EPIC Alert
In a letter to Google's Eric Schmidt, the top Republican of a powerful Congressional committee has asked the Google CEO to explain the company's privacy practices since the acquisition of Internet advertiser Doubleclick. Rep. Joe Barton (R-TX) is the co-founder of the House Privacy Caucus.
"Individually, Google and Doubleclick collect a great deal of data relating to their users' online activity. It is critical that Google's and Doubleclick's policies and procedures for handling this information be transparent, and that every effort is made to protect consumers' data," Rep. Barton wrote. He also pressed Google about the retention of persistent identifiers, such as IP addresses and User IDs.
Last year, EPIC, CDD and US PIRG filed a complaint with the Federal Trade Commission requesting that the Commission open an investigation into the proposed acquisition, specifically with regard to the ability of Google to record, analyze, track, and profile the activities of Internet users with data that is both personally identifiable and data that is not personally identifiable. EPIC further urged the Commission to require Google to publicly present a plan to comply with well-established government and industry privacy standards such as the OECD Privacy Guidelines. Pending the resolution of these and other issues, EPIC encouraged the Commission to halt the acquisition. However, the Commission failed to impose privacy safeguards as a condition of the Google-Doubleclick merger.
Earlier this year, in testimony before the European Parliament in Brussels, EPIC President Marc Rotenberg said that Google was beginning to reveal the characteristics of an "information monopolist" and that it was important for governments to act to preserve the rights of citizens and to safeguard competition and innovation in the information economy. EPIC also recommended to the European Commission that IP addresses be considered personally identifiable information. A subsequent report from the Article 29 Data Protection Working Party endorsed this approach.
Letter from Rep. Barton to Google (May 21, 2008) (pdf):
http://epic.org/redirect/goog_let0508.html
2003 California Online Privacy Protection Act:
Article 29 Data Protection Working Party, Opinion on data protection issues related to search engines (April 4, 2008) (pdf):
EPIC's Testimony before the European Parliament (pdf):
EPIC page on Privacy? Proposed Google-DoubleClick Merger:
The 18th Annual meeting of Computers Freedom and Privacy took place in New Haven, Connecticut from May 20-24, 2008. The meeting hosted panel discussions on a wide range of topics, including: Constitutional Law in Cyberspace, e-Deceptive Campaign Practices, Presidential Policy and Technology: Priorities for the Next Executive, the National Security State, and an all-day Hands-on Session on Social Networking.
The theme of the meeting focused on the opportunities to shape information technology policy of the next President of the United States. Meeting planners sought to offer perspectives and advice to the next Administration on key technology and policy issues such as: surveillance, consumer protection, innovation, and sustainable Internet technology policy. The meeting included representatives from Senators John McCain and Barack Obama, who presented their candidates' views on technology policy and the presidency.
An in-depth discussion on technology and the changing face of society reviewed key areas that have seen the greatest change for the 2008 Presidential election. Key areas are the deployments of Fusion Centers, the Surveillance State, and e-Deceptive Campaign Practices. Plenary panel discussions on the 21st Century Panopticon and the National Surveillance State and the Next Administration looked closely at the adoption of surveillance policies and their infrastructures. A panel discussion on e-Deceptive Campaign Practices explored the first signs that voter deceptive practices in the off-line world may be reaching cyberspace.
The conclusion of the meeting was the collective drafting of an open letter to all of the presidential candidates on the importance of information technology policy. The letter outlined key topics for the unfolding election year debate such as: creating a safer Internet for children and adults; reducing identity theft; the role of content ownership; using new technologies effectively; enabling access to technology and knowledge; as well as protecting privacy.
Computers, Freedom, and Privacy 2008:
Information on e-Deceptive Campaign Practices; National Surveillance State and the Next Administration; and the 21st Century Panopticon can be found at:
EPIC's Privacy '08 Campaign:
Congressional leaders and White House officials are reportedly considering a compromise in the ongoing debate over changes to the President's warrantless surveillance powers. Changes to the Foreign Intelligence Surveillance Act ("FISA") are being debated along with a provision of immunity for telecommunications companies that participated in the President's warrantless surveillance program.
