Home | Databases | WorldLII | Search | Feedback EPIC Alert

EPIC Alert 15.16 [2008] EPICAlert 16

E P I C A l e r t

http://www.epic.org/alert/EPIC_Alert_15.16.html

On July 30, 2008, Senators Sam Brownback and Jim Bunning introduced a Senate Resolution expressing concern regarding the "deterioration of respect for privacy and human rights in the People's Republic of China before the 2008 Olympic Games in Beijing." Senator Brownback announced that he has obtained an order from China's Public Security Bureau that requires foreign-owned hotels to install invasive snooping equipment that monitors Olympic visitors' Internet activity. The hardware and software installed on hotel networks will collect and transmit sensitive data from hotel guests, including foreign visitors and journalists, to the Chinese Government. Brownback observed that this directive contradicts China's pledge to the International Olympic Committee that the country would "maintain an environment free of government censorship during the Games."

China's security practices prompted the U.S. State Department to issue a warning for Americans intending to travel to the 2008 Beijing Olympics. The U.S. Government cautioned visitors to expect lowered standards of privacy, as well as surveillance by the Chinese authorities. The travel advisory warns that hotel rooms and offices may be subject to technical monitoring and may be accessed without the consent or knowledge of the occupant. In response, Chinese Foreign Ministry Spokesperson Qin Gang called the State Department warning "irresponsible" and maintained that foreign visitors would have privacy protections in China, as guaranteed by the law. The Chinese Constitution and statutes do provide some privacy protections, but enforcement has been uneven. The spying plan also contravenes longstanding international privacy and human rights norms, including Article 12 of the Universal Declaration of Human Rights, which prohibits "arbitrary interference with privacy, family, home or correspondence."

In addition, Senators Sherrod Brown and James Inhofe sent a letter to IOC President Jacques Rogge calling on the International Olympic Committee to reverse a reported Internet censorship deal it has made with China. Contrary to promises made by China's Olympic organizing committee, the Chinese government will censor sensitive sites "not considered Games related." In 2001, to secure the Summer Olympics, China assured Olympic organizers that foreign journalists would enjoy "complete freedom to report" when they arrive in 2008. But, the temporary regulations enacted for the duration of the Games that allowed for reporting on "political, economic, social and cultural matters" included the caveat that such reporting be done "in conformity with Chinese laws and organizations." The IOC denied entering into any censorship arrangement and continues to encourage the Chinese officials "to provide media with the fullest access possible to report on the Olympic Games, including access to the Internet." Currently, web sites associated with sensitive issues are blocked, including those related to Amnesty International and Tibet.

In the most recent edition of the annual Privacy and Human Rights report, EPIC reported that China was building a massive infrastructure for state surveillance and noted that US firms, such as China Information Security Technologies and L-1 Identity Solutions, were supplying surveillance equipment in apparent violation of the Department of Commerce guidelines, adopted after the Tiananmen Square massacre of 1989. In September 2006, EPIC wrote to Commerce Secretary and urged Mr. Gutierrez to address the risk that the Chinese government would use the technology exported from the United States to track "dissidents, journalists, and members of 'unauthorized religions.'"

Senate Resolution Regarding Olympic Spying, S. Res. 633: http://thomas.loc.gov/cgi-bin/query/z?c110:S.Res.633:

Letter to IOC President Jacques Rogge: http://epic.org/redirect/080808_ioc.html

U.S. State Department Travel Advisory for Olympics 2008: http://epic.org/redirect/080808_olym_travel.html

EPIC Letter to Secretary Gutierrez (Sept. 20, 2006) http://www.epic.org/privacy/intl/doc_china_letter.pdf

EPIC's Privacy and Human Rights report: http://epic.org/phr06/

EPIC page on Olympic Privacy: http://epic.org/privacy/olympic/

On July 30, 2008, President Bush revised a key Executive Order that defines the authorities of the US intelligence agencies. First written in 1981, Executive Order 12333 establishes the "Goals, Directions, Duties, and Responsibilities with Respect to United States Intelligence Efforts" as well as the "Conduct of Intelligence Activities." The Director of National Intelligence (DNI) drafted the revised Order that grants the top intelligence office new powers to coordinate domestic surveillance. According to Director Mike McConnell, these amendments respond to key findings of the 9/11 and WMD Commissions while "maintain[ing] or strengthen[ing] the protections for privacy rights and civil liberties."

