WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2008 >> [2008] EPICAlert 17

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 15.17 [2008] EPICAlert 17

E P I C A l e r t

Volume 15.17 August 25, 2008
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents
[1] Watch List Decisions Are Subject to Court Review
[2] EPIC Demands Accuracy for Employment Eligibility Database
[3] Privacy 08 Campaign Underway
[4] APEC Data Privacy Group Meets in Lima, Peru
[5] ACTION ITEM: Signon - Civil Society Seoul Declaration
[6] News in Brief
[7] EPIC Bookstore: “Born Digital"
[8] Upcoming Conferences and Events - Subscription Information - Privacy Policy - About EPIC - Donate to EPIC - Support Privacy '08

[1] Watch List Decisions Are Subject to Court Review

On August 18, 2008, a federal court ruled that airline passengers who are on no-fly lists can sue to clear their names. In Ibrahim v. Dep't of Homeland Security, the Ninth Circuit Court of Appeals held that federal trial courts can hear complaints from individuals who are named on the government's air travel watch lists. The ruling states that trial courts are the proper venues for such challenges, because the lists are maintained by the Terrorist Screening Center, a federal entity separate from the Transportation Security Administration (TSA). Federal trial courts cannot hear challenges to TSA orders. The decision promises to increase judicial oversight of the "no-fly list" and other federal aviation watch lists.

At least one lawsuit followed swiftly on the heels of the Ibrahim decision. Erich Scherfen, a commercial pilot and Gulf War veteran, has filed a complaint in Pennsylvania federal court challenging his inclusion on a government watch list. Scherfen wants a judge to order his name removed from the list, and alleges that time is of the essence - his employer suspended him based on his inclusion on the list. Scherfen further argues that he attempted to rectify the situation through the Dep't. of Homeland Security's suggested procedure, but was stymied by the agency's unwillingness to delete his name, or even acknowledge that his name appears on a watch list.

Air travel watch lists include at least 400,000 names, and can prevent flyers from boarding planes. Several high-profile cases have highlighted watch list inaccuracies, including errors involving Senator Edward Kennedy, military veterans, and former high-ranking federal officials. The watch lists are filled with incorrect data and generate many false positives, but adverse determinations are virtually impossible to challenge. Homeland Security Secretary Michael Chertoff has objected to court oversight, but refuses to disclose the details behind the lists.

EPIC previously documented numerous errors and complaints regarding air travel watch lists. EPIC obtained more than a hundred complaints filed by irate passengers who felt they had been incorrectly identified for additional security or were denied boarding. The complaints describe the bureaucratic maze passengers find themselves in if they happen to be mistaken for individuals on the lists. In one case, the federal government directed an aggrieved passenger to contact the airline. In another case, an airline directed a passenger to contact the federal government. The litany of problems is long, but all point to a lack of transparency and due process in the operation of the watch lists.

The government administers three lists: a "terror watch list," a "selectee" list, and a "no fly" list. The "selectee" list requires passengers to go through additional security measures. The "no fly" list prohibits passengers from flying altogether. The names are provided to air carriers through Security Directives or Emergency Amendments and are stored in their computer systems so that an individual with a name that matches the list can be flagged when getting a boarding pass. A "no fly" match requires the agent to call a law enforcement officer to detain and question the passenger. In the case of a Selectee, an "S" or special mark is printed on their boarding pass and the person receives additional screening at security. Federal officials have refused to describe selection criteria in detail, and have failed to implement open and transparent procedures for correcting watch list errors.

Ninth Circuit Ruling in Ibrahim v. Dep't. of Homeland Security:

EPIC's "Air Travel Privacy" page:

EPIC's Analysis of Watchlist Errors and Complaints:

EPIC, "Travelers Continue to Struggle With Wrongful Watch List Matches"

[2] EPIC Demands Accuracy for Employment Eligibility Database

EPIC argued for privacy protections for federal contractor employees in August 11 comments to a proposed rule issued by the General Services Administration (GSA). The proposed rule would change the Federal Acquisition Regulations (FAR) -- which govern federal contracts -- to require that certain contractors be mandated to use the E-Verify system. The E-Verify system is a web-based service run by the Department of Homeland Security and the Social Security Administration that compares worker's information to several government databases. EPIC recommended fixing database errors, applying Privacy Act protections, and exempting current employees before implementing the rule.

