E P I C A l e r t
The new Congress this week passed a measure intended to implement recommendations of the 9/11 Commission. Among other provisions, the bill aims to strengthen the the oversight powers of government civil liberties and privacy officers and mandates inspection of all land and sea cargo entering the US.
The bill removes the Privacy and Civil Liberties Oversight Board from the White House and turns it into an independent agency. Board members must be approved by the Senate, and the Board must report directly to Congressional oversight committees. The bill also directs other government agencies to appoint Privacy and Civil Liberties Officers who will be accountable to Congress and to the Privacy and Civil Liberties Oversight Board, and expands the powers of the Chief Privacy Officer of the Department of Homeland Security.
The new setup for the Board includes many of the recommendations advanced by EPIC in its 2006 report on privacy oversight in the post-9/11 world, which emphasized that the Board must act in the public eye in order to increase its transparency and accountability. EPIC also called for the Board to have the authority to issue subpoenas, a power conferred by the new bill, in order to make its oversight activities more meaningful.
The new structure for the Privacy and Civil Liberties Board addresses several of the concerns regarding the inability of the current board to provide meaningful oversight and to ensure compliance with federal law. The bill is likely to encounter opposition from the White House and may be subject to a veto or a court challenge on the grounds that requiring executive branch officials to report to Congress may be viewed as an encroachment on presidential power.
The new bill also includes a commitment to improve the inspection of cargo carried on passenger aircraft and ships destined for the U.S. The legislation mandates inspection of all air cargo and requires that every sea cargo container be screened before reaching U.S. shores.
EPIC has supported the use of improved screening procedures for cargo entering the United States, but opposed the use of these techniques, such as the Automated Targeting System, to screen individuals by conducting secret background checks.
New York Times, "Under-the-Rug Oversight," Dec. 29, 2006: http://www.nytimes.com/2006/12/29/opinion/29fri3.html
Implementing the 9/11 Commission Recommendations Act of 2007: http://thomas.loc.gov/cgi-bin/query/z?c110:H.R.+1:
EPIC Testimony Before 9/11 Commission (pdf): http://www.epic.org/privacy/terrorism/911commtest.pdf
EPIC Report on Oversight: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=933690
EPIC's Automated Targeting System Page: http://www.epic.org/privacy/travel/ats/default.html
In May 2005, the Department of Defense announced that it had created a massive database for recruiting. The "Joint Advertising and Market Research" system proposed to combine student information, Social Security Numbers, and information from state motor vehicle repositories into a mega database of all those 16-25 years of age. The information would be housed at a private direct marketing firm. In June 2005, EPIC and eight privacy and consumer groups objected to the creation of the database, arguing that it violated the Privacy Act and was unnecessarily invasive.
It was announced this week in the settlement of a lawsuit brought by the New York Civil Liberties Union that the Department of Defense has agreed to limit access to the recruitment database. The lawsuit charged that the system was in violation of a 1982 recruitment law that prohibited the collection of information on individuals under the age of 17. In 2005, when the database was disclosed, it contained records on an estimated 30 million individuals. Although the database was purportedly created for recruitment purposes, its information was also being shared with law enforcement, intelligence, and other government agencies.
EPIC comments brought public scrutiny to the Department of Defense's database. Problems identified with the database included the sources of the information being used to build the database, an inability to opt out the data retention plan, and the clear illegality in the creation of the database. The federal Privacy Act requires that before an agency creates or alters a system of records that public notice be provided through the Federal Register. The Department of Defense failed to fulfill its obligations of public notice by waiting 2 years to make public that it had created the database.
EPIC Memo on Department of Defense Database (pdf):
Coalition Letter to the Department of Defense:
On November 24, 2006, the Internet Corporation for Assigned Names and Numbers (ICANN) invited public comments on its Preliminary Task Force Report on WHOIS services. The report highlights two different approaches to limitations on the public availability of WHOIS data.
The first proposal, supported by the Registrar, Registry, and Non-Commercial Users Constituencies, removes registrants' mailing addresses, phone and fax numbers and email addresses from the Whois database, and requires the use of an "operational point of contact," an intermediary who would contact the registrant in the case of an issue with the domain name. WHOIS would continue to publish the registrant's name and country.