The newly amended Order establishes the Director of National Intelligence as the head of the Intelligence Community who bears ultimate responsibility for the production and dissemination of intelligence. Also, the Director "may enter into intelligence related agreements with foreign governments and international organizations." The DNI exercises budgetary authority over the National Intelligence Program to create groups and acquire resources that facilitate the task of "lead[ing] a unified, coordinated, and effective intelligence effort." This Order contains several definitional changes, including the introduction of the terms "civil liberties" and "privacy," and replacement of the vaguely descriptive "special activities" with the better understood "covert action."

Critics claim that the amended Executive Order 12333 unnecessarily expands Executive power. The American Civil Liberties Union has expressed fears that the new focus on domestic threats allows the DNI to task any agency to spy on American citizens at home. The Electronic Frontier Foundation asserts that the proposed amendments are unnecessary because sufficient mechanisms are already in place to conduct surveillance. Currently, the National Security Agency may obtain the Attorney General's authorization for such surveillance only if the AG has probable cause to believe a U.S. person overseas is an agent of a foreign power, a spy, a terrorist, or someone who aids or abets them.

Some legislators condemn the Bush administration's penchant for secrecy and prior violations of existing Executive Orders. Senators Russ Feingold and Sheldon Whitehouse plan to introduce a bill that requires the President to place a notice in the Federal Register upon modification or revocation of a published Order. Senator Feingold cites the administration's claim that the warrantless wiretapping program constituted a tacit amendment, not a violation, of Executive Order 12333.

EPIC previously warned the 9/11 Commission that new surveillance authorities require new forms of oversight. Freedom of Information Act litigation pursued by EPIC found that the Intelligence Oversight Board has routinely failed to investigate unlawful investigations since passage of the Patriot Act and urged Congress to establish a statutory basis for oversight of intelligence abuses within the United States.

2008 Amendments to Executive Order 12333: http://www.whitehouse.gov/news/releases/2008/07/20080731-2.html

Executive Order 12333: http://www.whitehouse.gov/infocus/nationalsecurity/amended12333.pdf

Senate Bill, S. 3405 (introduction pending): http://www.fas.org/sgp/congress/2008/secretlaw.html

EPIC Testimony Before the 9-11 Commission: http://epic.org/privacy/terrorism/911commtest.pdf

EPIC FOIA Notes #12: More Reports of Unlawful Intelligence Investigations http://epic.org/foia_notes/note12.html

EPIC Letter to Senators Specter and Chairman (June 16, 2006) http://epic.org/privacy/surveillance/sen_iob_letter.pdf

The Federal Trade Commission (FTC) has finalized two separate settlements, one with discount retailer TJX, and another with data brokers Reed Elsevier and Seisint. The settlements arise from the companies' failures to provide reasonable and appropriate security for sensitive consumer information, resulting in the exposure of the sensitive personal information of over 500,000 consumers and millions of dollars in financial fraud. The final settlements announced this week impose security and audit responsibilities on the companies, but none of the financial penalties that EPIC had requested.

In April, EPIC filed comments with the FTC urging federal regulators to include civil penalties in the settlements. EPIC acknowledged the security and audit provisions may result in marginal improvements to the security and privacy practices of TJX (whose retail stores include Marshall's and TJMaxx) and to Reed Elsevier and Seisint, the databrokers responsible for the LexisNexis database service. However, EPIC argued that information security programs and audits were insufficient to safeguard the sensitive consumer data held by TJX and LexisNexis. EPIC argued that substantial civil penalties were warranted, not only as a punitive measure against TJX and LexisNexis, but also to provide strong practical incentives to these and companies who collect and store sensitive consumer data.

