EPIC Alert
In advance of National Sunshine Week in the United States, important efforts are underway around the world to promote access to information and greater government transparency.
The Carter Center in Atlanta hosted an International Conference on the Right to Public Information with former President Jimmy Carter, South African Supreme Court Justice Albie Sachs, Justice Diego Garcia-Sayan of the Inter-American Court of Rights, and other top government officials, academics, and advocates working to promote open government. The conference is preparing a declaration to advise governments on how best to promote openness and transparency around the world.
At the OECD in Paris, delegates met recently to consider a new Recommendation for Enhanced Access and More Effective Use of Public Sector Information. The OECD Framework on Access to Information is expected to be presented at the OECD Ministerial Conference that will take place in Seoul, June 17-18, 2008.
From March 16-22, 2008, U.S. National Sunshine Week will bring together open government advocates to discuss transparency issues. The 2008 National FOI Day Conference, hosted in Washington, D.C. by the First Amendment Center, will brief attendees on recent changes to U.S. open records law and feature comments from experts on a variety of open government topics. On March 18, 2008, Associated Press President and CEO Tom Curley will speak on freedom of information issues at The National Press Club. The speech will update Mr. Curley's 2004 Hays-Enterprise Lecture, which many view as a catalyst for ongoing attempts to preserve and strengthen U.S. transparency laws.
Carter Center, International Conference on the Right to Public Information:
Carter Center, "Access to Information: A Key to Democracy"
Carter Center, "Acceso a la Información: La Llave para la Democracia"
OECD Ministerial Conference 2008
Sunshine Week 2008 Events:
2008 National FOI Day Conference:
AP President and CEO Tom Curley to Speak on FOI:
The Public Voice
Reed-Elsevier, the corporate parent of Lexis-Nexis, announced that it plans to acquire Choicepoint, the databroker, for approximately $4 billion. The proposed merger would consolidate two of America's largest aggregators of personal consumer information. Consumer privacy will be seriously affected if the merger is approved without privacy safeguards. The previous Google-Doubleclick merger, which involved two large databases of personal information, similarly raised privacy as well as antitrust issues. EPIC asked the Federal Trade Commission to require privacy safeguards as a condition of approving the Google-Doubleclick deal.
Choicepoint is a large player in the commercial databroker market, selling data products that are used by law enforcement, government agencies, and the private sector. The company has been the target of an EPIC privacy complaint as a result of the privacy harms caused by its business practices. EPIC has been especially critical of Choicepoint's collection and provision of data without Fair Credit Reporting Act protections.
In 2005, Choicepoint disclosed the personal financial records of more than 163,000 consumers to identity thieves. More than 800 cases of identity theft arose from the data breach. Choicepoint was fined $15 million by the Federal Trade Commission as a result of the disclosures. In addition, Choicepoint paid $500,000 to settle lawsuits brought by the Attorneys General of forty-four states, and paid another $10 million to settle a class action lawsuit brought by victims of the breach.
Lexis-Nexis also has a history of wrongfully disclosing consumers' sensitive personal information. In 2005, the company disclosed personal information about 310,000 Americans to identity thieves. Lexis-Nexis disclosed information including consumers' names, addresses, social security numbers, and drivers' license details. In the immediate wake of Lexis-Nexis' data breach, New York Senator Charles E. Schumer told The Washington Post, "it is clear that things are totally out of hand."
EPIC's page on Choicepoint:
FTC web page detailing $15 million fine levied against Choicepoint:
EPIC's December 16, 2004 FTC Complaint regarding Choicepoint:
EPIC's page on the proposed Google/Doubleclick Deal:
A German Constitutional Court ruling recognized a new "fundamental right to the protection of confidentiality and the integrity of information technology systems." The court was deciding a case involving the use of spyware by authorities as part of computer searches. A state law in North Rhine-Westphalia permitted police officials to monitor suspects' computers by sending a Trojan horse or other spyware to the computer. This would permit complete access to the suspect's hard drive as well as ongoing monitoring of emails and other communications. The ruling halts an effort to create a federal law permitting such monitoring.
The court struck down the law, complementing earlier decisions on the right to informational self-determination and the right to absolute protection for the core area of private conduct of life. The court recognized that the use of information systems is of central importance to the personal development of many individuals. The monitoring of such systems allows far reaching conclusions about the personal development of individuals.
The Court permitted exceptions. Under extreme conditions, and with the permission of a judge, the police may monitor information technology systems. If there are factual indications of a concrete danger to life, to the foundations of the state, or to the freedom of people, then limited monitoring may occur. Steps must be taken to protect core data. Improperly collected data must be deleted and cannot be re-used. These conditions preserve the requirement of proportionality.
Spyware has been used in the United States to capture information from suspects' computers. The FBI used spyware to capture suspected mobster Nicodemo Scarfo's encryption passphrase. A court permitted surreptitious entry into his office in order to allow the installation and maintenance of the keylogger software. Applications for warrants before the secret Foreign Intelligence Surveillance Act court have also sometimes involved the use of spyware.