The President had previously vowed to veto any bill that did not include immunity for those telecom companies. The Senate passed an immunity bill, but the House has twice passed a different bill. The latest, HR 3773, rejects administration demands for automatic retroactive immunity for the telecom companies, establishes a bipartisan commission to investigate the President's warrantless wiretapping program, and provides for greater oversight of surveillance targeted against persons overseas. The House bill also allows secret evidence to be introduced in court instead of being barred by claims of the state secrets privilege by the President.
Republican Sen. Kit Bond offered some terms of compromise in an attempt to make the Senate bill more palatable to the House. The compromise proposal would allow the secret FISA court to dismiss cases if a preponderance of evidence supported a certification by the attorney general that the President authorized the programs. The FISA court would not determine whether the telecommunications companies broke the law, whether the programs were lawful, or whether there was a basis in the companies for believing that they were being asked to participate in a lawful program.
The FISA court consists of judges appointed by the Chief Justice of the United States; its normal role involves hearing secret applications for government wiretaps. The government has submitted thousands of applications for secret warrants and fewer than 10 have been denied.
Other offers in the compromise include an Inspector General review of the warrantless surveillance program, and language duplicating the provision that FISA is the "exclusive means" by which electronic surveillance is done. These debates follow the expiration of the Protect America Act, which expanded the President's warrantless surveillance powers. The Act removed some surveillance from the limited FISA court review and allowed the government to create more surveillance programs with limited review.
Sen. Bond's Compromise Offer (pdf):
House Bill, HR 3773:
EPIC page on FISA:
EPIC page on FISA Court Orders:
On May 20, the Senate Judiciary Committee held a hearing examining "Global Internet Freedom: Corporate Responsibility and the Rule of Law." Representatives from Google, Yahoo, and Cisco answered questions about corporate practices. The surveillance firm L-1, which was the focus of a recent Rolling Stone article regarding surveillance in China, did not participate.
EPIC and Privacy International annually publish Privacy and Human Rights, a detailed report on the state of privacy around the world. The most recent edition discusses new systems of surveillance in China and notes privacy concerns surrounding the upcoming Beijing 2008 Summer Olympics. It was recently reported that tickets for the opening and closing ceremonies will be embedded with microchips containing the ticketholder's photograph, passport details, addresses, e-mail and telephone numbers. This represents an unprecedented link between personal information and Olympic tickets.
In March, the U.S. State Department issued a warning for Americans intending to travel to China for the 2008 Summer Olympics. The Department warned that visitors should expect lowered standards of privacy and increased surveillance by the Chinese authorities.
In the Department's 2007 Human Rights Report, China is described as an authoritarian state. The report maintains that while the laws ostensibly protect the freedom and privacy of citizens, in practice privacy is not respected. According to the report: "During [2007,] authorities monitored telephone conversations, facsimile transmissions, e-mail, text messaging, and Internet communications. Authorities also opened and censored domestic and international mail. The security services routinely monitored and entered residences and offices to gain access to computers, telephones, and fax machines. All major hotels had a sizable internal security presence, and hotel guestrooms were sometimes bugged and searched for sensitive or proprietary materials."
EPIC previously urged the Department of Commerce to restrict the export of high-tech surveillance equipment to China. Following the 1989 Tiananmen Square massacre, the U.S. restricted the export of products such as tear gas, handcuffs, and shotguns to China. EPIC has noted that American firms sell technology products to Chinese police and security authorities that can be used to track political dissidents, in spite of China's dismal human rights record. Cisco, for example, has marketed and sold its products as "strengthening police control."
Congress has criticized American technology companies for their role in supplying China with tools to suppress free speech and invade privacy. In 2006, members of Congress accused four major U.S. Internet companies, Microsoft, Yahoo, Cisco Systems, and Google, of helping the Chinese government block certain online information by providing it with surveillance and filtering tools. Yahoo has been further criticized for its role in helping Chinese authorities identify dissidents who posted information on the Web through Yahoo's online services. Two such dissidents were identified, arrested and sentenced to prison terms of eight and 10 years.