EPIC also noted that the FTC imposed $10 million in civil penalties in a similar settlement regarding privacy breaches by Choicepoint. After EPIC filed a complaint in 2004 alleging that the databroker's business practices put consumers' privacy at risk, the Commission determined that ChoicePoint's failure to employ reasonable security policies compromised the sensitive personal data of more than 163,000 consumers. Like the TJX and LexisNexis Consent Orders, the ChoicePoint settlement required the company to implement a comprehensive information security program and obtain independent audits of its information security programs for twenty years. Unlike the Consent Orders, the ChoicePoint settlement also required the company to pay $10 million in civil penalties and $5 million in consumer redress. "The similarities are striking between the ChoicePoint data breach on the one hand, and the TJX and LexisNexis breaches on the other," EPIC wrote to the FTC in April. "The difference between the financial penalty imposed in the ChoicePoint settlement and the TJX and LexisNexis Consent Orders is equally remarkable. Given the greater severity of the TJX and LexisNexis data breaches, each Consent Order should include civil penalties of at least $10 million - the civil penalty levied in the ChoicePoint settlement."

The settlements arose from data breaches that exposed the sensitive personal information of over 500,000 consumers and resulted in millions of dollars in financial fraud. According to the FTC complaint against TJX, the retailer, which operates over 2,500 stores worldwide, failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks. As a result, an intruder was able to access tens of millions of credit and debit payment cards, as well as the personal information of approximately 455,000 consumers. Banks claimed that tens of millions of dollars in fraudulent charges were made on the cards and millions of cards were cancelled and reissued. In its action against data brokers Reed Elsevier (REI) and Seisint, the FTC alleged that the companies allowed customers to use easy-to-guess passwords to access Seisint's "Accurint" databases. The databases contained sensitive consumer information, including drivers license numbers and Social Security numbers. Identity thieves exploited these security failures, and obtained sensitive information about at least 316,000 consumers from Accurint databases. The identity thieves used the information to activate credit cards and open new accounts, and made fraudulent purchases on the cards and new accounts.

EPIC's comments on the FTC consent orders with TJC, Reed Elseivier and Seisint: http://epic.org/privacy/idtheft/042808_ftc.pdf

FTC announces settlement with TJC, Reed Elsevier and Seisint for failing to provide adequate security for consumers' data (March 27, 2008): http://www.ftc.gov/opa/2008/03/datasec.shtm

FTC approves final Consent Order (August 1, 2008): http://ftc.gov/opa/2008/08/tjxreed.shtm

For more on data breaches and ID theft, see EPIC's Identity Theft: Its Causes and Solutions page: http://epic.org/privacy/idtheft/

The Transportation Security Administration (TSA) announced that it is suspending new applications to the Clear Registered Traveler Program after vulnerabilities were discovered in the storage of applicants' sensitive personal information. The security flaws came to light after an unencrypted laptop computer was stolen from San Francisco International Airport on July 26. The computer was owned by Verify Identity Pass (VIP), the company which operates the registered traveler scheme. It contained unencrypted personal information regarding approximately 33,000 travelers, including names, addresses, and passport and driver's license numbers.

In the wake of the data theft, government officials suspended new applications to the Clear program, and also asked that the subcontractor for the program immediately notify the individuals impacted. In addition, San Francisco and all other airports using Clear have been instructed to ensure that VIP suspends enrollment, ceases use of any unencrypted computers, and secures the devices until encryption can be installed. TSA requires registered traveler service providers and sponsoring entities to encrypt all files containing participants' sensitive personal information. Noncompliance can result in actions including suspension of a program and possible civil penalties.

The Clear program permits users to bypass normal airport security lines after they enroll and undergo a background check. Applicants are required to fill out basic background information, then the company verifies an applicant's identity by requiring two forms of government-issued identification. Clear captures an applicant's photograph, fingerprint images and iris images. Clear is the largest registered traveler program participant with over 165,000 fliers for sixteen different programs at Albany, Cincinnati, Denver, Washington D.C. Dulles, Washington D.C. Reagan National, Indianapolis, Little Rock, New York LaGuardia, New York JFK, Newark, Oakland, Orlando, Salt Lake City, San Jose, San Francisco and Westchester Airports.

