Home | Databases | WorldLII | Search | Feedback EPIC Alert

EPIC Alert 15.21 [2008] EPICAlert 21

E P I C A l e r t

http://www.epic.org/alert/EPIC_Alert_15.21.html

This week the Electronic Privacy Information Center issued a report on electronic deceptive campaign practices and the 2008 election. Deceptive campaign practices are attempts to misdirect targeted voters regarding the voting process for public elections. Election activity that would be considered deceptive could include false statements about polling times, date of the election, voter identification rules, or the eligibility requirements for voters who wish to cast a ballot. Historically, disinformation and misinformation efforts intended to suppress voter participation have been systemic attempts to reduce voter participation among low-income, minority, young, disabled, and elderly voters.

EPIC's "E-Deceptive Campaign Practices Report: Internet Technology & Democracy 2.0" focuses on the challenge of deceptive election related communications while online. The report looks at the potential for deceptive tactics, including spoofing, pharming and phishing, denial of service, social engineering, rumor-mongering, and link bombs. The tools of Internet communications, such as search engines, e-mail, social networking, Web advertising and behavioral targeting, VoIP, and e-mail are reviewed. The report outlined deceptive tactics seen so far this election season, and made recommendations on what Election Protection, Election Administrators, and voters might do to protect themselves.

In 2008, millions of new voters are engaging the political process through Internet communication, which presents an opportunity to review the technology and the incident of e-deceptive campaign practices. Voters are relying on Internet enabled communications to engage in political decision-making. Deceptive practices tactics that target e-mail, instant message, and cell phone users can compress the timeline for launching successful disinformation and misinformation attacks from days to hours or minutes.

Common Cause, in collaboration with the Lawyers Committee for Civil Rights Under Law, published the law and policy version of the report. EPIC's voting project also published recommendations on the use of electronic voting systems for the November 4, 2008 election.

E-Deceptive Campaign Practices Report: Internet Technology & Democracy 2.0: http://votingintegrity.org/pdf/edeceptive_report.pdf

EPIC Voting Project: http://votingintegrity.org

EPIC Voting Privacy Page: http://epic.org/privacy/voting/

Voting Machine Recommendations: http://votingintegrity.org/pdf/voting_machine_recommend-2008.pdf

Common Cause Report: http://www.commoncause.org/deceptivepracticesreport

On October 20, 2008, the Supreme Court announced that it will review a case that imposed enhanced criminal identity theft penalties on a person who presented an identity document that contained his own name. The Court will determine whether individuals who include identification numbers that are not theirs, but don't intentionally impersonate others, can be subject to harsher punishments under federal law.

In Flores-Figueroa v. United States, the petitioner challenged his conviction for "aggravated identity theft" under the Identity Theft Penalty Enhancement Act. Flores-Figueroa maintains that he did not commit identity theft when he used an identity document with his real name and an identity number that was not his to maintain employment.

The federal law provides for enhanced penalties when a person "knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person." Flores-Figuero identified himself by his real name to his employer, but provided a false Social Security Number and false Permanent Resident Number. Both ID numbers were issued to someone else, but neither person shared Flores-Figuero's name, and the government presented no evidence that Flores-Figuero knew that the ID numbers were assigned to real people. The case will resolve whether a person can be convicted of aggravated identity theft if he does not "knowingly" use an ID number assigned to "another person."

Federal courts have split over this issue. Courts in the First, Ninth, and D.C. Circuit, which cover New England, seven western states, and the nation's capitol, require the government to prove that alleged identity thieves knew that their bogus ID numbers belonged to real people. Conversely, courts in the Fourth, Eighth, and Eleventh Circuits, which cover the coastal southeast, several gulf states, and much of the upper midwest, permit convictions even if the government concedes that the accused simply made up an ID number. In his petition requesting Supreme Court review, Flores-Figuero argued that "this division of authority is considered, entrenched, and untenable. The continued disparate application of the severe penalties ... to similarly situated defendants should not endure."

EPIC's Flores-Figueroa v. United States page: http://epic.org/privacy/flores-figueroa/

EPIC's Identity Theft Page: http://epic.org/privacy/idtheft/

Petitioner's Brief for Supreme Court Review in Flores-Figueroa v. United States: http://epic.org/privacy/flores-figueroa/pet_cert.pdf

The Government's Brief Regarding Supreme Court Review in Flores-Figueroa v. United States: http://epic.org/privacy/flores-figueroa/gov_cert.pdf

The Federal Appellate Court's Decision in Flores-Figueroa v. United States: http://epic.org/privacy/flores-figueroa/8th_Cir.pdf

Delegates at the 30th International Data Protection Conference in Strasbourg, France called for increased international co-operation among data protection authorities and emphasized that data protection must play a more prominent role in the policies of public and private institutions. The event jointly organized by the French and German Data Protection Authorities to celebrate the 30th anniversary of their institutions was held under the auspices of French Presidency Sarkozy and attracted about 600 participants from all over the world.

The data protection commissioners gathered at Strasbourg recalled the Montreux Declaration adopted at the 2005 conference and urged law makers worldwide to adopt rules or adapt their existing regulations to provide adequate answers to the data breaches and losses occurring these days. Personal data should only be collected and processed if the purpose is clearly laid down and the persons concerned are properly informed of such processing. In light of recent scandals all over the world, a strong independent supervision with tangible sanction powers is more necessary than ever, said the delegates

One of the most important topics raised in Strasbourg was the protection of minors and their private sphere. Representatives from around 60 countries agreed that an education-based approach is the best way to teach youngsters how to surf the Internet in a privacy-friendly way while also respecting the rights of others. A resolution adopted by the commissioners calls on website operators to adapt their privacy policies to the needs of children by informing them in clear and simple language about the risks they might face when online.

Another important resolution summarizing the debates during the open sessions focused on social networks and their potential harm to users who are often unaware of the consequences the widespread dissemination of information related to them and to third persons in such networks might have. In particular, the commissioners point out that service providers have a special responsibility for such services. Providers should inform users on how to limit access to personal information. Opt-out for general profile data and opt-in for sensitive data should be offered. Users need to know that little protection exists against the copying of personal data they put into their profiles regardless of whether these data concern themselves or others.

The Conference also highlighted the importance of increased co-operation between the data protection community and the business sector. In a globalised world, essential guarantees for smooth and flexible data transfers are more needed than ever. Personal Information of customers and consumers should only be processed under strict conditions. Data protection must not be considered as an obstacle by the corporate world but should be conceived as an asset in business to consumer relations, said the delegates.

The Conference supported a proposal to set up a working group to establish an international data protection award. The 31st International Data Protection Conference will be held in Madrid next year.

30th International Data Protection Conference: http://www.privacyconference2008.org

Resolutions Adopted: http://www.privacyconference2008.org/index.php?page_id=197

EPIC Privacy and Human Rights report http://epic.org/phr06/

Among the most significant of the resolutions adopted at the 30th annual Conference of the Privacy and Data Protection commissioners was a proposal to establish an international standard for privacy and personal data protection in a borderless. The resolution, prepared by the privacy agencies of Spain and Switzerland and joined by twenty other twenty protection authorities, called for the establishment of a legally binding instrument on data protection and privacy. Among the key findings, the Conference said: - The rights to data protection and privacy are fundamental rights of every individual irrespective of his nationality or residence. - With the expansion of the information society, the rights to data protection and privacy are essential conditions in a democratic society to safeguard the respect for the rights of individuals, a free flow of information and an open market economy. - The globalisation of information exchange and personal data processing, the complexity of systems, the potential harms derived from the misuse of more and more powerful technologies and the increase of security measures require a quick and adequate answer to guarantee the respect for rights and fundamental freedoms, and in particular the right to privacy. - The persisting data protection and privacy disparities in the world, in particular due to the fact that many states have not yet passed adequate laws, harm the exchange of personal information and the implementation of effective global data protection.

The Conference noted the central role of Convention 108 of the Council of Europe in the establishment of an international privacy framework and stated: The Conference supports the efforts that the Council of Europe is making to improve the fundamental rights to data protection and privacy. Therefore the Conference invites the member-states of this organization which have not yet ratified the Convention for the protection of individuals with regard to automatic processing of personal data and to its additional protocol to do so. The Conference invites non- member states in a position to do so to consider responding to the Council of Europe's invitation to accede to Convention STE No 108 and its additional protocol.

Forty countries have ratified the Council of Europe Convention on Privacy. Non-member countries, such as the United States, Canada, and Japan, which recently signed on to the Council of Europe Cybercrime Convention, could presumably ratify the Council of Europe Convention on Privacy.

The Conference also created a new working group, coordinated by the organizers of the 31st International conference and interested data protection authorities, that would draft a "Joint proposal for setting international standards on privacy and personal data protection."

The Conference said that "the process of drafting this joint proposal should be carried out by encouraging extensive participation in the working groups, fora or hearings, of public and private organisations and entities, with the purpose of obtaining the broadest institutional and social consensus."

Council of Europe, "Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data" http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm

Council of Europe, "Convention on Cybercrime": http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm

EPIC, Privacy Law Sourcebook (contains COE Convention 108): http://epic.org/bookstore/pls2004/

The Department of Homeland Security (DHS) announced the Final Rule allowing the Transportation Security Administration (TSA) to implement the Secure Flight program. The rule directs airlines to provide the agency with all passengers' details. The covered aircraft operators must transmit to the TSA, if available, full name, date of birth, gender, passport details, itinerary, reservation control number, record sequence number, record type, passenger update indicator, traveler reference number and, if applicable, the traveler's watchlist complaint Redress Number related to passenger's challenges of watchlist designations.

For the purposes of Secure Flight, the TSA initially defines watchlist as he "No Fly List" and the "Selectee List" of the Terrorist Screening Database (TSDB) maintained by the Terrorist Screening Center under the jurisdiction of the Federal Bureau of Investigation (FBI). However, when warranted by "security considerations", the definition may be expanded to include other watchlists of the Federal government. Further, if the passenger appears to be on the watchlist, a TSA analyst will check other databases including governmental terrorist, law enforcement, and intelligence databases in order to resolve the problem.

The existence and operation of these watchlist can significantly hinder the constitutional right to travel. First, passenger complete reservations much prior to travel and then make other plans around it. Being denied boarding upon arrival to the airport can prove extremely distressing. Further, clearing one's name also requires giving up some privacy. Initially the existence of such watchlists were denied; they were finally admitted by the TSA in October 2002 through the efforts of EPIC. The watchlists have always been riddled with errors. The Inspector General of the US Department of Justice have found the watchlist nomination to be incomplete or containing inaccuracies. Recent news have revealed more incidents of false positives and harrowing experiences of legitimate travelers.

In an attempt to redress the watchlist errors, the DHS initiated a Traveler Inquiry Redress Program (DHS TRIP) which collects additional information about a passenger. While this enables the screening out of a passenger, it does not address how passenger's name appeared in the watchlist in the first instance. EPIC testified before the Congress in September on cleaning up the watchlists and underscored the Privacy Act requirements and exemptions claimed by the DHS. EPIC also stressed the need for limiting the over collection of information and recommended appropriate penalties for violations of privacy and civil liberties obligations.

DHS Final Rule on the Secure Flight program: http://edocket.access.gpo.gov/2008/pdf/E8-25432.pdf

TSA Secure Flight Program: http://www.tsa.gov/what_we_do/layers/secureflight/index.shtm

EPIC's Page on Secure Flight: http://epic.org/privacy/airtravel/secureflight.html

EPIC's Spotlight on Surveillance- Secure Flight should remain grounded: http://epic.org/privacy/surveillance/spotlight/0807/default.html

EPIC's testimony before Congress (September 2008): http://epic.org/privacy/airtravel/watchlist_test_090908.pdf

Watchlist FOIA Documents: http://epic.org/privacy/airtravel/foia/watchlist_foia_analysis.html

EPIC's page on air travel privacy: http://epic.org/privacy/airtravel/

EPIC's page on passenger profiling: http://epic.org/privacy/airtravel/profiling.html

The Department of Homeland Security released the Privacy Office Annual Report to Congress covering the period July 2007 to July 2008. The report covers an overview of the DHS Privacy Office responsibilities, activities compliance, initiatives, implementation of recommendations of the 9/11 Commission as well as privacy complaints. The report gives a summary of its Coordination with the Office of Civil Rights and Civil Liberties, Privacy Office's Outreach to the Congress and also includes Departmental Disclosures. The report comes three months after completion of the period it covered. Statutorily, the Chief Privacy Office must prepare annual reports to the Congress. The last report was late by several months and was finally issued earlier in February, this year. EPIC has urged the timely publication of the DHS Privacy Reports so that a meaningful evaluation can be carried out by interested parties.

DHS Privacy Office Annual Report to Congress: http://epic.org/redirect/102408_DHS_Report08.html

EPIC's page on DHS Privacy Report: http://epic.org/privacy/oversight/

Google's reply to Article 29 Working Party:

Article 29 Working Party issued a recommendation on April 4, 2008 an opinion that search engine retain data for a maximum period of six months and reaffirmed the applicability of European data protection law which mandates deletion or irreversible anonymization of personal data after that period. On September 8, 2008, Google replied that it would reduce search data retention to nine months by anonymizing the associated IP address. Christopher Soghoian, a former Technology Fellow at EPIC drew attention to the fact that the anonymization was only minimal as the IP address was partially anonymized and further, the presence of a cookie would allow the future association of the search data with the IP address and thus could reverse the anonymization. The Chairman of the Working Party believes disagreements remained as Google considered itself not subject to EU data protection law and wanted to retain personal data beyond six months while considering IP address to be confidential information only.

Google: The Beginnings of a dialog: http://epic.org/redirect/102408_Google_EU_dialog.html

Google answers Article 29 Working Party on data retention: http://epic.org/redirect/102408_Google_A29WP_reply.html

Surveillance State: Debunking Google's log anonymization propaganda: http://news.cnet.com/8301-13739_3-10038963-46.html

Google cuts data retention after EU privacy warning: http://euobserver.com/871/26718

Search engines for video surveillance:

Video surveillance will take on a whole new meaning if the Defense Advanced Research Projects Agency (DARPA) is successful in implementing technologies being developed under contracts to private firms worth nearly $20 million. The method, dubbed the Video and Image Retrieval and Analysis Tool (VIRAT) will analyze regular video as well as infrared scanners and archive based on classes of activities or events which includes digging, loitering, walking to following, gathering, kissing and even shaking hands. This system is aimed at indexing and searching databases of videos of movement automatically without human interference. Previously, EPIC had urged the scrutiny of the Department of Homeland Security's proposal of overseeing vast amounts of digital fingerprints, photographs and other personal information. Few years earlier, the General Accounting Office had issued a report that identified almost 200 Federal data mining projects that were operational or were being planned. EPIC had also obtained under the Freedom of Information Act internal communications between DARPA employees considering data broker Acxiom as a supplier of personal information for Total Information Awareness (TIA).

DARPA building search engine for video surveillance footage: http://epic.org/redirect/102408_ArsTechina_vidsrvlnc.html

DARPA Contract Description Hints at Advanced Video Spying: http://epic.org/redirect/102408_WPOST_darpa.html

EPIC's page on Total Information Awareness: http://epic.org/privacy/profiling/tia/

Federal Court Applies Anti-Spam Protections to Web Site

On October 14, 2008, a federal court in Washington state allowed a spam lawsuit to proceed, even though the claimant is not an internet service provider. In Haselton v. Quicken Loans Inc., the web site Peacefire.org sued an alleged spammer for the harm inflicted by spam on Peacefire's online services. The court ruled that Peacefire, a web site that provides anti-censorship tools, is an "Internet access service," and therefore entitled to pursue its case under the CAN-SPAM act, the primary federal anti-spam law. The court further held that monetary damages are not limited to e-mail service providers. The ruling is consistent with other recent opinions that authorized anti-spam suits by Internet social-networking services such as Facebook and MySpace. EPIC has advocated for stronger anti-spam measures before Congress, state legislatures, and federal regulators.

Federal Court Opinion Applying Anti-Spam Protections to Web Site: http://epic.org/privacy/junk_mail/spam/haselton.pdf

EPIC's SPAM - Unsolicited Commercial Email Page: http://epic.org/privacy/junk_mail/spam/

Federal Regulators Win Injunction Against Prescription Drug Spam Ring

On October 15, 2008, the Federal Trade Commission obtained a temporary injunction against an international network of individuals responsible for billions of unsolicited commercial emails. The spammers allegedly used a world-wide network to barrage email users with deceptive offers for prescription drugs, including Viagra and weight loss medication. Federal regulators seek to shut down the network permanently, and recover monetary damages, which they estimate to be substantial. Four companies are accused of masterminding the spam plot, including two US firms, Tango Pay Inc. and Click Fusion Inc., as well two New Zealand entities. EPIC has advocated for restrictions on unsolicited commercial email, and supported substantial monetary penalties in federal regulatory actions.

FTC Announcement Regarding Spam Ring Shutdown: http://www.ftc.gov/opa/2008/10/herbalkings.shtm

EPIC's SPAM - Unsolicited Commercial Email Page: http://epic.org/privacy/junk_mail/spam/

Interpol Proposes Worldwide Facial Recognition System

International Police Organization, the Europe-based international law enforcement group, has proposed an automated face-recognition system for international borders. Such a system could require travelers to undergo face scans, and make the information available to numerous countries. An Interpol face-recognition database would permit Interpol member nations to search records containing travelers' personal biometric information, and could be used in conjunction with travel watch lists. The inaccuracy of facial recognition technology has repeatedly been criticized. Privacy watchdogs have questioned the efficacy and wisdom of government programs that collect ever-more personal information at border crossings. "We need to get our data to the border entry points. There will be such a large role in the future for fingerprints and facial recognition," said Mark Branchflower, head of Interpol's fingerprint unit.

Interpol Presentation at Biometrics Exhibition and Conference 2008: http://www.biometrics.elsevier.com/programme.htm

EPIC's Face Recognition Page: http://epic.org/privacy/facerecognition/

Europe postpones body scanners:

Members of the European Parliament (MEP) have voted overwhelmingly in opposing the implementation of body scanners. The MEPs directed the Commission to carry out a fundament rights impact assessment, consult with European privacy authorities, assess the health impact of the technology, and conduct a cost-benefit impact assessment. Bodyscanners, or backscatter X-rays, show detailed images of a person's naked body and are equivalent to a "virtual strip search" for all air travelers. The MEPs believed that use of such machines would exceed the implementing powers as the measures foreseen have a serious impact on the fundamental rights of citizen and cannot be termed as mere technical measures related to security.

Body scanners at airports: MEPs say fundamental rights under threat: http://epic.org/redirect/102408_EUBodyScanning_rightthreat.html

EPIC's page on Backscatter X-Ray Screening Technology: http://epic.org/privacy/airtravel/backscatter/

EPIC's page on TSA's funding of Backscatter X-Ray: http://epic.org/privacy/surveillance/spotlight/0605/

The Shadow Factory: the Ultra-Secret NSA from 9/11 to the Eavesdropping on America by James Bamford (Doubleday 2008)

http://www.powells.com/biblio/1-9780385521321-0?&PID=24075

Over the last several years, I have attended various meetings with representatives of the intelligence agencies who patiently explained the need to "update," always their word of choice, the federal wiretap laws to take account of the rapid changes in technology and the ongoing need to identify those who would threaten the nation's security. Invariably, these meetings would turn to a discussion about how the agencies, such as the NSA, can no longer point their antennas to the sky and capture data traffic broadcast by satellites, but must now work with private sector companies who transmit the world's vast communications traffic on undersea cables and high-speed switches. The traditional legal framework with its court procedures and application process, they argued, is too burdensome, too outdated. A "modern" surveillance law, again their word of choice, must remove unnecessary legal barriers. Many members of Congress attended similar meetings and went on to cast votes to weaken the federal wiretap laws, most notably the Foreign Intelligence Surveillance Act.

I share this story only because I cannot imagine another similar meeting taking place in Washington after the publication of James Bamford's remarkable book about the expansion of surveillance authority after 9-11. If anything, "The Shadow Factory" makes clear the need for greater oversight when surveillance agencies are given greater powers.

Bamford draws on the excellent reporting by many journalists, particularly at the New York Times, who began to shed light on the President's unlawful surveillance activities once the decision was made to ignore the White House pleas to keep the program secret. But only James Bamford, the author of ground breaking 1982 book on the NSA, could pull together the pieces of the puzzle. This is a fact-filled, quick-paced narrative that ties the together the enormous complexity of the world's largest intelligence organization, the personal stories of those who perpetrated the attacks on 9-11 and those who tried to stop them, and the concerns of people inside of the government who wrestled with the ethical and legal implications of the decision to turn the NSA's vast surveillance capabilities on the American public.

Much of the book focuses on the role of then NSA Director Michael Hayden who, as Bamford describes, chose not to use authority he had to identify terrorists when they were in the United States and then later dramatically expanded, with the full backing of the White House, the agencies surveillance powers beyond what the law allowed. (In fact, Cheney wanted Hayden to go further than the NSA Director proposed.) Hayden was not the first director of intelligence to collude with the telephone companies -- Herbert Yardley did so following the first world war at the Black Chamber, as did Brigadier General W. Preston Corderman, the chief of the Signal Security Agency, after the second -- but Hayden's reach as the US entered the twenty-first century was clearly greater and the legal hurdles to overcome, following the revelations of NSA spying on American citizens which led to the passage of FISA, much higher.

Bamford also describes how the White House used the NSA's surveillance to monitor the communications of UN Secretary General Kofi Annan and then to manipulate key votes on the Security Council to win support for the resolution to invade in Iraq. Bamford writes, "by listening in as the delegates communicated back to their home countries, the NSA would be able to discover which way they might vote, which positions they favored or opposed, and what their negotiating positions would be."

But when it came to the actual business of identifying threats to the nation, the NSA had less success. Bamford explains, "those involved in the warrantless wiretapping program soon began to realize its limitations. By gaining speed and freedom they sacrificed order and understanding. Rather than focusing on the most important and potentially productive targets, which was required when going through the FISA court, they took a shotgun approach." Instead of finding the needle, they piled on the hay.

- Marc Rotenberg.

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008", edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC 2008). Price: $60.

http://epic.org/bookstore/foia2008/

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under Freedom of Information Act, Privacy Act, Federal Advisory Committee Act, Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/bookshelf/epicorg.html

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at: https:/mailman.epic.org/mailman/listinfo/foia_notes

Identity Rights Colloquium, October 31, 2008. Faculty Lounge, 78 Queen’s Park, Toronto, Canada. For more information:
http://www.innovationlaw.org/events/calendar/identity.htm

Third Internet Governance Forum. December 3-6, 2008. Hyderabad, India. For more information: http://www.intgovforum.org

International Human Rights Day, December 10, 2008. For more information: http://www.un.org/events/humanrights/2008/

Tilting perspectives on regulating technologies, Tilburg Institute for Law and Technology, and Society, Tilburg University. December 10-11, Tilburg, Netherlands.
http://www.tilburguniversity.nl/tilt/conference

The American Conference Institute is hosting the 8th National Symposium on Privacy and Security of Consumer and Employee Information at the Four Points by Sheraton, Washington, DC. January 27-28, 2009, Washington, DC. http://www.americanconference.com/Privacy.htm

Subscribe/unsubscribe via web interface: https://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

If you would like more information on Privacy '08, go online and search for "Privacy 08." You'll find a Privacy08 Cause at Facebook, Privacy08 at Twitter, a Privacy08 Channel on YouTube to come soon, and much more. You can also order caps and t-shirts at CafePress Privacy08.

Start a discussion. Hold a meeting. Be creative. Spread the word. You can donate online at epic.org. Support the campaign.

Facebook Cause:
http://www.epic.org/redirect/fbprivacy08.html

Twitter:
http://twitter.com/privacy08

CafePress:
http://www.cafepress.com/epicorg

.