EPIC's Privacy and Human Rights Report:
EPIC page on Olympic Privacy:
U.S. State Department travel warning regarding privacy in China:
U.S. State Department's 2007 Human Rights Report on China:
EPIC's 2006 Letter Regarding Surveillance Technology Exports To China (pdf):
Rep. Edward J. Markey (D-MA) and Rep. Joe Barton (R-TX), senior members of Congress, challenged the legality of Charter Communications' plan to intercept and inspect its customers' Internet activity. The Congressmen stated that Charter's plan "raises substantial questions" related to the federal Cable Television Privacy Act. Charter, the nation's fourth-largest cable provider, recently announced that it has partnered with NebuAd to intercept and analyze Charter customers' Internet activity and develop profiles based on the data. Congressmen Markey and Barton requested that Charter hold off on the proposed venture with NebuAd.
In mid-May, some Charter customers received notices stating that the cable giant would soon begin to perform "deep packet inspection" of their Internet traffic. Deep packet inspection can reveal the substance of nearly all Internet traffic over a subscriber's connection, including Web surfing content, search engine queries, and e-mail messages. The notices were sent to customers in four markets: Fort Worth, Texas; San Luis Obispo, California; Oxford, Massachusetts; and Newtown, Connecticut. Charter plans to use the initial four locations as test markets, and intends to expand its deep packet inspection activities to all Charter customers in the future.
Charter partnered with NebuAd to implement its deep packet inspection program. NebuAd will install its hardware on Charter's system, and pay Charter a monthly fee per subscriber. Charter and NebuAd will use deep packet inspection techniques to develop profiles of customers' online behavior, and then target advertising at individual users. This sort of intensive inspection and monitoring has been criticized by network neutrality advocates, as well as in the online advertising context in the UK. Charter's deep packet inspection program is the first large-scale implementation by a major US Internet Service Provider.
The law cited by Congressmen Markey and Barton, the Cable Television Privacy Act, regulates companies that provide cable services. The Act prohibits cable companies from disclosing subscribers' personally identifiable information without "prior written or electronic consent of the subscriber." Charter plans to disclose its customers' personally identifiable information to NebuAd and others without obtaining prior written consent.
In addition to the questions raised by Congressmen Markey and Barton, Charter's deep packet inspection plan may run afoul of other laws. For example, the federal Wiretap Act bars, in most cases, interception of electronic communications. The Act provides for civil liability and criminal penalties against any entity that "intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept any […] electronic communication [except as provided in the statute]."
EPIC page on Deep Packet Inspection and Privacy:
Letter from Rep. Markey and Rep. Barton to Charter (pdf):
Charter's Letter to Subscribers (pdf):
EPIC Supports New Internet Privacy Standard
On May 24, EPIC submitted comments to ICANN (which manages domain names and IP addresses) in support of the Domain Name System Security Extensions (“DNSSEC”) proposal currently under consideration. The DNS security extension would help protect users from attempts by hackers to spoof, masquerade, and hijack Web sites, EPIC said. “Whereas an Internet user with unsecured DNS can only guess about the authenticity of the server which provides his browser with the IP address for a given domain name, with DNSSEC users can validate the identity of the DNS server.” The Public Interest Registry has proposed to implement DNSSEC for the .ORG domain. DNSSEC is already in use by the top-level country code domains of Sweden, Bulgaria, Brazil, and Puerto Rico.
Internet Corporation for Assigned Names and Numbers (ICANN):
EPIC Comments to ICANN in Support of DNSSEC Proposal (May 24, 2008):
EPIC page on Domain Name System Security Extensions (DNSSEC):
President Signs Genetic Nondiscrimination Act
President Bush has signed into law the Genetic Information Nondiscrimination Act of 2008. The Act had been introduced in 2003, but died in the U.S. House after passing the U.S. Senate. The bill was reintroduced in January and was passed by both chambers in the last few weeks. The Act prohibits discrimination on the basis of genetic information with respect to health insurance and employment. However, the Act does not address the privacy risks associated with the collection and storage of electronic health records.
Genetic Information Nondiscrimination Act, S. 358:
EPIC page on Genetic Privacy:
China Adds RFID Tags to Olympics Tickets
The Chinese government has announced that it will embed radio frequency identification (“RFID”) tags into tickets for the 2008 Summer Olympic Games. The RFID tags transmit data wirelessly and there are questions about the security of the data, which will include the ticketholder's passport details, address, and other personal data. In March, the U.S. State Department issued a travel advisory warning that hotel rooms and offices may be subject to monitoring and may be accessed without the consent or knowledge of the occupant.
