EPIC Alert
EPIC held a Privacy '08 event at the National Press Club on September 5, 2008. At the event, Bob Barr, the Libertarian Party candidate for President of the United States, addressed privacy concerns facing the American public.
Congressman Barr spoke about laptop searches at borders, government surveillance of U.S. citizens, immunity for telecom companies and online data tracking. Barr further highlighted that the otherwise vigorous Presidential debate neglected to address issues of Constitutional rights and civil liberties. Privacy issues were not even raised. Barr exhorted the candidates to debate wiretapping and surveillance and urged the public to challenge the next leader to articulate a position on how citizens' privacy interfaces with the government's need to promote industry and prevent crime.
The federal government has been spending an increased amount of money on surveillance technology and programs at the expense of other projects. However, citizens have not been fully informed of the extent of government surveillance. Barr promised to reverse the anti-privacy trend and favor data protection. He compared the protection of privacy to the protection of property and stressed that both needed to be afforded similar legal rights.
Congressman Barr further highlighted that recent suggested statutory changes indicated the continual erosion of privacy rights. Speaking on this issue, he cited the amendments to the Foreign Intelligence Surveillance Act, the Patriot Act and the Real ID Act and said that Congress had been largely responsible for perpetuating privacy invasions. He suggested that remedial action begin with open discussion and an acknowledgement of the concerns raised by warrantless surveillance and data collection.
Barr stated that privacy involved a wide range of issues and any scheme would need a multifaceted approach because not only individuals are affected, but also trade and commerce, corporate efficiency and law enforcement, both in the United States and abroad. Barr supported initiating the process by bringing great focus on privacy issues and then encouraging discussion.
Privacy '08 is a nonpartisan effort to promote privacy discussions during the 2008 Presidential campaign. It encourages voters to take an active interest in privacy as an election issue. The campaign aims to encourage discussion among the public and the candidates.
A panel of three members of the media consisting of Charlie Savage of the New York Times, Christine Mumford of the Bureau of National Affairs and Julian Sanchez of Ars Technica was present. The event opened with a discussion on the concentration of power in the hands of the government and whether this concern was being addressed in the presidential debates.
EPIC's Privacy 08 campaign page: http://privacy08.org/
Privacy '08 Facebook Cause: http://apps.new.facebook.com/causes/causes/show/80487
Support Privacy '08: https://www.causes.com/fb/donations/new?cause_id=80487
Bob Barr's Presidential campaign website: http://www.bobbarr2008.com/
EPIC Associate Director Lillie Coney testified at a Congressional hearing on "Ensuring America's Security: Cleaning Up the Nation's Watchlists." EPIC testified that there are three primary problems with the security watchlists. First, the databases in the system are not subject to the full safeguards of the Privacy Act of 1974, as the Transportation Security Administration (TSA) has sought wide-ranging exemptions for the record system and private companies engaged by the agency are not subject to the Privacy Act. As a result, legal safeguards that help ensure accuracy and accountability in other databases are absent from the watchlist system.
The second flaw of the program aggravates the issue further -- the security watchlists on which the system is based are riddled with inaccurate and obsolete data. Documents obtained by EPIC under the Freedom of Information Act in September 2005 revealed travelers' struggles with watchlist errors. The situation has not changed materially and recent news continues to reveal more incidents of false positives and harrowing experiences of legitimate travelers.
Third, the existence of the Registered Traveler program may become a textbook example of "Security Theater." Further, the approach is triggering typical hallmarks of "mission creep" - the databases of personal information collected by private sector companies will be used for purposes other than originally intended - aviation security. The TSA has outsourced the vetting of bona fide air-travelers to Verified Identity Pass, Inc. (Verified ID), a privately held company running The Clear Registered Traveler program (Clear).
