EPIC Alert
On February 6, Senators Leahy and Specter introduced the Personal Data Privacy and Security Act of 2007 (S. 495). The bipartisan bill, which is substantially similar to one introduced in 2005, requires government and commercial entities to ensure that the personal data they collect is protected by adequate security.
The bill aims to prevent and mitigate identity theft, ensure privacy, provide notice of security breaches, and enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.
The bill adds “unauthorized access to sensitive personally identifiable information” to the criminal prohibition against computer fraud under the Criminal Code. It also provides a criminal penalty for intentional and willful concealment of a security breach involving personal data, and increases criminal penalties for identity theft involving electronic personal data.
The bill also requires the government to establish rules protecting privacy and security when it uses information from commercial data brokers. Among other protections, agencies would have to regularly audit the security measures of their vendors, and the General Services Administration would be required to review all government contracts to make sure that vendors have appropriate security programs in place and that they don't provide information to the government that they know to be inaccurate. Government contractors that fail to meet data privacy and security requirements would be subject to penalties.
Commercial data brokers, in addition to establishing internal policies to protect personal data, are required to allow individuals access to, and the opportunity to correct, any personal information that they hold. Entities that maintain personal data must give notice to law enforcement, consumers and credit reporting agencies when they experience a breach involving sensitive personal data that presents a “significant risk of harm.” In the spirit of creating a national standard, the bill preempts state legislation that governs these issues for interstate commerce. Unfortunately, this preemption has the effect of lessening protections in jurisdictions with more stringent standards. Currently, over 35 states have enacted or are considering security breach legislation, with varying notification requirements.
Personal Data Privacy and Security Act Of 2007 (pdf): http://www.epic.org/privacy/pdf/DPSA2007.pdf
Comments of Senator Leahy on the Personal Data Privacy and Security Act Of 2007: http://leahy.senate.gov/press/200702/020607.html
President Bush's $2.9 trillion budget proposal for Fiscal Year 2008 is a 4.2 percent increase over Fiscal Year 2007's budget. Agencies other than State, Defense and Homeland Security will receive increases of about 1 percent, less than the rate of inflation. The budget includes significant cuts for spending on health care, education, housing and other domestic programs, such as Medicare and the State Children's Health Insurance Program.
However, the Department of Homeland Security is seeking an 8 percent increase over last year's request for several expensive surveillance systems.
According to the Department, the agency is seeking:
- $252 million for the Western Hemisphere Travel Initiative, which creates new identification requirements for US citizens traveling to Canada, Mexico, and the Caribbean
- An increase of $146.2 million for the "Unique Identity initiative" that will put in place a 10-Print identification system and link the Automated Biometric Identification System (IDENT) at the Department of Homeland Security with the Integrated Automated Fingerprint Identification System (IAFIS) at the Department of Justice.
- An increase of $38 million in funding for the Secure Flight system, a program that was suspended by Congress following a government report that found an inconclusive risk assessment and 144 security vulnerabilities.
- An increase of $16.5 million for the Transportation Worker Identification Credential (TWIC), a credential-based, identity verification program that uses biometric technology.
- $30 million for the Employment Eligibility Verification (EEV) program to expand government enforcement of workplace credentials.
Some of the $13 billion requested for border security and immigration enforcement will be spent on the Automated Targeting System, a federal database that assigns terrorist risk ratings to tens of millions of American citizens; the ratings are secret, unreviewable, and retained by the government for 40 years. A recent EPIC Spotlight on Surveillance report, "Customs and Border Protection's Automated System Targets U.S. Citizens," detailed the problems with the system, which was originally established to assess cargo that may pose a threat to the United States.