EPIC has warned of the privacy and security risks posed by registered traveler programs. EPIC has expressed concerns because the programs' members do not have the protections of the federal Privacy Act, as only government agencies are subject to the law. Also, the programs can suffer from mission creep - a risk that information volunteered will be used for reasons not related to their original aviation security purposes. EPIC has also warned about the problem of "false positives" within the system and the absence of effective redress procedures that would leave many travelers improperly designated as "high-risk."

EPIC's page on passenger profiling: http://epic.org/privacy/airtravel/profiling.html

EPIC's Spotlight on Surveillance Regarding Registered Traveler Programs: http://epic.org/privacy/surveillance/spotlight/1005/

TSA's press release on the suspension of the Clear program: http://www.tsa.dhs.gov/press/releases/2008/0804.shtm

Clear: http://www.flyclear.com/about/clear_howclearworks.html

Senior members of Congress have requested details of Internet companies' efforts to spy on their customers. In a letter sent to 33 companies, including AT&T, Time Warner, Microsoft, and Google, the Congressmen ask whether the companies have experimented with certain behavioral advertising techniques which impinge on consumer privacy and may fall afoul of federal law.

The inquiries come after Congress criticized two companies that publicly announced their own plans to spy on their users. In May, some subscribers of Charter Communications' broadband Internet service received notices stating that Charter would soon begin to perform Deep Packet Inspection (DPI) of their Internet traffic. Charter had partnered with a company called NebuAd to use DPI techniques to develop profiles of customers' online behavior, and then target advertising at individual users. Charter dropped the program a month later, after Reps. Edward J. Markey (D-MA) and Joe Barton (R-TX) challenged its legality under the federal Wiretap Act and the Cable Television Privacy Act.

In July, another internet service provider, Embarq, dropped its own partnership with NebuAd after Congressmen raised similar criticisms. Digital rights groups have documented how NebuAd's hardware uses security exploits to spy on users, violating fundamental expectations of Internet privacy and security. This week, Congressman Edward J. warned that "new technologies, such as 'deep packet inspection' technologies, have the ability to track every single website that a consumer visits while surfing the Web" and stated that these techniques "raise clear privacy issues."

Members of Congress are now taking a preemptive step to determine whether other leading telcos and Internet firms are experimenting with similar invasive techniques. In the letter, leaders from both parties question the "growing trend of companies tailoring Internet advertising based upon consumers' Internet search, surfing, or other use." They ask whether the companies correlate that data across other services or applications, and, if not, "what steps you take to make sure such correlation does not happen." They also seek assurances that the companies offer such targeted advertising as an "opt-in" service, and if not, asks how customers were notified of their opportunities to opt-out. The letter also expresses concern that these practices may violate the privacy protections contained in the Communications Act of 1934, the Cable Act of 1984, and the Electronic Communications Privacy Act. It also raises the prospect of new legislation "to ensure that the same protections apply regardless of the particular technologies or companies involved."

Letter from members of Congress to 33 telecom companies: http://markey.house.gov/docs/telecomm/letter_dpi_33_companies.pdf

Letter from senior members of Congress to Charter Communications: http://www.epic.org/privacy/dpi/051608charter_ltr.pdf

EPIC's page on Deep Packet Inspection and Privacy: http://www.epic.org/privacy/dpi/

Washington State Supreme Court rules in favor of privacy rights

Last week the Washington State Supreme Court ruled in favor of the privacy rights of teachers accused of sexual misconduct. The lawsuit was brought by 15 teachers asking the judiciary to prevent their districts from releasing their identities in response to a public-records request by The Seattle Times. The court, in 6-3 vote, sided with the accused teachers, finding that the names of teachers must be disclosed only in cases where sexual misconduct has been found or some form of discipline has taken place. In unsubstantiated cases, the details of any investigation may be disclosed - but with the teacher's name redacted, or blacked out. Justice Mary Fairhurst, for the majority, wrote: "The mere fact of the allegation of sexual misconduct toward a minor may hold the teacher up to hatred and ridicule in the community, without any evidence that such misconduct ever occurred." Justice Barbara Madsen dissented, writing that as a consequence of the court's ruling, "predatory teachers may go undetected and unpunished. But the most unfortunate consequence, and one that is completely unacceptable, is that if predatory teachers are undetected, children will continue to suffer at their hands."