U.S. State Department Travel Warning About 2008 Olympic Games in Beijing:
EPIC's page on Privacy and the 2008 Olympic Summer Games:
DHS Releases Privacy Impact Assessment for EINSTEIN 2 System
The Department of Homeland Security (DHS) has released a Privacy Impact Assessment for the EINSTEIN 2 intrusion detection system. Though the system collects IP and e-mail addresses, the Assessment states that no System of Records Notice will be issued under the Privacy Act of 1974. EINSTEIN 2 upgrades the previous EINSTEIN system, described in a 2004 Privacy Impact Assessment. The EINSTEIN system produced analyses on all network traffic and recorded personally identifiable information for later use. EINSTEIN 2 adds a system to automatically detect malicious network activity, creating alerts when it is triggered. These alerts may contain personally identifying information such as e-mail and IP addresses.
EINSTEIN 2 Privacy Impact Assessment:
US House Committee on Homeland Security Hearing On "The Cyber Initiative":
EPIC Page on Deep Packet Inspection and Privacy:
'Privacy Lives': New Site Monitors the Pulse of Privacy
"Privacy Lives" is a new site covering privacy and civil liberties issues in modern society. "In 1755, Benjamin Franklin wrote, 'Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.' Centuries later, we face numerous attacks on our privacy and civil rights, ostensibly for national security. Phone calls are tapped, e-mails are read, and individuals are tracked by video surveillance. We're told that if you're not for these invasive surveillance tactics, then you're with the terrorists. PrivacyLives.com rejects such fear mongering. This site will chronicle and analyze these attacks and various defenses against them to show that privacy lives on, despite this onslaught." The publisher of the site, Melissa Ngo, was previously EPIC's Senior Counsel and Director of EPIC's Identification and Surveillance Project. She is currently a Privacy and Information Policy Consultant.
Privacy Lives, "Monitoring the Pulse of Privacy":
Privacy Journal Survey of State and Federal Laws, 2008 Update
"Privacy Journal has published the newest Supplement to its acclaimed book of state laws on privacy, showing that 35 states have enacted laws requiring notifications to persons affected by security breaches in databases held by businesses or government agencies. The federal government has not yet passed such protections.
"A total of 22 states now provide a consumer an opportunity to have a 'security freeze' placed on a credit report, to make it more difficult for a stranger to have credit reported in the name of an innocent consumer. Oregon and California now require all entities to have information security plans in place. And a few states have laws requiring shredding of business records with individuals' account numbers or Social Security numbers on them, according to Privacy Journal's latest survey of state and federal privacy laws."
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC 2007). Price: $50.
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 23rd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
A Progressive Framework for Bridging the ID Divide, Center for American Progress. June 2, 2008. Washington, D.C. For more information:
2008 National Convention, American Constitution Society. June 12-14, 2008. Washington, DC. For more information: http://acslaw.org/
Making the Future of the Internet Economy Work for Citizens, Consumers and Workers, The Public Voice Conference. June 16, 2008. Seoul, Korea. For more information: http://thepublicvoice.org/events/seoul08/
Future of the Internet Economy - OECD Ministerial Meeting. June 17-18, 2008. Seoul, Korea. For more information:
Second Annual National Institute on Cyberlaw: Expanding the Horizons. June 18-20, 2008. Washington DC. For more information:
Conference on Ethics, Technology and Identity. The Hague. June 18-20, 2008. For more information: http://www.ethicsandtechnology.eu/ETI
Privacy Laws & Business 21st Annual International Conference. Value Privacy, Secure Your Reputation, Reduce Risk. 7-9th July, 2008, John’s College, Cambridge. For more information:
The Privacy Symposium - Summer 2008: An Executive Education Program on Privacy and Data Security Policy and Practice, August 18-21, Harvard University, Cambridge, MA. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.
If you would like more information on Privacy '08, go online and search for "Privacy 08". You'll find a Privacy08 Cause at Facebook, Privacy08 at Twitter, a Privacy08 Channel on YouTube to come soon, and much more. You can also order caps and t-shirts at CafePress Privacy08.
Start a discussion. Hold a meeting. Be creative. Spread the word. You can donate online at epic.org. Support the campaign.