Proposed Federal Budget for Fiscal Year 2008: http://www.whitehouse.gov/omb/budget/fy2008/budget.html
Fact Sheet: U.S. Department of Homeland Security Announces Eight Percent Increase in Fiscal Year 2008 Budget Request: http://www.dhs.gov/xnews/releases/pr_1170702193412.shtm
Government Accountability Office Testimony on Secure Flight on Feb. 9, 2006 (pdf): http://www.gao.gov/new.items/d06374t.pdf
EPIC's Spotlight on Surveillance on the Automated Targeting System (Oct. 2006): http://www.epic.org/privacy/surveillance/spotlight/1006/
EPIC's page on Secure Flight: http://www.epic.org/privacy/airtravel/secureflight.html
Last week, the Maine House and Senate registered nearly unanimous opposition to the federal REAL ID Act, which mandates federal requirements for state driver's licenses. Another dozen states are reviewing legislation against REAL ID, including Arizona, Georgia, Hawaii, Massachusetts, Missouri, New Hampshire, New Mexico, Oklahoma, Utah and Wyoming.
The resolution passed in Maine stated that, "Maine State Legislature refuses to implement the REAL ID Act and thereby protest the treatment by Congress and the President of the states as agents of the federal government." The resolution also asks Congress to repeal the law. Sen. Daniel Akaka (D-HI) and Sen. John Sununu (R-NH) introduced legislation, the Identification Security Enhancement Act, on December 8, 2006, to repeal REAL ID and replace it with language that includes strong security and privacy protections. Sen. Sununu expects to introduce similar legislation in this Congressional session.
Congress passed REAL ID without a hearing even though legislators in both parties urged debate. The senators said they believe REAL ID "places an unrealistic and unfunded burden on state governments and erodes Americans' civil liberties and privacy rights." The National Conference of State Legislatures has released a report estimating REAL ID's cost to the states would be more than $11 billion over five years.
Under the REAL ID Act, state DMVs will have to verify identification documents and the legal status of immigrants. States are mandated to link their databases so that all information collected by each DMV can be accessed. State DMV offices are often the targets of identity thieves. If the Department of Homeland Security Secretary doesn't grant states an extension to meet the certification requirements, then by May 11, 2008 (three years after passage of the REAL ID Act) states must meet federal standards to be accepted for federal use (entrance into a courthouse, onto a plane; receiving federal benefits, such as Social Security or Medicare). The Department of Homeland Security has yet to issue the guidelines explaining how the states can meet these standards.
Maine Legislature's Resolution Against the REAL ID Act: http://www.mainesenate.org/mitchell/realid.htm
National Conference of State Legislatures Report: The Real ID Act: National Impact Analysis (pdf): http://www.epic.org/redirect/ncsl_id_0906.html
The Identification Security Enhancement Act (S. 4117): http://thomas.loc.gov/cgi-bin/bdquery/z?d109:s.04117:
Text of the REAL ID Act (pdf): http://www.epic.org/privacy/id_cards/real_id_act.pdf
EPIC's page on National ID Cards and REAL ID Act: http://www.epic.org/privacy/id_cards/
The Department of Justice will turn over secret documents detailing the government's domestic spying program, Attorney General Alberto Gonzales said last week. The warrantless program, run by the National Security Agency, monitors phone calls and e-mails between individuals in the United States and other countries that have suspected links to terrorist organizations. A federal judge in Detroit last August declared the program unconstitutional.
The Attorney General's announcement came the day after the Bush administration announced it had agreed to put the program under the authority of the Foreign Intelligence Surveillance Court. The package of documents the Bush administration is giving to lawmakers is expected to include investigators' applications for permission to eavesdrop, the legal briefs submitted to the Foreign Intelligence Surveillance Court, and judges' orders. The documents will be given to Senate Judiciary Chairman Patrick Leahy and Ranking Member Arlen Specter. Gonzales stated that the documents would not be released publicly, because of their “highly classified nature.”
At a committee hearing two weeks ago, senators criticized Gonzales for refusing to release the documents even though the Foreign Intelligence Surveillance Court's presiding judge had no objections to making them available to lawmakers who have been cleared to receive details about the program.
In his testimony at the committee hearing, Leahy stressed that “only with an understanding of the contours of the wiretapping program and the scope of the Court's orders can the Judiciary Committee determine whether the Administration has reached the proper balance to protect Americans while following the law and the principles of checks and balances.” He went on to say that he looks forward to “reviewing the Court's orders and then deciding what further oversight or legislative action is necessary.”