EPIC recommended that DHS employ the expertise of a human factors expert to revamp the TRIP query process to help limit the data collection process to only those affected by watchlist issues; the agency should be prohibited from exempting itself from Privacy Act obligations; the process for citizens and non-citizens should be clear and governed by a series of questions. The information presented should make it clear if it is intended for a citizen or non-citizen. The information collected should only apply to that category; respondents should be told their rights and protections afforded to them; over-collection of data should be prohibited; and agency personnel, airlines, and contractors should be held accountable by Privacy Act civil and criminal penalties or held to contractual obligations with the equivalent effect.
EPIC has testified before Congressional committees and submitted extensive agency comments regarding the development and use of watchlists, the passenger redress program, and secure flight.
EPIC Privacy Act Page: http://epic.org/privacy/1974act/
EPIC Spotlight on Surveillance: Secure Flight: http://epic.org/privacy/surveillance/spotlight/0807/default.html
EPIC Spotlight on Surveillance: Problem Filled Traveler Redress Program: http://epic.org/privacy/surveillance/spotlight/1106/default.html
House Committee on Homeland Security Hearing: http://homeland.house.gov/Hearings/index.asp?ID=163
EPIC's Air Travel Privacy Page: http://epic.org/privacy/airtravel/
On September 10, 2008, a federal court in the District of Columbia heard arguments in a challenge to telephone privacy regulations. At issue is an April 2, 2007 Federal Communications Commission order that protects consumers' telephone record information. The federal rule requires telephone companies to obtain affirmative, opt-in consent from customers before they disclose personal information to outside corporations. The National Cable & Telecommunications Association challenged the privacy rule, claiming that companies have a free speech interest in disclosing their customers' personal information without their opt-in consent. The industry group asked the court to invalidate federal regulators' opt-in requirement, and replace it with an opt-out regime, which provides less protection for customers' privacy.
On May 6, 2008, EPIC filed a "friend of the court" brief in the case urging support for opt-in safeguards for telephone customers. The brief was filed on behalf of consumer and privacy organizations, technical experts, and legal scholars. "Consumers have a legitimate expectation of privacy with respect to sensitive personal information such as whom they call on a telephone," the brief said. "An opt-out policy would provide neither adequate protection for consumer data nor sufficient notice to consumers." The case is presently pending before the U.S. Court of Appeals for the District of Columbia Circuit.
The FCC rule prohibits companies from sharing "customer proprietary network information" with third parties without a consumer's opt-in consent. Customer proprietary network information (CPNI) is the data collected by telecommunications corporations about a consumer's telephone calls. It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer's telephone bill. EPIC has detailed the privacy violations that have resulted from unauthorized disclosure of CPNI. Such violations include pretexting, stalking, and the widespread sale of individuals' phone records on the Internet.
The Telecommunications Act of 1996 required telecommunications companies to obtain customers' approval prior to sharing their CPNI with third parties. However, there was a difference of opinion on the interpretation of "approval." EPIC and other privacy advocates and consumer rights groups argued that "approval" required that a consumer give positive, express consent to the sharing of information: that is, to "opt-in" to the marketing scheme. Telecommunications industry entities supported a presumption of consent -- an opt-out system. The FCC rule clarified that the law requires "opt-in consent." The National Cable and Telecommunications Association challenged the FCC rule, alleging that corporations had a First Amendment right to share CPNI with third parties for marketing purposes.
EPIC has a long history of supporting privacy safeguards in this area. In 2000, EPIC filed a friend of the court brief in US West v. FCC, the first case that considered privacy safeguards for CPNI information. More recently, in August 2005, EPIC filed a petition urging the FCC to require security measures to protect access to CPNI from pretexters and other unauthorized parties. In July 2007, EPIC filed detailed comments asking the FCC to implement additional safeguards for consumer telecommunications data. EPIC's proposals included encryption of CPNI, the implementation of audit trails, and limitations on data retention.