Seattle Times Article: http://epic.org/redirect/080808_seattle.html

Decision: http://epic.org/redirect/080808_washington.html

EPIC Files Brief in Email Privacy Case

On August 1, 2008, EPIC submitted a brief in Bunnell v. MPAA, a privacy case pending in the Ninth Circuit Court of Appeals. EPIC's "friend of the court" brief supported enforcement of federal protections for email privacy. In Bunnell, a former TorrentSpy employee hacked the peer-to-peer search engine's corporate email server to copy private emails that were of interest to the MPAA, a motion picture industry group. The federal Wiretap Act bars unauthorized interception of electronic communications, and Bunnell, a TorrentSpy employee and victim of the email snooping, sued. Last year, a California federal trial court reasoned that emails secretly swiped en route to their final destination were not "intercepted" under the federal Wiretap Act because they were in milliseconds-long "storage" on an email server. EPIC argued that the federal law's language and legislative history reflect Congress' intent to prohibit exactly the sort of unauthorized email interceptions implicated by Bunnell. The Electronic Frontier Foundation and Stanford Law School's Center for Internet and Society also filed briefs in support of Bunnell and other TorrentSpy employees. EPIC previously advocated for email privacy protections in a similar case, U.S. v. Councilman. In Councilman, the First Circuit Court of Appeals agreed with EPIC, and ruled that the interception of e-mail in brief, temporary storage violates federal law.

EPIC's Brief: http://epic.org/privacy/bunnell/bunnell_amicus_final.pdf

EPIC page on Bunnell v. MPAA: http://epic.org/privacy/bunnell/

EPIC page on United States v. Councilman: http://epic.org/privacy/councilman/

The Wiretap Act: http://www4.law.cornell.edu/uscode/18/ch119.html

Google Launches Street View Surveillance Project in Australia

On August 4, 2008, Google Street View added Australia to its roster of countries subjected to 360-degree photographic surveillance. Google Street View enables users to view and navigate 360-degree street level imagery originally taken from cameras mounted on vehicles. In the past, Google Street View has posted compromising images that remain publicly available until someone files an online complaint. Privacy advocates worry that Google's images invade an individual's right to privacy. The Australian Privacy Foundation's expressed concerns regarding: the posting of individuals' images on the Internet without their consent; the unwanted identification of individuals' presence in a specific location; and the use of inappropriate or illegal photo collection techniques.

Google Street View Australia: http://maps.google.com.au/help/maps/streetview/

Australian Privacy Foundation's Policy on Google Street View: http://www.privacy.org.au/Papers/StreetView-0804.html

Policy Framework for Analyzing Location Privacy Issues: http://epic.org/privacy/location/jwhitelocationprivacy.pdf

Massachusetts considers bill that includes breach notification

Massachusetts is considering a bill that would create a notification requirement for medical records breaches. The legislation - H4974/S2863, An Act to Promote Cost Containment, Transparency and Efficiency in the Delivery of Quality Health Care - has passed the senate and is awaiting the approval of the house. It includes privacy and data security protections within a statewide electronic medical records system, including notice of unauthorized disclosures of health information, providing patients an audit trail of who has accessed their records, and requiring that participation in an electronic medical record system be based on patient permission. H4974 has been applauded by the Aids Action Committee of Massachusetts for its strong protection of patient privacy, which is of particular concern to people with HIV/AIDS.

