E P I C A l e r t
On March 9, 2007, the Department of Justice Office of the Inspector General (OIG) issued a report on the FBI's use of the National Security Letter (NSL) authority. National Security Letters represent an extraordinary search procedure that permits the FBI to compel the disclosure of records held by banks, telephone companies, and others without judicial oversight. Recipients of these requests are forbidden to reveal that they have received the request. NSLs have existed since 1986, but the Patriot Act's section 505 expanded the scope of whose records could be reached with an NSL as well as the number of personnel at the FBI that could issue them. NSL requests grew from an average of 8,500 a year to 40,000 in 2003, 56,000 in 2004, and 47,000 in 2005.
The FBI is required to report to Congress on the number of NSLs issued; the OIG found that the FBI underreported this number. The OIG review looked at 77 case files containing 293 NSLs out of a population of 140,000 during the 2003-2005 period. This review found that there were 17% more NSLs in the sample of case files than in FBI reporting databases. Delays in data entry also caused about 4,600 NSLs to not be reported to Congress. The OIG concluded that the FBI database significantly understates the number of NSL requests issued, and that Congress has been misinformed about the scale of the usage of the NSL authority.
The report also found significant violations of law and regulations. Violations are supposed to be self-reported by the FBI to the Intelligence Oversight Board. During the 3-year period in question, the FBI self-reported 26 violations out of the 140,000 NSLs issued. The OIG found 22 potential violations out of the sample of 293 NSLs it reviewed. This indicates that large amounts of violations are not being self-reported, as the OIG found that 22 percent of the files it investigated contained possible violations.
The OIG also found over 700 "exigent letters," which are not authorized by statute and some of which appear to have been issued when no exigency or emergency existed. These letters requested records from telephone companies and promised that proper subpoenas had been submitted or would follow. However the OIG found no confirmation that subpoenas, National Security Letters, or other proper process did follow or had in fact been submitted. In 2005, EPIC uncovered documents concerning National Security Letters that revealed violations of law reported to the Intelligence Oversight Board.
Office of the Inspector General's Report (pdf):
EPIC's Patriot Act Page:
In testimony before the House Energy and Commerce_ Committee on March 9, EPIC Executive Director Marc Rotenberg testified in support of H.R. 936, the Prevention of Fraudulent Access to Phone Records Act. The Act would increase privacy protections for phone records, and has received strong support from both Democratic and Republican committee members alike. In its testimony, EPIC stressed that action in this area is overdue.
In August 2005, EPIC petitioned the Federal Communications Commission (FCC) to initiate a rulemaking to enhance security protections for individuals' phone records. The FCC endorsed EPIC's petition in February 2006. Yet, after more than a year has passed, there has been no proposal from the FCC setting forth clear standards for telephone record privacy. The Prevention of Fraudulent Access to Phone Records Act would begin to address the challenges the FCC has been unwilling or unable to address.
At issue is the security of customer proprietary network information (CPNI). CPNI includes calling history and activity, billing records, and unlisted telephone numbers of service subscribers. CPNI can only be released in limited circumstances, but the security of this data has been compromised in recent years through the use of "pretexting," the practice of online data brokers and private investigators accessing personal information by pretending to be the account holder. The Prevention of Fraudulent Access to Phone Records Act would strengthen a telecommunication carrier's obligations to only disclose CPNI to its owner or to authorized users. Additionally, the Act requires the FCC to prescribe regulations adopting more stringent security standards for CPNI to detect and prevent violations of the Act by telecommunications carriers.
Some of the regulations the Act requires the FCC to set forth rules on are: timely notice to a customer if his or her data has been compromised; requiring telecommunications carriers to keep a record of each time a customer's record is requested, including how that person's authority to access the information was verified; and requiring telecommunications carriers to establish "appropriate" standards to ensure security of CPNI. The Act further recommends that the FCC regulate regarding even stronger security measures, such as encryption of data and data destruction after a certain period. In its testimony, EPIC strongly advocated for these measures, as it had done in its August 2005 petition.