The proposed rule is implementing a Bush administration executive order creating these mandates for Federal contractors following earlier failed attempts to mandate verification. Congress last year considered but rejected mandating verification nationwide. A court in California stopped a DHS administrative initiative requiring employers to fire employees for which they received "no match" letters.

Contractors will have to process all of their new hires as well as current employees directly working on contracts via the E-Verify system. The rule is expected to cover nearly 170 thousand contractors leading to the processing of 3.8 million workers. Contracts which include work in the United States, are greater than 3000 dollars, and are not for commercially available off the shelf items are covered. An expansion of E-Verify has severe implications for national and individual security, civil liberties and privacy. The Government Accountability Office has detailed several problems associated with implementing mandatory employment verification.

EPIC recommended fixing database errors. Independent studies have found that up to 42% of negative responses, termed "non-confirmations," are erroneous. The Social Security Inspector General estimates that 17 million records in its databases have errors. Further, some of the systems that E-Verify checks are exempt from Privacy Act protections. The Treasury Enforcement Communications System (TECS) is exempt from requirements that citizens be able to access their data, correct their data, and that data be kept reliably. EPIC recommended that these exemptions be lifted before expanding E-Verify. Further, EPIC recommended exempting current employees from the mandate, as the E-Verify system is based on law covering hiring and recruiting, not retaining employees.

EPIC Comments:

E-Verify Proposed Rule:

Executive Order 12989:

EPIC Spotlight on Surveillance - Electronic Employment Verification:

[3] Privacy 08 Campaign Underway

With the Presidential Conventions beginning this week, EPIC has launched the Privacy 08 Campaign, a nonpartisan effort to promote privacy discussions during the the 2008 Presidential campaign.

Voters of the 21st Century are experiencing a revolution in the way they engage and are engaged by the electoral process. Election officials are using the Internet as a tool to enhance the information services provided to voters. Campaigns are using the Internet as a more efficient means of targeting voters for messaging and solicitation of financial support. And for the first time, individual voters and advocacy organizations are empowered by the Internet to speak directly to the electorate, candidates, and policymakers through their own messaging. Because the Internet bypasses traditional media outlets like television, radio, and newspapers, the ability to present issues in context is an additional benefit. Web blogs, instant messaging, e-mail, YouTube, and web publishing are just a few of the ways the American electoral experience has changed from just 4 years ago.

Privacy 08’s Facebook page provides a platform for providing consumer advocacy views on key privacy issues such as domestic surveillance, employment verification, citizen dossiers, secret databases, identity theft, health information technology, micro targeting, and Social Networking.

Facebook is featured because it offers a platform that is easy to find and allows collaboration among participants. EPIC has noted the challenges faced by Facebook users regarding the privacy of information they share, while not recommending suspension of use of the web resource. This technology is proving to be of utility to millions of Internet users, which means that the privacy ramifications must be addressed in a concrete way.

The 2008 Presidential candidates -- Former Congressman Bob Barr, Senator McCain, Ralph Nader, and Senator Obama -- have made several statements about privacy, though perhaps not as much as had been hoped. Key concerns about the future of the Patriot Act, the power of Homeland Security, and the need to create meaningful privacy for Internet users have yet to be addressed. Learn more about where the candidates stand. Visit their issue pages, search for privacy, and compare their positions. Then vote!