US Senate Committee on the Judiciary hearing on “Oversight of the U.S. Department of Justice”: http://judiciary.senate.gov/hearing.cfm?id=2473
Comment of Sen. Leahy on the Bush Administration's Announcement That It Will Make FISA Court Orders Available http://leahy.senate.gov/press/200701/013107a.html
EPIC's page on the Foreign Intelligence Surveillance Act http://www.epic.org/privacy/terrorism/fisa/
EPIC Feature: Resources on Domestic Surveillance http://www.epic.org/features/surveillance.html
Florida's new Governor Charlie Crist proposed spending $32.5 million in state funds to replace all paperless touch-screen voting systems with optical scan ballots, which would move Florida from paperless to paper-based voting. The decision comes 86 days after the controversial end of the race to fill the seat for the 13th Congressional District, an election contest in which about 18,000 ballots, or 13% of votes cast on Election Systems & Software's iVotronic paperless touch-screen voting systems, registered no vote in that race. Typically an under-vote of about 2.5 percent can be expected in an election.
Although Election Day 2006 saw many instances of electronic voting machine failures that affected races in the states of Arkansas, Florida, Maryland, Pennsylvania and Virginia, attention came to the Florida election because the under-vote involved a Congressional race with a 369-vote margin of victory. Several legal challenges were launched following the outcome of the election with some still awaiting court rulings on appeal. Sarasota County officials conducted post election investigations of the technology and attributed the under-vote to a ballot design problem.
Post-election analyses of the 2000 and 2004 presidential elections, and the legal challenges that followed them, have identified many obstacles to reliable public elections, including problems with voter registration, voter roll purges, polling place practices, accessible polling locations, voting technology, usability of voting mechanisms, absentee ballots, and vote tabulation. In response to these problems, the Help America Vote Act of 2002 became law. This law began a historic shift from lever, paper, and punch card voting systems to optical scan and DRE systems. According to Election Data Services, a political consulting firm specializing in election administration, the transformation to electronic systems is nearly complete. The number of registered voters in counties using optical scan voting systems has increased from 46.7 million (29.5%) to 84 million (48.9%), and the number of registered voters in counties using DRE systems has increased from 19.7 million (12.4%) to 65.9 million (38.4%), within two federal election cycles. Less than 15% of registered voters are in counties that use neither system.
This week Congressman Rush Holt introduced H.R. 811, a bill that would amend the Help America Vote Act of 2002 to require a voter-verified permanent paper ballot.
Florida's Governor's Web Page: http://www.flgov.com/
Governor Crist's Press Release: http://www.flgov.com/release/8585
Help America Vote Act 2002: http://www.fec.gov/hava/law_ext.txt
National Committee for Voting Integrity: http://www.votingintegrity.org/
EPIC's page on Voting: http://www.epic.org/privacy/voting/
Rule on Phone Record Privacy Expected Soon
The FCC is expected to issue a rule to protect telephone record privacy from pretexters. Legislation passed by Congress last year made pretexting a crime but did nothing to improve security standards for telephone companies that often release customer information to those engaging in fraud. Expected changes include requirements that telephone companies: use passwords before giving out telephone records; only mail the records to home addresses; and call back at the registered service number to verify requests for disclosure. EPIC filed a petition with the FCC calling for the establishment of strong security standards for customer information in August 2005. EPIC Executive Director Marc Rotenberg and FCC Chairman Kevin Martin testified on the need for stronger security standards before a House Committee in February 2006.