EPIC also called for the Federal Communications Commission to investigate the issue of whether telephone companies violated the federal Communications Act when they disclosed the records of American citizens to the government without judicial oversight.
EPIC's Testimony before the House Energy and Commerce Committee on the Prevention of Fraudulent Access to Phone Records Act (pdf):
The Prevention of Fraudulent Access to Phone Records Act of 2007:
EPIC's August 2005 Petition to the FCC:
FCC's Feb. 2006 Press Release on Rulemaking (pdf):
EPIC's page on Phone Record Security:
On March 12, 2007, the Internet Corporation for Assigned Names and Numbers (ICANN)'s WHOIS task force issued its Final Report on WHOIS Services. The task force considered two different approaches to limiting the public availability of WHOIS data, and endorsed the Operational Point of Contact (OPoC) proposal, which would remove registrants' mailing addresses, phone and fax numbers and email addresses from the Whois database, and replace this information with an "operational point of contact" who would contact the registrant in the case of an issue with the domain name.
EPIC submitted comments to ICANN supporting the Operational Point of Contact proposal to limit access to registrants' information. EPIC stressed that current WHOIS policies requiring the publication of personal information conflict with national privacy laws, and reach beyond the original technical purpose of WHOIS, putting individual registrants at risk of spamming, phishing, and identity theft. However, EPIC also stated that while the OPoC proposal does provide more privacy safeguard than currently exist, it does not go far enough. According to EPIC, registrants' names and/or countries should be removed from public access, because anonymous registration of domain names may be critical for political, artistic and religious expression.
The OPoC proposal met with much resistance from the intellectual property community, who considers WHOIS data an important tool for trademark enforcement and investigation of infringing and/or fraudulent web sites. The OPoC proposal's initiators acknowledged EPIC's statement that the name and country of registrants should also be removed, but stated that "in the interests of preserving the existing compromises" made by the task force, the name and country information will remain publicly available.
Also on March 12, the Article 29 Working Party issued a letter to ICANN expressing its support of the OPoC. Similar to EPIC's comments, the Working Party pointed to conflicts between current WHOIS practice and EU legislation and international guidelines, and concluded that non-commercial users' names and countries should only be published with consent.
The Final Report will be discussed at the upcoming public ICANN meetings in Lisbon on March 26-30, 2007. The GNSO Council will then make a policy recommendation to the ICANN Board.
Final Task Force Report on WHOIS Services:
Article 29 Working Party Letter to ICANN (pdf):
EPIC's Comments on Preliminary Task Force Report:
EPIC's WHOIS page:
At a Department of Homeland Security Data Privacy and Integrity Advisory Committee meeting on Wednesday, EPIC and other groups explained the many security, financial and privacy costs created by the REAL ID Act and its proposed implementation regulations. On March 1, more than two years after Congress rushed through passage of the REAL ID Act, the Department of Homeland Security announced proposed regulations that would turn the state driver's license into a national identity card. The estimated cost of the plan could be as high as $23.1 billion, according to the federal government.
At the hearing, EPIC, officials from the Department of Homeland Security, the ACLU, the Center for Democracy and Technology, the states of Massachusetts and Texas, and the National Governors Association testified about the proposed regulations. All those who testified, with the exception of representatives from DHS, discussed various problems created by the proposed regulations. Melissa Ngo, Director of EPIC's Identification and Surveillance Project, said, "the biggest problem is the failure to establish adequate privacy and security safeguards in a system to identify 245 million license and ID cardholders nationwide."
EPIC, ACLU and CDT explained that the ubiquity of state driver's licenses and ID cards mandate that only REAL ID cards will be used for federal purposes, and universal design for non-REAL ID cards discussed in the proposed regulations, add up to a national ID card and an atmosphere where people without such cards will be looked upon with suspicion. Ngo said, "We already see this with states that have rejected REAL ID implementation … and other critics of the REAL ID Act and proposed regulations have been labeled anti-security. It is not anti-security to reject a national identification system that does not add to our security protections."