Privacy 08 Facebook:

Democratic National Convention, August 25-28, 2008:

Republican National Convention, September 1-4, 2008:

Bob Barr, "Barr Blasts McCain, Obama for Supporting National ID, Again Urges Congress to Repeal Real ID Act" (August 1, 2008):

Bob Barr, "Federal Government Must Respect Americans’ Civil Liberties and Privacy" (July 31, 2008):

Bob Barr, "Privacy and Surveillance":

John McCain, "Ensuring the Personal Security and Privacy of Americans in the Digital Age" (August 14, 2008):

Ralph Nader, "Civil Liberties:"

Barack Obama, "Safeguard Our Right to Privacy:"

[4] APEC Data Privacy Group Meets in Lima, Peru

On August 12 & 13, the Peruvian Economy of the Asia Pacific Economic Cooperation (APEC) Forum hosted the Second Technical Assistance Seminar on the International Implementation of the APEC Privacy Framework 2008 “Data Privacy in APEC: Enhancing privacy in global transactions," to coincide with the APEC Data Privacy Sub-Group meeting and the 18th APEC Electronic Commerce Steering Group held in Lima, Peru on August 14-16.

The workshops brought together APEC member economies to discuss the practical mechanisms for the international implementation of the APEC Privacy Framework, including the Data Privacy Pathfinder projects.

China and Singapore both endorsed the Data Privacy Pathfinder and China indicated it will participate in the testing phase of the Pathfinder. Furthermore, 16 economies are now participating in the Pathfinder Project and six economies have developed or are considering developing domestic frameworks that refer to the APEC Privacy Framework: Australia, Canada, New Zealand, Philippines, Vietnam, and Korea. It will be very important for civil society to assess whether these proposals weaken the existing level of privacy protection.

In another note, the APECs Electronic Commerce Study Group (ECSG) agreed to grant ad hoc membership for Privacy International and the Electronic Privacy Information Center (EPIC), with each organization to apply for guest status before each meeting. This position was adopted with the understanding that it will be revisited after an assessment of the arrangement´s long-term viability. This opportunity will give an independent consumer voice to try to balance those of business interests.

APEC Technical Assistance Seminar website (including presentations):

APEC Data Privacy Sub Group of the Electronic Commerce Steering Group:

Implementation of the APEC Privacy Framework: Global Privacy Solutions for Cross Border Data Transfers:

APEC Data Privacy Pathfinder:

The Public Voice Project:

Privacy Law Sourcebook 2004:

[5] ACTION ITEM: Signon - Civil Society Seoul Declaration

A diverse group of civil society organizations and individuals from the Public Voice Coalition worked on a joint Civil Society Declaration to the OECD 2008 Ministerial Meeting on the Future of the Internet Economy, which took place in Seoul on June 2008. This document raises a number of issues of major importance to the civil society community and makes a number of recommendations to move us towards the future of the Internet that meets the essential needs of all the world's citizens. We urge all Internet users and potential Internet users to support the Civil Society Seoul Declaration as this document will be submitted as a "room document" in the next OECD Committee for Information, Computer and Communications Policy (ICCP) meeting on 11-12 December 2008. We would like to keep pushing for the implementation of the Civil Society Seoul Declaration within the OECD ICCP work.

The declaration is open for sign on by civil society organizations and individuals until October 10, 2008 (Human Rights Day). The declaration has been signed by (so far) 86 organizations and 99 individuals. See the list of signatories at:

ACTION - Sign the Declaration here:

OECD Civil Society Forum in Seoul and The Civil Society Seoul Declaration in different languages:

Facebook: The Public Voice Group:

[6] News in Brief

ICANN: Privacy enhancing registration of WHOIS Services

On June 18, 2008, the Internet Corporation for Assigned Names and Numbers (ICANN) published draft proposed changes to the Registrar Accreditation Agreement (RAA) in order to endorse privacy and data protection enhancing registration services. This amendment helps protect the personal data of the TLD registrants that is stored in the WHOIS Database. The ICANN Board of Directors passed a resolution in San Juan to solicit community input related to RAA amendments and open the call for public comment until August 4, 2008. On August 1, the US Department of Commerce criticized the proposed language arguing that ICANN should study the legitimate uses of WHOIS data and that those changes are contrary of what was suggested by the Government Advisory Committee (GAC).