Court Press Release (German):
Germany: New basic right to privacy of computer systems:
EPIC Wiretap Page:
EPIC Keylogger (US v. Scarfo) Page:
Cleveland Clinic patients who participate in the online data-sharing project can disclose prescriptions, allergies, laboratory results, and other personal information. Google reports that it will not share or sell the information, but does not explicitly rule out use of the data for internal commercial purposes. Google's interest in the project is to build a platform that would allow access to many sources of medical information.
In 2000, the Health Insurance Portability and Accountability Act (HIPAA) became the first federal law that provided privacy protection for personal health information. However, the Department of Health and Human Services' final rule implementing the law includes a large number of exemptions. HIPAA does not protect personal health information voluntarily shared by patients with a non-health care provider. HIPAA does allow states with strong medical privacy laws to continue to protect residents.
Google is emerging as a major online ad service provider with a growing base of businesses purchasing services to market effectively to online consumers. The Federal Trade Commission, which exercises jurisdiction in matters of consumer and competition protection, declined to consider privacy in its decision to allow the merger of Google and Double Click, a major online advertising service provider.
Electronic health records federal legislation has been introduced in the US Senate and House.
EPIC Medical Records Privacy Page:
House Resolution 1368 Personalized Health Information Act of 2007:
Senate Resolution 1814 Health Information Privacy and Security Act:
The European Commission has published draft guidelines on the use of radio frequency identification (RFID) technology in member countries. The Commission launched the public debate on RFID in 2006 and has held workshops, an online consultation, and a conference to gather information to create these draft guidelines. The Commission seeks to "provides guidance to Member States and stakeholders on the design and operation of RFID applications in a lawful, ethically admissible and socially and politically acceptable way, respecting the right to privacy and ensuring protection of personal data and appropriate information security."
The Commission makes a number of privacy recommendations including: RFID operators should conduct privacy impact assessments before deploying the technology "to determine what implications its implementation could raise for privacy and the protection of personal data, and whether the application could be used to monitor an individual," "Member States should ensure that RFID application operators and providers of components of such applications take appropriate technical and organizational measures to mitigate the ensuing privacy and data protection risks," and that there should be immediate deactivation of RFID tags when goods are purchased. The Commission also said, "deactivation or removal of tags should not entail any reduction or termination of the legal obligations of the retailer or manufacturer towards the consumer. Consumers should be able to verify that the action is effective."
The use of RFID technology is increasing daily. The tags have been added to clothing, passports, credit cards, and a number of other consumer products. At least one company sells RFID chips that can be implanted into individuals, and these implants have been used by companies for security purposes. In the United States, Wisconsin and North Dakota have banned forced RFID implantation, but there is continuing debate about the definition of "voluntary" implantation.
Last year, the National Institute of Standards and Technology (NIST) issued its "Guidelines for Securing Radio Frequency Identification (RFID) Systems," detailing how to address, in the context of an RFID system, the basic principles of the Organization for Economic Co-operation and Development's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. NIST urged retailers, federal agencies, and other organizations to evaluate the potential security and privacy risks of RFID technology and use best practices to reduce them. "As people possess more tagged items and networked RFID readers become ever more prevalent, organizations may have the ability to combine and correlate data across applications to infer personal identity and location and build personal profiles in ways that increase the privacy risk," NIST said.
EPIC has detailed the privacy and security problems that can accompany use of RFID technology in testimony and analyses. Privacy and security risks associated with RFID-enabled identification cards include "skimming," or reading of RFID data from an unauthorized reader, and "eavesdropping," interception of data as it is being read by an authorized reader. In 2004, EPIC released "Guidelines on Commercial Use of RFID Technology," which address commercial, private applications that may use RFID tags to draw conclusions about consumers without their knowledge or consent, or that might generate data that could be used for entirely different purposes at a later date.
In the Guidelines, EPIC sets out minimum requirements for RFID users, recognizing the advantages that RFID technology can provide while at the same time addressing privacy problems. EPIC also details practices that RFID users should never engage in, including tracking, snooping, and coercing consumers to accept live RFID tags or to associate their personal data with an RFID application. EPIC also states the rights of consumers who are exposed to RFID technology, including: access to the data collected, removal of the tags and data, and the ability to challenge the processes of RFID users and data collectors.
The public is encouraged to submit comments on the European Commission recommendations. The deadline is April 25. A final version of the recommendations is expected in Summer 2008.