EPIC's page on Illegal Sale of Phone Records: http://www.epic.org/privacy/iei/
EPIC's comments on the FCC notice of proposed rulemaking: http://www.epic.org/privacy/iei/fcccom42806.html
House Commerce Committee Report, "Prevention of Fraudulent Access to Phone Records Act" http://thomas.loc.gov/cgi-bin/cpquery/T?&report=hr398&dbname=109&
European Union Pressure on SWIFT and Passenger Name Records Grows
Members of the European Parliament have become increasingly vocal in their disapproval of what many view as disregard for EU data protection laws in international data transfers. In a January 31, 2007 joint debate of the European Parliament, speakers criticized the Commission and the Council for the institutions' handling of two EU-US data protection issues: the transfer of financial data by the SWIFT banking consortium to US authorities, and the transfer of passenger name records by European airlines to the US Department of Homeland Security. French liberal deputy Jean-Marie Cavada referred to both the passenger name record agreements and to the case of SWIFT when he stated that "the EU's sovereignty has not been respected." On February 1, 2007, European Data Protection Supervisor Peter Hustinx issued an opinion faulting the European Central Bank, along with other banks that are SWIFT members, for neglecting their oversight of the co-operative.
European Data Protection Supervisor Opinion on SWIFT (pdf): http://www.epic.org/redirect/edpc2907.html
EPIC's Spotlight on Surveillance on SWIFT: http://www.epic.org/redirect/spotlight2907.html
EPIC's page on EU-US Airline Passenger Data Disclosure: http://www.epic.org/privacy/intl/passenger_data.html
Accountability Office Criticizes Federal Agency Over Security of Health Data
In a report issued on February 1, the US Government Accountability Office criticized the Department of Health and Human Services (HHS) for issuing contracts to develop initiatives for health information technology records-sharing without setting up adequate privacy guidelines. The report recommends that HHS “define and implement an overall privacy approach that identifies milestones for integrating the outcomes of its initiatives, ensures that key privacy principles are fully addressed, and addresses challenges associated with the nationwide exchange of health information.” In its comments, HHS disagreed with this recommendation and stated that it has established a comprehensive privacy approach, and that rigid benchmarks would impede its dialogue with stakeholders.
US Government Accountability Office Report on Health Information Technology (pdf): http://www.gao.gov/new.items/d07400t.pdf
EPIC's page on Medical Privacy: http://www.epic.org/privacy/medical/
EPIC Joins Civil Liberties Brief in Newsletter Subscriber Privacy Case
EPIC has joined six civil liberties groups to submit a "friend of the court" brief in Forensic Advisors, Inc. v. Matrixx Initiatives, Inc., which is currently before the Maryland Court of Appeals, the highest court in the state. In this case, pharmaceutical company Matrixx is attempting to force Timothy Mulligan, a newsletter publisher, to disclose his subscriber list so that Matrixx can use it in connection with a lawsuit filed against unidentified people who posted derogatory comments about the company on Internet discussion boards. The brief argues that the subscriber list is protected under the First Amendment, since disclosure of the list would deter readership and violate constitutionally established privacy rights. A lower state court held that Mulligan is a member of the news media under Maryland law. The brief argues, therefore, Mulligan is covered by a state law protecting journalists' sources. EPIC previously joined a "friend of the court" brief for the case when it was before a lower state court.
January 2007 Amicus Brief Submitted by EPIC, et al. (pdf): http://www.epic.org/free_speech/forensic_amic0107.pdf
June 2005 Amicus Brief Submitted by EPIC, et al. (pdf): http://www.epic.org/free_speech/forensic_amicus.pdf
Homeland Security Secretary Outlines Policy on Information Sharing
In a memo dated February 1, Department of Homeland Security (DHS) Secretary Michael Chertoff outlined his policy for information exchange and sharing, which calls for all DHS components to share “potential terrorism, homeland security, law enforcement and related information” with each other. According to the memo, all DHS components are considered one agency under the Privacy Act, and “the presumption is that information will be shared, not hoarded.” Each component agency is required to amend any information-sharing agreements that are inconsistent with the new policy, and to submit copies of all agreements to the DHS Executive Secretariat by February 15.