S2863: http://www.mass.gov/legis/bills/senate/185/st02/st02526.htm

Amendments Proposed by the House: http://www.mass.gov/legis/bills/house/185/ht04pdf/ht04974.pdf

EPIC article on medical records privacy: http://epic.org/privacy/medical/

AIDS Action Committee of Massachusetts Press Release: http://www.aac.org/site/News2?page=NewsArticle&id=19335

Soviet Dissident, Author, and Nobel Peace Prize Winner Laid To Rest

Alexander Solzhenitsyn, the Russian dissident and Nobel Peace Prize winner who exposed the horrors of the Soviet Gulag, died this week. Solzhenitsyn, who spent eleven years in the Gulag system soon after World War II, is best known for his massive study of the labor camps, "The Gulag Archipelago," as well as novels like "A Day In the Life Of Ivan Denisovich," a simple but detailed description of one day in a camp prisoner's life. Solzhenitsyn wrote powerfully about state surveillance. Justice Douglas cited Solzhenitsyn in a famous dissent in a Supreme Court case concerning the chilling effects of police surveillance of political protest. There is also a famous passage in The Cancer Ward that was later cited in the 1973 HEW Report, "Records, Computers and the Rights of Citizens," and David Burnham's "The Rise of the Computer State."

"As every man goes through life he fills in a number of forms for the record, each containing a number of questions . . . There are thus hundreds of little threads radiating from every man, millions of threads in all. If these threads were suddenly to become visible, the whole sky would look like a spider's web, and if they materialized like rubber bands, buses and trams and even people would lose the ability to move and the wind would be unable to carry torn-up newspapers or autumn leaves along the streets of the city."

Washington Post: Solzhenitsyn Buried in Moscow http://epic.org/redirect/080808_wapo.html

Laird v. Tatum, 408 U.S. 1 (US 1972) http://supreme.justia.com/us/408/1/case.html

Records, Computers, and the Rights of Citizens (HEW 1973) http://www.epic.org/privacy/hew1973report/c3.htm

Freedom Not Fear: International Campaign Against Surveillance Mania

On October 11, 2008 the Electronic Privacy Information Center (EPIC) together with many people and organizations from around the world will take to the streets in a peaceful and creative action. Under the motto "Freedom Not Fear 2008", large demonstrations will include DJs, parties, art festivals, workshops of privacy enhancing technologies, and protest marches against data retention practices. "Freedom Not Fear 2008" will take place in more than 30 capital cities including Washington DC. This worldwide campaign seeks to raise awareness for the need of greater freedom and democracy all over the World requesting: Cutback on surveillance; Evaluation of existing surveillance powers; Moratorium for new surveillance powers; Guaranteeing privacy, freedom of expression and information on the Internet. To join the campaign in the United States, please send a message to EPIC at thepublicvoice[at]datos-personales[dot]org

Freedom Not Fear International Action Overview: http://www.freedom-not-fear.eu/

The Freedom Not Fear Wiki: http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2008

Get involved: Local organizers and media contacts: http://epic.org/redirect/080808_involved.html

The Public Voice, Freedom not Fear Campaign: http://www.thepublicvoice.org/events/freedom-not-fear-08

"Batman: The Dark Knight"

As a summer full of nefarious privacy invasions draws to a close, EPIC thought it could afford a brief vacation. "Why so serious?" we asked, as we hung up our identity-protecting mask and joined the anonymous masses looking for escapism. But The Dark Knight only reminded us that the anti-privacy villains never take a vacation. When they're hard to identify, it's just because they're hiding in costume.

In this comic-book world, as in the real world, the anti-privacy villains pose the biggest threat when they dress up as heroes. The ambivalence that Gothamites feel toward Batman's high-tech terror-fighting techniques is a central theme of the movie. The bat-cave features all the worst ideas invented by modern law-enforcement-surveillance cameras (bought from L-1?) that map facial features, imaging technology that knows no boundaries, fusion-center-like dossiers on every Gothamite, and the wiretapping of millions of cell phones. "Spying on 30 million people isn't part of my job description," retorts Batman's accomplice Lucius, when Batman tries to turn him into a Poindexter with sole control over these tools. "You've turned every cell phone in Gotham into a microphone." Art imitates life so well, it must have been spying on it.

Batman prefers to keep his identity private, and EPIC defends the right of all superheroes to do so. And Gotham's press, police and general population take the same position-as long as it makes them safer. But when the Joker blackmails the city in exchange for Batman's real name, Gotham's principled commitment to privacy goes up in chaos. Thankfully, real-life privacy hero Senator Patrick Leahy, who never hides his views in a costume, enters briefly to take a courageous pro-privacy stand, telling the Joker to his face, "We're not intimidated by thugs."