EPIC's "friend of the court" brief in NCTA v. FCC: http://epic.org/privacy/nctafcc/epic-ncta-050608.pdf
EPIC's NCTA v. FCC Web Page: http://epic.org/privacy/nctafcc/
EPIC, US West v. FCC -- The Privacy of Telephone Records http://epic.org/privacy/litigation/uswest/
FCC Order Regarding CPNI opt-in: http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-07-22A1.pdf
EPIC's 2005 Petition to the FCC: http://www.epic.org/privacy/iei/cpnipet.html
EPIC's July 9, 2007 Comments to the FCC: http://epic.org/privacy/cpni/cpni_070607.pdf
EPIC Executive Director Marc Rotenberg spoke at the European Parliament on September 8 at a conference for Internet bloggers on "EU Protection of Privacy and Consumers Rights in the Age of the Internet." European Parliament Members Stavros Lambrinidis and Mary Matsouka sponsored the meeting. Mr. Rotenberg discussed the recent efforts of EPIC to promote discussion about privacy in the context of the U.S. Presidential elections through the Privacy '08 campaign.
Invited speakers included Mr. Tony Bunyan of Statewatch, Mr. Benjamin Henrion of the Foundation for a Free Information Infrastructure, European Parliament Member Sophia in't Veld, Mr. Christophe Espern of the "Squaring the Net" group, Mr. Emilio De Capitani, the Head of Secretariat of the Civil Liberties, Justice and Home Affairs Committee, and Mr. Peter Hustinx, the European Data Protection Supervisor.
The European Parliament also hosted a meeting to consider proposed amendments to the European Union Directive for Privacy in Electronic Communications. The 2002 Directive covers a wide range of communications activities. Proposed amendments address such topics as the scope of personally identifiable information, security breach notification and data retention.
And Google's proposal to reduce data retention to 9 months was greeted with some skepticism when the details of the search giant's procedures for "anonymization" were examined.
EU Directive 2002/58/EC on Data Protection and Privacy: http://epic.org/redirect/091208_eu.html
Google, "Another Step to Protect User Privacy": http://epic.org/redirect/091208_google.html
Google Response to Article 29 Working Party, September 8, 2008: http://epic.org/redirect/091208_google_response.html
US News & World Report, "Google's Supposed Enhancements to Privacy are 'Totally Worthless'": http://epic.org/redirect/091208_us_news.html
European Digital Rights Initiative: http://www.edri.org/
Privacy advocates also criticized Chrome's data collection practices, which collect detailed information about users' online behavior. By default, the Google browser collects every keystroke entered into the address bar. This information is transmitted to Google, and associated with users' Internet Protocol addresses and Google account identifiers. Google also retains a percentage of user data, which remains linked to personal identifiers.
In response to the privacy backlash, Google altered the Chrome license agreement and some aspects of its data retention policies. The license agreement dropped language relating to Google's reproduction and public display of information submitted through the browser. Google also stated that it would take steps to alter the IP address data that it collects, though no date was set for the change, and technical experts have criticized the company's IP address obfuscation techniques as ineffective.
This week also saw further developments regarding Google's proposed advertising deal with Yahoo - an arrangement that has been criticized by privacy advocates. The U.S. Justice Department has reportedly hired Sanford Litvack, an experienced litigator, as a consultant in its review of the deal. The federal probe focuses on Google's growing power in advertising. Privacy experts have faulted the arrangement on similar grounds. Combined, Google and Yahoo control more than 80% of U.S. online-search ads.
EPIC has a long history of opposing actions that consolidate data concerning users' online habits. On April 20, 2007, EPIC and other privacy groups filed a complaint with the Federal Trade Commission, requesting that federal regulators open an investigation into the proposed Google/Doubleclick merger. EPIC identified specific privacy threats arising from the heightened ability of the merged company to record, analyze, track, and profile Internet users' activities. In February 2000, EPIC filed a regulatory complaint challenging DoubleClick's plan to personally identify internet users through data acquired by the online advertising colossus from Abacus Direct, a giant in offline marketing information. DoubleClick subsequently backed off the controversial web-tracking plan.