The second proposal, supported by the Intellectual Property and Business Constituencies, retains the current data fields required under WHOIS, but allows individuals who can demonstrate reasonable concern that public access to their contact data would jeopardize their personal safety or security to substitute contact details of the registrar for their data.
ICANN's current policy requiring the publication of personal information violates the privacy rights of registrants and may violate international laws and the privacy rights in the UN's Universal Declaration of Human Rights. In its preliminary report, the Task Force agrees that new mechanisms to restrict some contact data from publication should be adopted to address privacy concerns.
EPIC has prepared comments for submission to ICANN on the Preliminary Report. EPIC supports the Operational Point of Contact proposal's removal of registrants' postal addresses, phone and fax numbers and email addresses from the Whois database, but pushes for the deletion of registrants' names and countries of origin from the Whois public database as well. As explained in Privacy and Human Rights 2005, concealing actual identity may be critical for political, artistic, and religious expression on the Internet.
The public comment period runs until January 15, 2007. The task force will consider the public comments received and prepare a final report for submission to the Generic Names Supporting Organization Council.
ICANN Launches Public Comments on WHOIS Task Force Report:
ICANN Preliminary Task Force Report on WHOIS Services:
EPIC's WHOIS Page:
In comments to the State Department, EPIC warned that a proposed People Access Security Service (PASS) card for travel between the United States, Canada, Mexico, and the Caribbean would jeopardize the privacy and security of US travelers. EPIC urged the State Department to reject the use of "vicinity read" (long-range) radio frequency identification (RFID) technology, because it contains substantial privacy and security risks, such as "skimming" and "eavesdropping", and it does not contain Basic Access Control.
The data on the PASS card would include the personal information currently displayed in passports, "bearer's facial image, full name, date and place of birth, passport card number, dates of validity and issuing authority." The card will use RFID technology to "store and transmit" a unique reference number to the border official so that she may access the traveler's information in a large federal database, "which could include additional information, for example, information about the bearer's membership in one of [Customs and Border Protection's] international trusted traveler programs," according to the State Department.
Although the State Department states that the tags will only carry a unique reference number, and not personally identifiable information, the numbers are linked to data files and are subject to interception. EPIC explained that anytime a U.S. citizen is carrying his RFID-enabled PASS card, his unique reference number, which is linked to his individual biographic information, could be accessed by unauthorized individuals. And because the RFID wireless technology is unseen, the person would not know that his information was intercepted. Privacy and security risks associated with RFID-enabled identification cards include "skimming", or reading of RFID data from an unauthorized reader, and "eavesdropping", interception of data as it is being read by an authorized reader. These problems are exacerbated by "vicinity read" RFID technology that will the passport card data to be read at a distance of up to 20 feet from the reader.
Because the PASS cards, like U.S. passports, will be valid for 10 years, it is certain that new means of attack will be developed, EPIC said. While the distance necessary to read RFID tags was initially thought to be a few inches, tests have shown they can be read from 70 feet or more. If the Department of State does implement the long-range RFID-enabled PASS card proposal, it should at least incorporate Basic Access Control or equivalent security features, into the cards, EPIC urged. Basic Access Control would require the receiving device to authenticate itself before gaining access to the data contained on the card.
EPIC Comments on the Western Hemisphere Travel Initiative Proposal (pdf):
State Department's Federal Register PASS Card Proposal:
EPIC's Spotlight on Surveillance: "Homeland Security PASS Card: Leave Home Without It":
EPIC's RFID Page:
A report from the privacy office of the Department of Homeland Security has found that information provided by DHS about the airline screening system was misleading and incomplete. The privacy office report follows a Government Accountability Office report and testimony earlier this year that the Transportation Security Administration approved Secure Flight to become operational in September, despite inconclusive risk assessments and 144 known security vulnerabilities. Congress suspended the Secure Flight program earlier this year.