The WHOIS database, originally intended to allow network administrators to find and fix problems with minimal hassle to maintain the stability of the Internet, now exposes domain name registrants' personal data to spammers, stalkers, criminal investigators, and copyright enforcers. Proxy and privacy services could help protect individuals from the indiscriminate use of their personal information available openly in the WHOIS online database.

Draft Proposed Changes to Registrar Accreditation Agreement:

US Department of Commerce Comments on the Draft proposed Changes to RAA:

IGP: The US Government Tugs the Reins on ICANN, Again:

EPIC page on WHOIS:

Warrantless Wiretapping Case Returns to Trial Court

A lawsuit challenging AT&T's participation in President Bush's warrantless wiretapping program was sent back to trial court. The lawsuit, Hepting v. AT&T, arises from the government's surveillance of Americans' telephone and Internet communications in apparent violation of the Constitution and federal privacy laws. Telecom companies, including AT&T, helped the government spy on Americans, despite the absence of court authorization. Federal officials kept the wiretapping scheme secret for some time. The New York Times first made the spy plan's existence public in December 2005. The next month, Hepting, a class-action case, was brought on behalf of multiple individuals.

The trial court will apply newly passed federal law to the case. Recently, Congress amended the Foreign Intelligence Surveillance Act, the law that governs domestic wiretaps. The new law provides immunity for corporations' participation in the governments' warrantless wiretapping activities if certain conditions are met. In 2007, EPIC filed a "friend-of-the-court" brief in collaboration with the Stanford Constitutional Law Center, supporting judicial review of the domestic spy program.

Appeals Court Decision Returning Hepting v. AT&T to Trial Court:

EPIC's Hepting v. AT&T Page:

Internet Corporations Reveal Snooping Plans, Identify Privacy Threats

In response to a request from senior members of Congress, 33 internet companies have detailed how they spy on users' behavior. The statements respond to inquiries from lawmakers regarding companies' efforts to monitor their customers generally, as well as the corporations' specific practices regarding particular behavioral advertising techniques that impinge on consumer privacy and may run afoul of federal law. The documents describe a variety of surveillance techniques, ranging from internet service providers capturing users' full browsing activities to search engines creating detailed records of web surfers' online behavior. EPIC has identified substantial threats to consumers' privacy that arise from these programs.

The disclosures come at a time of heightened scrutiny for companies that spy on their users' online habits. Congressmen recently criticized Charter Communications' plan to perform Deep Packet Inspection (DPI) of its customers' internet traffic, challenging its legality under the federal Wiretap Act and the Cable Television Privacy Act. Charter subsequently dropped the plan. In July, another internet service provider, Embarq, shut down its partnership with NebuAd, a DPI technology provider, after lawmakers raised similar criticisms.

33 Companies Detail Their Monitoring Practices:

EPIC's Search Engine Privacy Page:

Microsoft May Introduce New Privacy Tools

Records obtained from the US Patent and Trademark office suggest that Microsoft may introduce new privacy features in the next version of Internet Explorer. According to the patent application, Cleartracks are "computer programs for accessing and using the Internet and the World Wide Web, and computer programs for deleting search history after accessing Web sites." A second service, dubbed InPrivate, involves "computer programs for disabling the history of file caching features of a Web browser, and computer software for notifying a user of a Web browser when others are tracking Web use and for controlling the information others can access about such use."

Although privacy remains a key concern for the design of browser software, major Internet firms have had little success so far with strong privacy tools. Microsoft's orginal platform for privacy was P3P; there are many privacy and security add-ons for Firefox, but the defaults are not privacy friendly and Google discourages the use of the most popular privacy tools for Firefox.

Microsoft, IE8 and Trustworthy Browsing:

Internet Explorer8 Beta:

Virginia Court Finds Free Speech Rights in Publication of SSN

A federal judge upheld the right of a privacy advocate to post the Social Security Numbers, obtained from public records, of prominent people and court officials to demonstrate that the state of Virginia failed to protect privacy. Judge Robert Payne, in strking down the state law that limits the publication of the SSN, wrote "It is difficult to imagine a more archetypal instance of the press informing the public of government operations through government records than Ostergren's posting of public records to demonstrate the lack of care being taken by the government to protect the private information of individuals."