Google Chrome License Agreement (after revision): http://www.google.com/chrome/eula.html
EPIC's Search Engine Privacy page: http://epic.org/privacy/search_engine/
EPIC's page on Privacy? Proposed Google/DoubleClick Deal: http://www.epic.org/privacy/ftc/google/
EPIC page on DoubleClick/Abacus merger: http://epic.org/privacy/doubletrouble/
Virginia Supreme Court Strikes Down Spam Law
The Virginia Supreme Court has determined that the state spam law violates the First Amendment. The Court held that the law is overbroad on its face, prohibiting the anonymous transmission of all unsolicited bulk e-mails -- including those containing political, religious or other protected speech. Referring to the pseudo-anonymous essays written by the framers of the Constitution, Justice Agee wrote that "were the Federalist Papers just being published today via e-mail, that transmission by Publius would violate the statute." The Virginia law is unusual in that it does not distinguish between commercial and non-commercial spam. EPIC has testified in support of legislation for unsolicited commercial email but has opposed the regulation of political speech on the Internet.
Jaynes v. Commonwealth, Virginia Supreme Court, Sept. 12, 2008 http://www.courts.state.va.us/opinions/opnscvwp/1062388.pdf
EPIC, Spam, Unsolicited Commercial E-Mail http://epic.org/privacy/junk_mail/spam/
Public-Interest NGOs Express Concern on ACTA Draft Treaty
The United States, the European Union, Japan and Switzerland are negotiating a new Anti-Counterfeiting Trade Agreement, in short ACTA. The initiative, which had been joined by Korea, Mexico, Morocco, New Zealand, and Singapore, strives for stronger international copyright enforcement, which will most likely also address measures to curb piracy online. A diverse group of organizations are urging the negotiators of the ACTA to publish immediately the draft text of the agreement as well as pre-draft discussion papers before continuing further discussions over the treaty. Based on news reports from various business associations, civil society is concerned that the pre-draft text may require service providers to monitor communications and terminate internet connections of their users based on repeat allegations of copyright infringement and disclose users' identity without judicial process. The OECD Civil Society Seoul Paper recommends that governments protect their citizens' privacy rights by upholding the foundational principle that ISPs and Internet intermediaries are not required to monitor communications on their networks under any circumstances. Furthermore, the Paper highlights the importance of the end-to-end principle that is central to the Internet's open architecture and conducive to innovation.
OECD Civil Society Seoul Declaration on ACTA (open for signature): http://www.petitiononline.com/iccp/petition.html
OECD Civil Society Background Paper (Section 2.2): http://thepublicvoice.org/events/seoul08/cs-paper.pdf
Wikileaks: ACTA discussion paper: http://epic.org/redirect/091308_ActaDiscussion.html
Letter to Anti-counterfeiting Trade Agreement Negotiators: http://epic.org/redirect/091308_ActaAgreement.html
E-Deceptive Campaign Practices a New Election Threat
EPIC's voting project is collaborating with Common Cause and the Lawyers Committee for Civil Rights Under Law to publish a report on Electronic Deceptive Campaign Practices and the 2008 election.
The rise of political participation is attracting the attention of those who would use technologies in positive and negative ways. Deception of voters can involve the reliability of voting systems, voter registration status, polling location information, and positions of candidates for public office. Political fundraising efforts are also vulnerable to pharming and phishing efforts to dupe supporters into sending contributions to thieves.
The report will be completed by early October 2008.
EPIC's page on e-deceptive campaign practices: http://epic.org/redirect/091308_EDeceptiveCampaign.html
EPIC Fundraiser - October 5, 2008
Legal Commentator Jeffrey Rosen will speak on "The Future of the Supreme Court" at a fundraising event for EPIC in Washington, DC on October 5, 2008. Mr. Rosen is Professor of Law at George Washington University Law School, Legal Affairs Correspondent for the New Republic, and the author of several popular books on law.