Secure Flight was introduced as a successor to the now-abandoned second generation Computer Assisted Passenger Prescreening System (CAPPS II). Many of the problems with CAPPS II that led to its demise continued to plague Secure Flight in its test phase. The controversial program has been the focus of two government investigations. On February 9, the Government Accountability Office testified that "TSA may not have proper controls in place to protect sensitive information", and that the documents underlying the program "contained contradictory and missing information".
The report from the DHS privacy office found a sharp "disparity between what TSA proposed to do and what it actually did in the testing program". This "resulted in significant privacy concerns being raised about the information collected to support the commercial data test as well as about the Secure Flight program." The privacy office concluded that, "Privacy missteps such as these undercut an agency's effort to implement a program effectively, even one that promises to improve security".
EPIC has criticized the Secure Flight program in the past. Documents obtained by EPIC in 2004 under the Freedom of Information Act revealed that the government airline screening system would make extensive use of commercial data without informing the public, as required by law. EPIC also criticized Secure Flight's initial efforts to use inaccurate commercial data in making passenger threat determinations.
DHS Privacy Office report on Secure Flight (Dec. 2006) (pdf):
Government Accountability Office Testimony on Secure Flight on Feb. 9, 2006 (pdf):
FOIA documents obtained by EPIC in 2004:
EPIC's page on Secure Flight:
When President Bush signed the Postal Accountability and Enhancement Act, he included a 'signing statement' that may give the government the power to open citizens' mail without a warrant. Under the law, the government must get warrants to open first-class letters, but in the signing statement, Bush said he would construe the provision, "in a manner consistent, to the maximum extent permissible, with the need to conduct searches in exigent circumstances," which Bush defined as protecting against hazardous materials and "the need for physical searches specifically authorized by law for foreign intelligence collection".
President Bush has issued at least 750 signing statements, more than all other presidents combined, according to the American Bar Association. The very use of signing statements remains controversial for their modification of duly enacted laws. A 2006 report by the ABA emphasized that signing statements "undermine the rule of law and our constitutional system of separation of powers".
This most recent authorization comes less than a year after President Bush admitted to approving the warrantless surveillance of international telephone and Internet traffic by the National Security Agency. While the program was ruled illegal in ACLU v. NSA, a decision of the Detroit District Court, this decision has been stayed pending appeal. EPIC had previously raised questions regarding the legality and the cost of the domestic surveillance program. Despite high profile resignations and a prolonged public outcry, President Bush has continued his support of the NSA's surveillance program.
The postal amendment signing statement expands the executive right for warrantless surveillance to include both digital and physical communications.
Postal Accountability and Enhancement Act (pdf): http://www.epic.org/redirect/postalact0111.html
White House Signing Statement: http://www.whitehouse.gov/news/releases/2006/12/20061220-6.html
ABA Blue-Ribbon Task Force on Signing Statements: http://www.abanet.org/media/releases/news072406.html
ACLU v. NSA No.06-CV-10204 (pdf): http://www.epic.org/privacy/terrorism/fisa/acluvnsaop081706.pdf
EPIC Spotlight on NSA Eavesdropping Program: http://www.epic.org/privacy/surveillance/spotlight/0106/
EPIC's Wiretapping Page: http://www.epic.org/privacy/wiretap/
Senate Judiciary hearing on data mining
This week the Senate Judiciary Committee, now under new leadership, turned its attention to government data mining efforts. Senator Leahy, the committee chair, announced the introduction of the Federal Agency Data Mining Reporting Act of 2007 -- previous versions were introduced in 2003 and 2005. Concerned that data mining is practically ineffective and represents data collection on millions of Americans, the bill aims to provide some oversight over the practice. Agencies will have to report their uses of data mining to Congress.
Data Mining Hearing Webpage: http://judiciary.senate.gov/hearing.cfm?id=2438
Previous Version of Federal Agency Data Mining Reporting Act (2005): http://thomas.loc.gov/cgi-bin/bdquery/z?d109:s.01169:
Supreme Court rejects opportunity to review secret travel ID requirements
The Supreme Court on Monday, January 8th, refused to hear a challenge to secret Transportation Security Administration (TSA) rules on passenger identification. The case, Gilmore v. Gonzales, was filed after John Gilmore was refused the ability to board a plane without showing ID. The TSA also refused to reveal the "secret" regulations governing passenger identification. Gilmore sued, claiming his right to travel anonymously and a due process right to know the regulations he was expected to follow.