Jonathan Frenkel, DHS Senior Policy Adviser, admitted in his testimony that it will be possible to circumvent the REAL ID system's security, because every system can be compromised. This universal vulnerability of any centralized system of identification, such as the proposed scheme, increases the criminals doing an end-run around the system, Ngo said. "Several layers of security protect you more than one universal layer, such as a national ID card," she said.
Barry Steinhardt, Director of the ACLU's Technology & Liberty Program, described the many ways in which the proposed regulations failed to address security and privacy concerns. ACLU found that the regulations "solve only 9 percent of problems with the act that have been identified." He said the regulations failed to address, among other things, threats to safety of individuals, such as domestic violence victims, from the "principal address" requirement. Sophia Cope, Staff Attorney at the Center for Democracy and Technology, explained that the national database and unencrypted machine-readable zone would lead to a massive expansion of data-gathering by third parties, such as clubs or insurance companies. This would greatly increase the risk of identity theft, and increase the possibility of mission creep. Department of Homeland Security Secretary Michael Chertoff has discussed the possibility of broadly expanding the use of REAL ID cards. He said they might "be used for a whole host of other purposes where you now have to carry different identification."
During the question and answer period, several committee members expressed concern about the possible security and privacy threats. Committee member Neville Pattinson said that security and privacy questions about the machine-readable zone technology, which allows data to be directly downloaded, are not "question[s] of encryption, but of accessibility and who should have access to it." Committee member Ana Anton noted that privacy and security are not independent of each other. "Privacy is an operational consideration … the cost is far greater if we don't design [privacy safeguards] from the start."
The proposed REAL ID implementation regulations are open for comment until May 8, 2007. To take action and talk to Congress about this ill-conceived identification scheme, visit the Electronic Frontier Foundation's Take Action page: http://www.epic.org/redirect/EFF030907
DHS Data Privacy and Integrity Advisory Committee:
DHS's Notice of Proposed Rulemaking on REAL ID:
DHS Privacy Office's Privacy Impact Assessment of the Proposed Regulations (pdf):
EPIC's Testimony at March 21, 2007 Meeting of DHS Data Privacy and Integrity Advisory Committee (pdf):
CDT's Testimony at March 21, 2007 Meeting of DHS Data Privacy and Integrity Advisory Committee:
ACLU's Real ID Scorecard:
National Governors Association's Page on REAL ID:
EPIC's Spotlight on Surveillance on REAL ID Regulations:
EPIC's page on National ID Cards and the REAL ID Act:
The House Committee on the Judiciary held a hearing entitled, "Protecting the Right to Vote: Election Deception and Irregularities in Recent Federal Elections," on March 7, 2007. The hearing took testimony from several members of Congress, including Senators Obama and Cardin as well as Congresspersons Emanuel, Sanchez, King and Bilbray.
Both the Senate and the House of Representatives introduced bills that define election engagement activity as a "deceptive practice" if it is known that the "communication is false information." Penalties for deceptive campaign practices would include a felony charge and increasing the penalty up to $250,000 or five years imprisonment.
Some the deceptive campaign tactics used in recent elections include: auto-dialers that provided inaccurate information on polling locations to voters; direct mail that warned naturalized individuals and voters with Hispanic surnames of criminal penalties should they vote; and leaflets that implied community leaders' support for candidates that were not factual.
Other issues raised during the hearing included the charge of voter identity fraud and the need to increase voter identification requirements. Recently, several proposals have been advanced at both the federal and state level to change existing election administration regulations to require eligible electors to provide proof of citizenship in order to register to vote and/or present a form of photo identification in order to cast a ballot. The approved forms of proof of citizenship or photo identification vary across jurisdictions but, in general, the options are limited to a few government-issued documents.
EPIC submitted a statement for the hearing record that said, "[t]he notable increase of disinformation and misinformation efforts directed at otherwise eligible voters to impede their decision to vote in public elections is disturbing. Further, the idea of voter identity theft raises alarm about the security and integrity of the voter registration and ballot casting process." However, "EPIC finds the ideas of proof of citizenship and photo identification requirements an extreme approach to a yet undefined problem that has yet to be acknowledged by election administration professionals or state attorneys generals as a pressing issue."
EPIC's Testimony before the House Committee of the Judiciary on “Protecting the Right to Vote” (pdf):
Judiciary Committee Hearing “Protecting the Right to Vote: Election Deception and Irregularities in Recent Federal Elections”:
Senate Resolution 453, Deceptive Practices and Voter Intimidation Prevention Act of 2007 (pdf):
House Resolution 1281, Deceptive Practices and Voter Intimidation Prevention Act of 2007 (pdf):
National Committee for Voting Integrity:
EPIC's Voting Privacy Page:
Google Announces Data Retention Policy
Google Inc. announced its new data retention policy last week. Google stated that it will partly obscure the IP address associated with its users' searches after somewhere between 18 and 24 months, "unless legally required to retain the data for longer." Previously, said Google, "we kept this data for as long as it was useful." The information on specific searches will remain indefinitely but it will be harder to tie searches to specific individuals or computers. The 18-24 month retention period represents the maximum period of data retention currently adopted in the EU Directive on Mandatory Retention of Communications Traffic Data. The US has not yet legislated on data retention periods, but bill H.R. 837, introduced in the House on February 6, 2007, would require the Attorney General to issue regulations governing the retention of records by Internet Service Providers.
EU Directive on Mandatory Retention of Communications Traffic Data:
H.R. 837, Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act (SAFETY) of 2007:
EPIC's Data Retention page:
DHS Privacy Office Assesses Proposed REAL ID Regulations
The Department of Homeland Security Privacy Office has released its Privacy Impact Assessment of the proposed regulations to implement the REAL ID Act, which mandates federal requirements for state driver's licenses and requires state DMVs to verify identification documents, such as birth certificates. The Assessment "examines the manner and method by which the personal information of American drivers and ID holders will be collected, used, disseminated, and maintained pursuant to the proposed [regulations]." Notably, the proposed regulations do not mandate encryption technology to protect the privacy and security of personal, data even though the Privacy Office recommends such technology in its assessment.
DHS Privacy Office's Privacy Impact Assessment of the Proposed Regulations (pdf):
EPIC's page on National ID Cards and the REAL ID Act:
European Commission Report Discusses Public Knowledge of RFID Use
A new report from the European Commission reviewed a poll of 2,190 respondents from European Union member-states concerning the use of radio frequency identification technology. "Overall, 60% of respondents feel that there is insufficient information available to make an informed analysis of RFID technologies," the report said. The report also looked at privacy questions, and found that "privacy is seen as being more than just the security of the devices or the protection of the personal data per se (integrity, illegal access, etc.). It extends to the use of personal data in networks; its storage, collection and how it is linked to different sources," (emphasis in original). The report is one of the first steps in the European Commission's plan to develop guidelines for the use of RFID by government agencies and commercial businesses. In December, a report from the U.S. Department of Homeland Security Data Privacy and Integrity Advisory Committee urged against using RFID technology unless it is the "least intrusive means to achieving departmental objectives."
European Commission Report: Results of the Public Online Consultation on Future Radio Frequency Identification Technology Policy (pdf):
Department of Homeland Security, Data Privacy and Integrity Advisory Committee, The Use of RFID for Human Identity Verification (Report No. 2006-02) (Dec. 6, 2006) (pdf):
EPIC's Page on RFID:
Senate Fails to Establish Independence for Privacy Oversight Board
Bill S.4, Improving America's Security Act of 2007, passed by the Senate last week, purports to implement unfinished recommendations of the 9/11 Commission. However, the bill fails to establish independence for the Privacy and Civil Liberties Oversight Board, which is currently within the Executive Office of the President. EPIC recommended stronger oversight mechanisms for the Board, consistent with the recommendations of the 9-11 Commission Report, in its testimony before the 9/11 Commission. The House has introduced the Implementing the 9/11 Commission Recommendations Act of 2007, H.R.1, that would make the Privacy Board into an independent agency, require Senate confirmation of all members, and establish subpoena authority and reporting requirements. The measure passed the House of Representatives on January 9, 2007.
S.4, Improving America's Security Act of 2007:
H.R.1, Implementing the 9/11 Commission Recommendations Act of 2007:
EPIC's Testimony Before 9/11 Commission (pdf):
EPIC's Report on Oversight:
EPIC Calls on Congress to Withdraw Abused NSL Authority
In a letter to the Senate Judiciary Committee, EPIC recommended that Congress repeal the National Security Letter authority. National Security Letters permit the FBI to compel the disclosure of records held by banks, telephone companies, and others without judicial oversight. In 2005, EPIC uncovered documents concerning National Security Letters that revealed violations of law reported to the Intelligence Oversight Board. More recently, the Office of Inspector General reported serious misuse of the power at the FBI.
EPIC's Letter to Committee of the Judiciary:
EPIC Patriot Act Page:
The Hidden Face of Technology: Is Technology Turning Britain into a Fascist State? By Philip N. Thompson (Frogeye Publications 2006).
Thompson understands technology, and knows that it raises issues not simply about the inventions themselves, but about how society uses, and forms around, new technologies. He also knows that surveillance is being put in place in democratic countries by design: while many “think of a surveillance society as something sinister and of dictatorships reminiscent of Cold War countries such as Russia and East Berlin… the surveillance society is more a result of the modern organizational practices of businesses, government and the military." The "hidden face" of technology then, is represented by the people directing, controlling, and using technology to monitor. Individuals may or may not see the Radio Frequency Identification (RFID) tag on an item in the store; however, the tag allows a system to surreptitiously track and profile individuals based on that RFID tag. Thompson gives the example of a system that outputs - in real time -- the percentage probability that someone in a given store is planning on stealing a packet of Mach3 razors! We may see the technology, we may be told it exists, and we may be told of its consequences.
The book's sixteen chapters each cover a different privacy topic, such as: video surveillance; biometrics; communications and email monitoring; cell phones; and supermarket loyalty cards. He describes the various stakeholder interests in deploying each technology, such as the constable that wants cameras reading license plates every few miles on the road. Thompson gives examples, real or imagined, of the threats to privacy and security that these systems create. Each chapter describes the technology and the threats faced in straightforward terms, and provides URLs for resources on each topic. Thompson also adds a quick overview of privacy in Britain. The book serves both as a comprehensive introduction for beginners as well as a useful resource for those with more experience in privacy issues.
-- Guilherme Roschke
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
5th Conference on Privacy and Public Access to Court Records. Center for
Legal and Court Technology and Administrative Office of the
States Courts. March 22-23, 2007. Williamsburg, Virginia. For more
The Policy Challenges of Electronic Privacy. European Parliamentary Technology Assessment organization. March 28, 2007. Brussels, Belgium. For more information contact firstname.lastname@example.org
Communications event. American Bar Association. March 28, 2007. Washington DC.
Privacy Coalition meeting. March 30, 2007. Washington DC. For information contact Lillie Coney at: email@example.com
Security and Liberty Forum. University of North Carolina. April 14, 2007. Chapel Hill, NC. For more information: www.seclibforum.org
Proof Positive: New Directions for ID Authentication Public Workshop. Federal Trade Commission. April 23 and 24, 2007. Washington DC. For more information contact: firstname.lastname@example.org
CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:
Conference on Interdisciplinary Studies in Information Privacy and Security. Rutgers University. May 22, 2007. New Brunswick. For more information: http://www.scils.rutgers.edu/ci/isips/
Privacy Compliance Conference. The Canadian Institute. May 30-31, 2007.
Toronto, Canada. For more information:
29th International Conference of Data Protection and Privacy
Commissioners. September 25-28, 2007. Montreal, Canada. For more
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.