If only we were still living in a comic book in the '50s, where doing good meant fighting crime, and we knew exactly who the criminals were! But after 9/11, that comic-book world-view sorely needed an update, and Dark Knight provides it. The movie leaves us confused as to the identity of the real bad guy: whether the real threat to Gotham is the terrorist-mob, still making headlines but long on the wane, or Batman, who leads a high-tech but invasive attack on that mob. We also wonder whether the Joker can cow the public with enough high-profile threats that they will willingly betray their most cherished values. "When the chips are down, these civilized people, they'll eat each other," laughs the Joker in a line that has been widely quoted. What deserves greater mention is that when the Joker puts them to the test, they do not.

-- Andrew Gradman

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC 2007). Price: $50.

http://www.epic.org/bookstore/foia2006

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 23nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books http://www.powells.com/bookshelf/epicorg.html

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at: https://mailman.epic.org/cgi-bin/control/foia_notes

Data Privacy in APEC: privacy in global transactions. August 11-12. Lima, Peru http://www.osiptel.gob.pe/apec2008/dataprivacy2/index.htm

APEC Privacy Sub Enhancing Group Meeting. August 13-16. Lima-Peru http://www.osiptel.gob.pe/apec2008/dataprivacy2/index.htm

The Privacy Symposium - Summer 2008: An Executive Education Program on Privacy and Data Security Policy and Practice, August 18-21, 2008, Harvard University, Cambridge, MA. For more information: http://www.privacysummersymposium.com/

Latin America & The Caribbean Regional Preparatory Meeting for IGF. August 20, Montevideo, Uruguay. http://lacnic.net/en/eventos/mvd2008/igf.html

Privacy Awareness Week. August 24, 2008. Australia, New Zealand, Hong Kong, Korea and Canada. For more information: http://www.privacyawarenessweek.org/paw

The Third International Conference on Legal, Security and Privacy Issues in IT. September 3-5, Prague, Czech Republic http://www.lspi.net/

Youth Privacy Online: Take Control, Make It Your Choice! September 4, 2008, Eaton Centre Marriott, Toronto. For more information: http://www.ipc.on.ca

Access to Information: Twenty-five Years on. September 8, Minto Suites Hotel, Ottowa. For more information: http://www.rileyis.com/seminars/

The third annual Access to Knowledge Conference (A2K3). September 8-10, Geneva, Switzerland http://isp.law.yale.edu/

High Level Expert Conference: Towards a European Policy on RFID. September 9, Brussels, Belgium http://www.rfid-in-action.eu/conference

Workshop on Applications of Private and Anonymous Communications. September 22, 2008. Istanbul, Turkey. For more information: http://www.alpaca-workshop.org/

World Summit on the Knowledge Society. September 24-28, Athens, Greece http://www.open-knowledge-society.org/summit.htm

Europe-wide action day "Freedom not fear." October 11, 2008. Multiple sites. For more information: http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2008

International Symposium on Data Protecion in Social Networks. October 13, 2008, Strasbourg. For more information: http://epic.org/intsymposium_sns.html

30th International Data Protection and Privacy Conference: Protecting Privacy in a Borderless World. October 15-17, 2008, Strasbourg. For more information: http://www.privacyconference2008.org

European Dialogue on Internet Governance (EuroDIG). October 20-21, Strasbourg, France http://www.eurodig.org/

Privacy in Social Network Sites Conference October 23-24, 2008. Delft University of Technology, Faculty of TPM, The Netherlands. For more information: http://www.ethicsandtechnology.eu

Third Internet Governance Forum. December 3-6, 2008. Hyderabad, India. For more information: http://www.intgovforum.org

Tilting perspectives on regulating technologies, Tilburg Institute for Law and Technology, and Society, Tilburg University. December 10-11, Tilburg, Netherlands http://www.tilburguniversity.nl/tilt/conference

Subscribe/unsubscribe via web interface:

https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:

http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at: http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

.