EPIC's Amicus Brief in Favor of Gilmore's cert petition (pdf): http://www.epic.org/privacy/airtravel/gilmore_amicus.pdf
EPIC's Air Travel Privacy Page: http://www.epic.org/privacy/airtravel/
Gilmore Case Website: http://www.papersplease.org/gilmore/
OneDOJ program attempts to broaden data sharing
Over the past year and a half, the Justice Department has been assembling a database of millions of case files in order to facilitate information-sharing between law enforcement officials. The OneDOJ database already provides uniform access to over 1 million case records from Justice's five main agencies: FBI; Bureau of Alcohol, Tobacco, Firearms and Explosives; Drug Enforcement Administration; U.S. Marshals Service and the Federal Bureau of Prisons. Currently, OneDOJ is allowing local and state law enforcement regional access to Justice's records, but plans to expand to allow local and state law enforcement to exchange data nationally.
Deputy Attorney General's OneDOJ memorandum (pdf): http://i.a.cnn.net/cnn/2006/images/12/26/dag.onedoj.pdf
FTC seeks comments on ID theft
On December 28, 2006, the Federal Identity Theft Task Force announced it "is seeking public comment on ways to improve the effectiveness and efficiency of federal government efforts to reduce identity theft". The Identity Theft Task Force is responsible for developing a strategic plan to better prevent identity theft, coordinate prosecution, and ensure recovery for victims. Comments must be filed on or before January 19, 2007. EPIC is in the process of drafting a response to the Identify Theft Task Force.
Federal Trade Commission: Identity Theft Task Force Seeks Public Comment: http://www.ftc.gov/opa/2006/12/fyi0688.htm
Federal Trade Commission: The President's Identity Theft Task Force web site: http://www.ftc.gov/bcp/edu/microsites/idtheft/taskforce.htm
EPIC's Federal Trace Commission Page: http://www.epic.org/privacy/internet/ftc/
Federal Trade Commission - President's Identity Theft Task Force Summary of Interim Recommendations (pdf): http://www.ftc.gov/os/2006/09/060916interimrecommend.pdf
U.S. Securities and Exchange Commission Press Release: Federal Identity Theft Task Force Seeks Public Comment: http://www.sec.gov/news/press/2006/2006-220.htm
January 28 is EU data protection day
The Council of Europe, with the support of the European Commission, will be celebrating Data Protection Day on January 28, 2007. The aim of Data Protection Day is to give European citizens the chance to understand what personal data is collected and processed about them and why, and what their rights are with respect to this processing. The day also aims to educate individuals on the risks associated with the illegal mishandling and unfair processing of their personal data. Each interested member state, international and national body is organizing events at a local level, such as panel discussions, media campaigns and education programs.
Council of Europe Data Protection Day Page: http://www.epic.org/redirect/coe0111.html
The Public Voice Page: www.thepublicvoice.org
"Encyclopedia of Privacy" (in 2 volumes) edited by William G. Staples (Greenwood Press 2007).
The Encyclopedia of Privacy takes a comprehensive look at the issue of privacy in the United States today and throughout history. Edited by William G. Staples, professor and chair of the Department of Sociology at the University of Kansas, the Encyclopedia of Privacy is a useful tool for laypersons and experts alike. Its 226 detailed but accessibly-written entries, authored by over 100 privacy scholars and experts, include topics as general as wiretapping and as specific as Carnivore software. The volumes also provide summaries of key cases, brief biographies of notable personalities, a chronology of major privacy-related events, and a short section on general privacy resources. Each entry also provides a list of resources for further study.
-- Allison Knight
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
Assessing Current Privacy Issues. Riley Information Services, Inc.
February 21, 2007. Ottawa, Ontario, Canada. For more information:
5th Conference on Privacy and Public Access to Court Records. Center for
Legal and Court Technology and Administrative Office of the
States Courts. March 22-23, 2007. Williamsburg, Virginia. For more
CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.