RSVP, EPIC Fundraiser, October 5, 2008 http://www.epic.org/graphics/Epic_Oct_Invite.pdf
"Stolen Lives - Identity Theft Prevention Made Simple," by John D. Sileo
Identity Theft is the fastest growing crime in the United States. It is also the crime that keeps on giving, because victims may have to repeatedly work to clear themselves of fraudulent activity committed in their name. The source of the problem is not consumers, but how credit is granted by American businesses. Because of poor credit granting policies, a thief can get a long way with just a name and a social security number.
The advice provided in Stolen Lives - Identity Theft Prevention Made Simple seems to put the responsibility for protecting against this crime on the shoulders of the victims. The author provides a list of personal information that consumers should protect, but he does not discern what individual pieces of information might be more valuable to identity thieves, such as the value of a social security number versus an individual's height. One piece of personal information, if it's the right piece, can be of greater value to an identity thief than several other pieces of information such as height, weight, and ethnicity. However, so long as credit grantors rely on personal information of consumers as the sole means for granting credit, identity theft will continue to thrive.
The recommendations made by the author are practical and may serve a greater purpose by helping consumers become accustomed to challenging commercial requests for personal information. The writer correctly informs readers that they are not going to be able to completely protect themselves from identity theft. It is EPIC's position that fair information practices are the rules that support privacy protection and that the primary reason identity theft is the fastest growing crime in the US rests on the lack of adherence to these principles.
The book is a short read that promotes action on the part of consumers without explaining the root cause of identity theft, the poor business practices of private sector data collectors.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC 2007). Price: $50.
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 23rd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at: https://mailman.epic.org/mailman/listinfo/foia_notes
Data Retention on the Internet: Challenges for Small, Alternative and Citizen-based Internet Service Providers. September 19, 2008. Organized by The Center for Media and Communication Studies (CMCS) at Central European University (CEU) in Budapest.
Workshop on Applications of Private and Anonymous Communications. September 22, 2008. Istanbul, Turkey. For more information:
OneWebDay - an Earth Day for the internet. September 22, 2008. Worldwide. http://onewebday.org/
World Summit on the Knowledge Society. September 24-28, 2008, Athens, Greece http://www.open-knowledge-society.org/summit.htm
Telecommunications Policy Roundtable. September 26-28, 2008, George Mason University School of Law, Arlington, Virginia.
Europe-wide action day "Freedom not fear." October 11, 2008. Multiple sites. For more information:
International Symposium on Data Protection in Social Networks. October 13, 2008, Strasbourg. For more information:
30th International Data Protection and Privacy Conference: Protecting Privacy in a Borderless World. October 15-17, 2008, For more information:
European Dialogue on Internet Governance (EuroDIG). October 20-21, 2008, Strasbourg, France http://www.eurodig.org/
Privacy in Social Network Sites Conference October 23-24, 2008. Delft University of Technology, Faculty of TPM, The Netherlands. For more information: http://www.ethicsandtechnology.eu
Third Internet Governance Forum. December 3-6, 2008. Hyderabad, India. For more information: http://www.intgovforum.org
Tilting perspectives on regulating technologies, Tilburg Institute for Law and Technology, and Society, Tilburg University. December 10-11, Tilburg, Netherlands
Subscribe/unsubscribe via web interface: https://mailman.epic.org/mailman/listinfo/epic_news
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.
If you would like more information on Privacy '08, go online and search for "Privacy 08." You'll find a Privacy08 Cause at Facebook, Privacy08 at Twitter, a Privacy08 Channel on YouTube to come soon, and much more. You can also order caps and t-shirts at CafePress Privacy08.
Start a discussion. Hold a meeting. Be creative. Spread the word. You can donate online at epic.org. Support the campaign.