Ostergren v. McDonnell, No. 3:2008cv00362 (Va. E.D. August 22, 2008)


[7] EPIC Bookstore: “Born Digital"

"Born Digital: Understanding the First Generation of Digital Natives," by John Palfrey and Urs Gasser

[From the publisher]

"The most enduring change wrought by the digital revolution is neither the new business models nor the new search algorithms, but rather the massive generation gap between those who were born digital and those who were not. The first generation of “digital natives”-children who were born into and raised in the digital world-is now coming of age, and soon our world will be reshaped in their image. Our economy, our cultural life, even the shape of our family life will be forever transformed. But who are these digital natives? How are they different from older generations, and what is the world they’re creating going to look like? In Born Digital, leading Internet and technology experts John Palfrey and Urs Gasser offer a sociological portrait of this exotic tribe of young people who can seem, even to those merely a generation older, both extraordinarily sophisticated and strangely narrow. Based on original research and advancing new theories, Born Digital explores a broad range of issues, from the highly philosophical to the purely practical: What does identity mean for young people who have dozens of online profiles and avatars? Should we worry about privacy issues? Or is privacy even a relevant value for digital natives? How does the concept of safety translate into an increasingly virtual world? Is “stranger-danger” a real problem, or a red herring? A smart, practical guide to a brave new world and its complex inhabitants, Born Digital will be essential reading for parents, teachers, and the myriad of confused adults who want to understand the digital present-and shape the digital future."

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC 2007). Price: $50.

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 23nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:


[8] Upcoming Conferences and Events

Privacy Awareness Week. August 24, 2008. Australia, New Zealand, Hong Kong, Korea and Canada. For more information:

The Third International Conference on Legal, Security and Privacy Issues in IT. September 3-5, Prague, Czech Republic

Youth Privacy Online: Take Control, Make It Your Choice! September 4, 2008, Eaton Centre Marriott, Toronto. For more information:

Access to Information: Twenty-five Years on. September 8, 2008, Minto Suites Hotel, Ottowa. For more information:

The third annual Access to Knowledge Conference (A2K3). September 8-10, 2008, Geneva, Switzerland

High Level Expert Conference: Towards a European Policy on RFID. September 9, 2008, Brussels, Belgium

Workshop on Applications of Private and Anonymous Communications. September 22, 2008. Istanbul, Turkey. For more information:

World Summit on the Knowledge Society. September 24-28, 2008, Athens, Greece

Telecommunications Polucy Roundtable. September 26-28, 2008, George Mason University School of Law, Arlington, Virginia.

Europe-wide action day "Freedom not fear." October 11, 2008. Multiple sites. For more information:

International Symposium on Data Protecion in Social Networks. October 13, 2008, Strasbourg. For more information:

30th International Data Protection and Privacy Conference: Protecting Privacy in a Borderless World. October 15-17, 2008, Strasbourg. For more information:

European Dialogue on Internet Governance (EuroDIG). October 20-21, 2008, Strasbourg, France

Privacy in Social Network Sites Conference October 23-24, 2008. Delft University of Technology, Faculty of TPM, The Netherlands. For more information:

Third Internet Governance Forum. December 3-6, 2008. Hyderabad, India. For more information:

Tilting perspectives on regulating technologies, Tilburg Institute for Law and Technology, and Society, Tilburg University. December 10-11, Tilburg, Netherlands

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

Support Privacy '08

If you would like more information on Privacy '08, go online and search for "Privacy 08". You'll find a Privacy08 Cause at Facebook, Privacy08 at Twitter, a Privacy08 Channel on YouTube to come soon, and much more. You can also order caps and t-shirts at CafePress Privacy08.

Start a discussion. Hold a meeting. Be creative. Spread the word. You can donate online at Support the campaign.

Facebook Cause:



END EPIC Alert 15.17


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback