E P I C A l e r t
On February 6, 2008, EPIC urged a federal district court to order the Department of Justice (DOJ) to produce legal opinions and related documents that were prepared to justify and monitor the President's warrantless domestic surveillance program. The brief, signed by EPIC, the American Civil Liberties Union, and the National Security Archive, renews EPIC's prior request that a federal judge review the documents and make an independent determination as to whether they must be revealed to public under the Freedom of Information Act (FOIA). The DOJ has refused to turn over the documents to EPIC, and opposes judicial review of the documents.
EPIC seeks the disclosure of opinions prepared by the DOJ Office of Legal Counsel regarding the President's warrantless domestic surveillance program. The Office of Legal Counsel regularly issues opinions on a variety of topics in response to legal questions posited by the President and the heads of executive departments. The Office of Legal Counsel's authority is long-standing, and its final opinions must be publicly disclosed in response to FOIA requests. The DOJ has refused to make the warrantless wiretapping opinions public, and has even refused to inform all members of Congress of the documents' contents. Senator Edward Kennedy recently criticized the secrecy surrounding the Office of Legal Counsel opinions, arguing that the Administration's selective disclosure of the documents to a tiny number of legislators "is a pale shadow of the real disclosure that Americans deserve."
Previously in this litigation (EPIC v. DOJ, D.D.C. Case No. 06-cv-0096), the Court ordered the DOJ to be more forthcoming about its basis for withholding documents from public disclosure. The Court also indicated its willingness to review disputed documents "in camera” - that is, for the DOJ to produce the documents, confidentially, to the Court - so that the Court can independently assess the propriety of the DOJ's refusal to publicly disclose the documents.
The activities giving rise to EPIC v. DOJ began in December 2005, immediately after press reports uncovered the President's surveillance program. EPIC requested documents relating to legal opinions that were prepared to justify the program. The American Civil Liberties Union and the National Security Archive also submitted FOIA requests. The DOJ refused to produce several key documents, and EPIC sued, demanding that the DOJ disclose the documents in compliance with the Freedom of Information Act.
EPIC's Page on FOIA Work on the National Security Agency's Warrantless Surveillance Program:
EPIC's Complaint Against the Department of Justice (PDF):
United States Department of Justice - Memoranda and Opinions:
Press release, "Kennedy Calls for Oversight of Warrantless Wiretapping" January 24, 2008:
EPIC v. DOJ "Memorandum Opinion and Order" (PDF):
On February 7, 2008, EPIC and five other privacy organizations filed a supplemental complaint with the Federal Trade Commission (FTC) against Ask.com. EPIC alleges that Ask.com is engaging in unfair and deceptive trade practices regarding its representations concerning AskEraser, a new search product that purports to protect Internet search privacy.
The supplemental complaint states that despite recent changes to the product, AskEraser continues to threaten consumer privacy. AskEraser's chief privacy threats result from AskEraser's cookie-based implementation, Ask.com's policy of secretly disabling AskEraser without any notice to consumers, and the transmittal of personal information to third parties while AskEraser is "on."
The supplemental complaint was filed after Ask.com modified its product: the persistent identifier associated with the AskEraser enabling cookie was replaced with a non-identifying marker. This modification, which followed EPIC's letter to Ask.com complaining of AskEraser's flaws, addresses one, but not all, of the consumer privacy threats identified in EPIC's original complaint.
Since EPIC filed the original complaint on January 18, 2008, the privacy problems associated with AskEraser have attracted media attention. Search engine technology expert Danny Sullivan pointed out that the flow of information to third parties such as Google is "a serious concern, a serious flaw in what searchers may think they're getting - but don't get - in terms of privacy protection." The supplemental complaint notes that this deficiency continues to threaten AskEraser users.
In the original complaint, pending an adequate resolution of the issues identified in the complaint, EPIC and the other privacy groups called on the FTC to promote the development of genuine Privacy Enhancing Techniques that would protect the privacy interests of American consumers. Specifically, the complaint urged the FTC to use its authority to review AskEraser's privacy flaws and order Ask.com to remove AskEraser from the marketplace.
EPIC's Supplemental Complaint to the FTC (PDF):
EPIC's Complaint to the FTC (PDF):
EPIC's letter to Ask.com (PDF):
EPIC's Page on the AskEraser FTC complaint:
Ask.com's AskEraser FAQ Page:
On February 1, 2008, Microsoft made public its $44.6 billion bid to acquire Yahoo. The announcement immediately drew the attention of the U.S. Congress. Yahoo is considering the offer, and any merger would require approval by U.S. and international regulators.
Several hours after Microsoft announced its bid, the U.S. House of
Representatives Judiciary Committee made plans for a February 8,
hearing regarding the "State of Competition on the Internet." The
hearing will include discussion of the proposed Microsoft-Yahoo
Congressmen John Conyers, Jr. and Lamar Smith, senior members of the
Judiciary Committee, said, "Microsoft's bid to acquire
certainly one of the largest technology mergers we've seen and presents
important issues regarding the competitive landscape
of the Internet.
[We] intend to give the proposal a careful examination …" The U.S. Department of Justice also plans to analyze the deal. Department spokeswoman Gina Talamona stated, "[t]he antitrust division would be interested in looking at the competitive effects of the transaction."
In the past, Microsoft acknowledged that similar mergers raised serious consumer privacy concerns. Last September, Microsoft's general counsel, Brad Smith, criticized the privacy implications of Google's $3.1 billion acquisition of online ad firm Doubleclick. Smith told the U.S. Senate, "with this merger, Google seeks to record nearly everything [consumers] see and do on the Internet and use that information to target ads," and "[t]hese privacy issues in fact have antitrust consequences." Privacy advocates have raised similar concerns regarding the proposed Microsoft-Yahoo deal. Jeff Chester, the executive director of the Center for Digital Democracy, said "Microsoft has been trying to make Google seem like a threat to privacy, when in fact it's both of them … [w]e may now have two companies that will rival the National Security Agency in their ability to compile detailed profiles of users wherever they go online."
In 2007, privacy groups, including EPIC, had asked regulators to impose privacy-protecting conditions on the Google-Doubleclick merger. EPIC noted that an unconditional approval of the merger would pave the way for Google to become an "information monopolist." EPIC Executive Director Marc Rotenberg told the European Parliament that the EU must establish privacy safeguards to protect consumers.
In response to the proposed Microsoft-Yahoo merger, EPIC called on regulators to take into account the privacy consequences for Internet users, in addition to concerns about competition and innovation.
U.S. House of Representatives, Committee on the Judiciary, Press Release, February 1, 2008:
EPIC's Submission to the European Parliament (PDF):
Remarks of Brad Smith, senior vice president, general counsel and corporate secretary, Microsoft Corporation, Sept. 27, 2007:
The Department of Homeland Security has just published the 2007 Annual Privacy Report, several months after it was due; following the pattern of tardiness that the agency has maintained since its creation. The first report (April 2003 to June 2004) was published in February 2005. The second report (July 2004 to July 2006) was published in December 2006. EPIC has urged the timely publication of the Annual Reports so that the Congress and the public can meaningfully evaluate the impact of the Department's programs on privacy.
In its report, the Privacy Office emphasized its increased publication of Privacy Impact Assessments and Systems of Records Notices for Homeland Security programs. The Privacy Office also said the "designation of privacy officers within each operational component" of the agency is a "high priority."
The report discusses general efforts the Privacy Office has made since July 2006 to "embed" privacy considerations into the evaluation processes in the Department of Homeland Security, however there is no information on whether these efforts have succeeded in reducing threats to the privacy of Americans. Travel programs were of particular focus: passenger prescreening program Secure Flight, border security program US-VISIT, and the Automated Targeting System (which assigns secret, terrorist "risk assessments" to tens of millions of U.S. citizens and foreign visitors every year). EPIC has detailed the various privacy and security risks involved in the technologies and processes of these programs. EPIC also recently detailed comments urging the agency to either suspend the Automated Targeting System or to fully apply all Privacy Act safeguards to any individual subject to the system.
The Privacy Office discussed the meetings of the agency's Data Privacy and Integrity Advisory Committee, including the committee's comments on the draft regulations for the proposed REAL ID national identification system. The report says the committee issued recommendations addressing "such topics as security safeguards, privacy safeguards, storing personally identifiable information in the machine readable zone of the card, access to the States' driver's license databases, and background checks for employees involved in the manufacturing and production of REAL ID licenses." However, the report does not disclose that the committee refused to endorse the agency's plan.
Congress will be able to use the new report to evaluate the Privacy Office's performance.
DHS Chief Privacy Officer Report Covering July 2004 to July 2006 (PDF):
Homeland Security Act of 2002 (PDF):
EPIC's page on Privacy Report Held Hostage:
DHS Data Privacy and Integrity Advisory Committee, Comments Refusing to Endorse the Draft REAL ID Regulations, May 1, 2007 (PDF):
EPIC's page on National ID Cards and the REAL ID Act:
EPIC's page on the Automated Targeting System:
In a recent report in the IEEE Privacy and Security journal, several computer experts warn of the security risks of expanding warrantless wiretap powers. The report, "Risking Communications Security: Potential Hazards of the Protect America Act," comes as Congress is debating extending the warrantless wiretap power provided by the Protect America Act (PAA) last summer. The PAA removes some surveillance from the limited FISA court review, allows the government to create more surveillance programs with limited review, and immunizes telecommunications companies who participate in these programs from lawsuits. The report recommends that minimization, robust control and oversight be built into surveillance systems from the start. A system without these features will be fraught with risks that are "fundamentally unacceptable," the report concludes.
The report identifies the three most serious security risks: unauthorized outsider access, the misuse by a trusted insider, and misuse by the US government. The surveillance architecture created to exercise PAA powers could be breached and used by outsiders to spy on American communications. The threat has been seen before in other countries, and could come to fruition in the US due to poor security. A Greek wiretapping system was exploited by an unknown party to listen in on government conversations. FBI documents of the DCS 3000 telephone wiretap system revealed several problems in the system's implementation. This risk turns a surveillance system on its head, making it a point of attack rather than a bulwark for defense.
Another risk is the misuse by a trusted insider. Someone with access to the system could use it for improper purposes. Robert Hanssen abused his access to FBI systems to steal information and to track investigations of him. Recently a treasury agent was indicted for using the Treasury Enforcement Communications System in order to stalk his former girlfriend.
The third major risk is misuse by the US government. Watergate era investigations revealed wiretaps of Congressional staff, supreme court justices. These abuses also targeted non-violent activists such as Martin Luther King and members of the American Friends Service Committee and the National Association for the Advancement of Colored People.
Report: Risking Communications Security: Potential Hazards of the Protect America Act (PDF):
Privacy On the Line: The Politics of Wiretapping and Encryption, Updated and Expanded Edition by Whitfield Diffie and Susan Landau:
EPIC's Page on FISA:
European High Court Protects Internet Privacy
In response to a request from the Spanish national court, the European Court of Justice ruled today that European community law does not require European countries to disclose user information in civil cases involving copyright. The high court for the European Union also ruled that European Parliament directives on personal data do not entail an obligation of disclosure of the data for the purposes of ensuring effective protection of copyright in the context of civil proceedings. When interpreting and applying the directives, EU Member States should rely on an interpretation "which allows a fair balance to be struck between the various fundamental rights protected by the Community legal order," the court said. The case is Promusicae, C-275/06.
Judgment of the European High Court (January 29, 2008):
EPIC and Privacy International, "Privacy and Human Rights Report (2006)":
Virginia to Erect Wall of Secrecy Around Fusion Center Activities
On February 1, 2008, the Virginia House Committee on the Militia, Police, and Public Safety reported on House Bill 1007, which would erect a wall of secrecy around the activities of the state's Fusion Intelligence Center located in Richmond Virginia. The bill, entitled "Fusion Intelligence Centers Confidentiality Immunity," was sponsored by Delegate Dwight Clinton Jones and would rewrite Virginia's open records law as well as the state's Government Data Collection and Dissemination Practices Act. Both laws already address issues of data collection and sharing that relate to terrorism and criminal activity.
If the bill becomes law, it would create civil and criminal penalties for information disclosures by employees, and bar subpoena of center staff in civil cases. Information Fusion Centers are new tools deployed by local and state government law enforcement agencies through the awarding of over $380 million in federal grants by the Department of Homeland Security. There is no federal government oversight of the more than 40 local and state centers located in the nation.
EPIC's Page on Information Fusion Centers:
Virginial Bill 1007:
Europe Celebrates Data Protection Day
The Council of Europe designated January 28 as Data Protection Day, a day to "to inform and educate the public at large as to their day-to-day rights." In the U.S., newspapers reporters that U.S. Homeland Security Secretary Michael Chertoff is seeking $6 billion to expand secret surveillance of Internet communications. This surveillance would include installing government sensors on private, company networks. EPIC and Privacy International recently published International Privacy Rankings for 2007, based on the "Privacy and Human Rights Report," which surveys privacy developments around the globe.
Council of Europe, "Data Protection Day":
EPIC and Privacy International, "Privacy and Human Rights Report (2006)":
Canadian Privacy Commissioners Warn Against 'Enhanced' Licenses
On February 5, 2008, Canada's information and privacy commissioners and ombudsmen issued a joint resolution "outlining the steps that will need to be taken to ensure the privacy and security of any Canadian's personal information accessed" as part of the U.S. Department of Homeland Security's so-called enhanced driver's license programs. Homeland Security plans to transform several states' driver's licenses into federal identification cards, containing more data, such as citizenship designations, and different technology than the current licenses. The Canadian officials called for "meaningful and independent oversight," including "regular reporting of oversight activities and corrective measures to the Government of Canada and to the Privacy Commissioner of Canada." The officials also raised questions about the use of long-range RFID technology in the licenses, demanding strong security and privacy safeguards for the technology. The U.S. Government Accountability Office has recommended against RFID chips in ID cards, stating that this could allow for the "tracking and profiling" of individuals.
Office of the Privacy Commissioner of Canada, "Enhanced driver's licences concern Canada's privacy guardians," (February 5, 2008):
EPIC, Spotlight on Surveillance, "Enhanced" Licenses Drive Backwards on Security, Privacy:
UK to Force Youths to Buy National ID Card to Apply for Student Loans
Leaked Home Office documents reveal that UK students aged 16 or older will be expected to obtain a card that could cost up to 100 pounds in order to open a bank account or get a student loan. The UK government initially planned to start issuing ID cards to people applying for a passport in 2010, but the implementation of the plan will be delayed until 2012. Instead, from 2010 onwards ID cards will be issued to students who are applying for a loan and people in "positions of trust" including teachers and social workers. There are concerns that the UK government is planning to take fingerprints and other biometric details of about two million people entering higher education each year.
EPIC's Page on National ID Cards and the REAL ID Act:
Privacy at Risk: The New Government Surveillance and the Fourth Amendment by Christopher Slobogin (University of Chicago Press)
Professor Christopher Slobogin, a leading expert on the Fourth Amendment and new technology, puts forward a new approach to privacy protection in “Privacy at Risk.” Drawing on the Supreme Court’s Terry v. Ohio decision from the 1960s, Slobogin proposes that courts adopt a proportional approach to Fourth Amendment cases. Such an approach would permit less intrusive searches with a lower legal standard – in Terry the Court allowed the police without probable case to “stop and frisk” a suspect – while maintaining a higher standard for more invasive searches. Slobogin also proposes that where searches occur without individualized suspicion – data mining, for example – there should be some alignment between the likelihood of success and the extent of the search. A search through a lot of data should require that a lot of suspicious people will be found.
Courts in the United States, generally accustomed to the yes/no settings of probable cause (the “probable-cause-forever” precept, in the words of Slobogin), have steered clear of proportionality and created a patchwork of exceptions and overlapping doctrines. The consequence is a range of outcomes that include exigency, plain view, “special needs,” and “totality of the circumstances,” which one appellate judge recently described in dissent as a “multi-factor, gestalt high-wire act.”
The US had had a little more experience adjusting the dial of Fourth Amendment protection in the realm of statutory protection. There Congress has, in the wiretap realm for example, cranked up the setting for the content of a communication but left privacy in the low position for transactional data, such as phone numbers dialed. Of course the setting is not always aligned with the sensitivity of the underlying information. Cable subscriber records, in the pre-Patriot Act days, received more protection than medical records.
Proportionality is a more familiar concept in the law flowing from the European Convention on Human Rights where Article 8 explicitly asks judges to determine whether the interference with private life is “necessary in a democratic society.” If recent decisions from the European Court on such topics as personal identity, wiretapping, workplace surveillance, and internet privacy are any indicator, Article 8 and proportionality analysis are more likely to protect privacy.
The attraction of this theory is that it also avoids the downward spiral that is the experience of the reasonable expectation of privacy test. Under that doctrine, at least as interpreted by courts since the 1967 Katz decision (though perhaps not the intent of the 1928 Olmstead Brandeis dissent on which Katz is based) the introduction of new technology almost necessarily diminishes the expectation of privacy unless a judge or a legislator understands the dilemma and realizes that societies and not the technologies societies create should determine their expectations of privacy.
Slobogin also makes the bold and necessary argument that the Fourth Amendment should protect the privacy interests of individuals in public spaces, particularly as government cameras systems peer down on innocent citizens below without limitation. Slobogin describes this as an interest in “public anonymity” and points to an early opinion by Justice Rehnquist that recognized the essential problem if police could routinely record public activity without any basis for suspicion. Professor Slobogin, who has studied regulation of camera surveillance for many years, sets out a useful framework for accountability, based on the Fourth Amendment, that should be required reading for any state agency that wants funding from the Department of Homeland Security for a camera surveillance system.
Professor Slobogin also notes what might be called the “public relations problem” of the exclusionary rule: the remedy for violations of the Fourth Amendment typically only arise when a criminal suspect is seeking to keep the ill-gotten evidence from the jury. It is reasonable that the police should not use evidence improperly obtained, but the doctrinal consequence is a long line of cases about criminals getting off on a “technicality.” Maybe a little case law that compensated people suspected of no crime for the government’s unjustified intrusions would give the Fourth Amendment some of the fine Constitutional gloss enjoyed by the First Amendment. In fact, there are several such cases now pending.
The text of the Fourth Amendment has remained unchanged since the days that the drafters of the Constitution tossed the Custom House officers with their writs of Assistance from their homes. Notably, they based this new freedom from unreasonable intrusion on the right of the people “to be secure” in their homes and their persons. Professor Slobogin has written an important book that should help courts preserve this essential security, which is the basis of Constitutional liberty.
- Marc Rotenberg
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC 2007). Price: $50. http://www.epic.org/bookstore/foia2006
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 23nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
Mobility, Data Mining And Privacy: Preserving Anonymity in Geographically Referenced Data. February 14, 2008. Rome, Italy. For more information: http://wiki.kdubiq.org/mobileDMprivacyWorkshop
ALI-ABA, Privacy Law: Developments, Planning, and Litigation. March
13-14, 2008. Washington, D.C. For more information:
First Annual Freedom of Information Day Celebration. March 17, 2008.
American University Washington College of Law, DC. For more information:
Openthegovernment.org, "Government Secrecy: Censoring Your Right to
Know." March 19, 2008. National Press Club, DC. For more information:
CFP 2008: Technology Policy 08. New Haven, Connecticut. May 19-23, 2008. For more information: http://www.cfp2008.org
Future of the Internet Economy - OECD Ministerial Meeting. June 17-18,
2008. Seoul, Korea. For more information:
Conference on Ethics, Technology and Identity. The Hague. June 18-20, 2008. For more information http://www.ethicsandtechnology.eu/ETI
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.