Department of Homeland Security memo (February 1, 2007) (pdf): http://www.epic.org/redirect/dhsmemo020707.pdf
Congressional Reports on FISA, Electronic Surveillance, Made Available
The Federation of American Scientists has made available two Congressional Research Service reports, which are not usually released to the general public. The first report provides an overview of the Foreign Intelligence Surveillance Court, including its history, structure and jurisdiction. The second report analyzes a bill passed by the House in the last Congress in response to the President's domestic surveillance program.
"The U.S. Foreign Intelligence Surveillance Court and the U.S. Foreign Intelligence Surveillance Court of Review: An Overview," (January 24, 2007) (pdf): http://www.epic.org/privacy/pdf/crs-1.pdf
"Electronic Surveillance Modernization Act, as Passed by the House of Representatives," (January 18, 2007) (pdf): http://www.epic.org/privacy/pdf/crs-2.pdf
"Proskauer on Privacy" edited by Christopher Wolf (Practising Law Institute 2006).
“An essential tool for attorneys, businesses, and public agencies that must secure personal data. Government surveillance of private citizens is challenging the limits of the law. Businesses are bound by more data security standards as ID theft soars. Globalization is triggering more privacy directives impacting U.S. multinationals. Out of all these often-intertwined laws, what privacy and data security standards do you have to satisfy? How can you comply with them and avoid sanctions and penalties? You'll get the crucial answers you need when you turn to PLI's new PROSKAUER ON PRIVACY - today's most comprehensive and current guide to privacy and data security laws in the U.S. and around the globe. Essential reading for legal and business practitioners, Proskauer on Privacy provides today's most exhaustive and up-to-date analysis of the staggering array of domestic and international privacy and data security laws governing the public and private sectors. Covering everything from the Foreign Intelligence Surveillance Act to the Fair Credit Reporting Act to the CAN-SPAM Act, PROSKAUER ON PRIVACY helps: Federal agencies satisfy provisions of the Privacy Act of 1974 and related law. Employers observe the privacy-related provisions of the Americans with Disabilities Act. Website and online services comply with the Children's Online Privacy Protection Act. U.S. businesses deal effectively with Canada's complex patchwork of privacy laws. At the same time, PROSKAUER ON PRIVACY sheds light on privacy standards in Japan, China, Hong Kong, India, Australia, Russia, and other nations -- privacy laws in California and other vanguard states -- the intense legal debate over warrantless wiretapping -- the payment card industry's bold data security initiatives -- and a lot more.”
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
Expanding Access to Criminal History Information and Improving Criminal Record Backgrounding. SEARCH. Monday, February 12, 2007. Arlington, Virginia. For more information:
The Centre for Innovation Law & Policy: A Practical Approach to Global Privacy Compliance. February 13, 2007. Toronto, Canada. For more information, contact Jean McNeil.
Working Group Discussion on Federal Government Outsourcing of Intelligence Gathering and Law Enforcement Duties. EPIC and Liberty Coalition. February 14, 2007. Washington DC. For more information, contact Melissa Ngo.
Assessing Current Privacy Issues. Riley Information Services, Inc. February 21, 2007. Ottawa, Ontario, Canada. For more information:
Internet Privacy Symposium: Research Findings from the OPC Contributions Program. Privacy Commissioner of Canada and Law and Technology, University of Ottawa. February 23, 2007. Ottawa, Ontario. For more information:
RFID and Ubiquitous Computing. Trans Atlantic Consumer Dialogue. March 12, 2007. Brussels, Belgium. For more information:
Consumer Authentication: How Do You Know It Is Really Me? American Bar Association, Section of Business Law. March 16, 2007. Washington, DC.
National FOI Day Conference. March 16, 2007. Washington DC. For more information: http://www.firstamendmentcenter.org
5th Conference on Privacy and Public Access to Court Records. Center for Legal and Court Technology and Administrative Office of the United States Courts. March 22-23, 2007. Williamsburg, Virginia. For more information:
CFP2007: Computers, Freedom, and Privacy Conference. Association for Computing Machinery. May 2007. Montreal, Canada. For more information:
29th International Conference of Data Protection and Privacy Commissioners. September 25-28, 2007. Montreal, Canada. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.