in a Changing World. September 20-21, 2007. Vancouver, Canada. For more information:
Civil Society Privacy Conference: Privacy Rights in a World Under Surveillance. September 25, 2007. Montreal, Canada. For more information:
29th International Conference of Data Protection and Privacy Commissioners. September 25-28, 2007. Montreal, Canada. For more information:
Internet Bill of Rights meeting. September 27, 2007. Rome, Italy. For more information: http://www.internet-bill-of-rights.org/en/
OECD and Industry Canada: Shaping Policies for Creativity, Confidence and Convergence in the Digital World. October 3, 2007. Ottawa, Canada. For more information:
University of Ottawa Faculty of Law: The Revealed "I". October 25-27, 2007. Ottawa, Canada. For more information:
Computer Professionals for Social Responsibility: Technology in Wartime Conference. January 26, 2008. Stanford University. For more information: http://cpsr.org/news/compiler/2007/Compiler200707#twc
Future of the Internet Economy - OECD Ministerial Meeting. June 14-18, 2008. Seoul, Korea. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.