European Commission, Public consultation on draft recommendation on the implementation of privacy, data protection and information security principles in applications supported by Radio Frequency Identification:
National Institute of Standards and Technology, "Guidelines for Securing Radio Frequency Identification (RFID) Systems" (April 2007) (pdf):
EPIC's Guidelines on Commercial Use of RFID Technology (pdf):
EPIC's page on Radio Frequency Identification (RFID) Technology:
Study Shows Consumers Support Limits on Law Enforcement Access to Cell Phone Location Information
A study, published this week by the Samuelson Law, Technology & Public Policy Clinic at the University of California-Berkeley School of Law, reveals that consumers strongly favor requirements that law enforcement obtain a warrant and provide notice to an individual before obtaining access to historical location information. More than 70% of Californians polled favored stronger privacy protections than those currently set forth in federal law, 18 U.S.C. § 2703(d), which permits disclosure when information is "relevant and material to an ongoing criminal investigation." Law enforcement agencies are increasingly able to locate individuals by accessing wireless phone records, as well as records generated by other wireless devices and services. The study also indicated broad support for location tracking in emergency situations.
Research Report: A Supermajority of Californians Supports Limits on Law Enforcement Access to Cell Phone Location Information:
EPIC's page on Customer Proprietary Network Information:
New Cyber Initiative to Monitor All Traffic Crossing Government Networks
On February 28, the House Committee on Homeland Security held a hearing on the new Cyber Initiative being implemented by the Department of Homeland Security. The new initiative proposes measures to increase network security of government run networks including all .gov websites and local, state, and federal e-gov operations.
The measures include reducing the number of external Internet connections that the government network currently has and installing the traffic monitoring and intrusion detection system known as EINSTEIN on all of those connections. EINSTEIN is an enterprise-level system similar to what Internet service providers now use to monitor activity on their networks. The EINSTEIN system produces analyses of all network traffic and records personally identifiable information for later use.
House Committee on Homeland Security Hearing Page:
Privacy Impact Assessment Produced by US-CERT (pdf):
EPIC's page on Internet Privacy:
EAC Extends Comment Period for Voting Standards
The Election Assistance Commission has extended the public comment period on the agency's Technical Guidelines Development Committee draft of the voluntary voting system guidelines until May 5, 2008. The extension is intended to give those with an interest in standards development for electronic voting systems time to participate in the public comment process.
The Help America Vote Act (HAVA) of 2002 marked the first time the federal government fully took on the task of developing voting system standards. This will be the second Voluntary Voting System Guidelines document prepared by the Election Assistance Commission since the law was passed. The first voluntary voting system guidelines document was released in December 2005.
EAC Public Comment Page for Voluntary Voting System Guidelines:
EPIC Voting Project Page:
Version of the VVSG Adopted in December 2005 (pdf):
UK rejects mandatory DNA database
The UK Home Office has rejected a proposal for a universal DNA register, consisting of the DNA of every UK resident, citing practical and ethical concerns. A senior police officer proposed the mandatory DNA database, after DNA evidence identified a suspect in the murder of a woman in 2005. The DNA was collected from the suspect after he had been arrested for an unrelated assault.
The UK already has the largest DNA database in the world, containing 4.5 million profiles. DNA is routinely collected from individuals who are arrested, whether or not they are charged with a crime.
EPIC's page on Genetic Privacy:
UK Home Office - The National DNA Database:
Researchers Create Easy Process to Access Encrypted Computer Data
In a paper released February 21, researchers at Princeton's Center for Information Technology Policy revealed a cheap and easy process for accessing encrypted data stored on computer hard disks. When a computer is turned off, the standard memory chips that temporarily hold data, including encryption keys, are supposed to lose their contents. However, the researchers found that the data is retained for up to several minutes after the power is cut off. By using cold air from a standard can of dust remover to cool the chips, the researchers found that the chips then "hold their state for hours at least, without any power." When the chips are put into other computers, their contents can be read using special programs and the encryption keys recovered.
Princeton, Center for Information Technology Policy, "Lest We Remember: Cold Boot Attacks on Encryption Keys":
EPIC and Privacy International, "Privacy and Human Rights Report 2006," chapter on "Surveillance of Communications":
Canadian Privacy Commissioner Issues Report on Camera Surveillance
On March 3, Ontario Information and Privacy Commissioner Ann Cavoukian issued a report on the Toronto Transit System's recent expansion of its video surveillance system. Privacy International had filed a complaint with the office regarding plans to deploy 12,000 cameras across Toronto's transportation network of buses, streetcars, and subways at a cost of $18 million. Privacy International argued that the collection principles in the relevant legislation are not being sufficiently attended to, in that the collection is not necessary, that the scheme is being deployed without consideration of privacy and associated protocols, and with insufficient consideration of access powers. After a four-month investigation, the Commissioner ruled that the system "is in compliance with Ontario's Municipal Freedom of Information and Protection of Privacy Act - but she is calling on the TTC to undertake a number of specific steps to enhance privacy protection." The Commissioner recommends that TTC reduce its retention period "from a maximum of seven days to a maximum of 72 hours (the same standard as the Toronto Police), unless required for an investigation"; that the "video surveillance policy should specifically state that the annual audit must be thorough, comprehensive, and must test all program areas of the TTC employing video surveillance to ensure compliance with the policy and the written procedures" and be conducted by an independent third party; and other privacy recommendations.
"TTC's surveillance cameras comply with privacy Act, but additional steps needed to enhance privacy protection," says Privacy Commissioner Ann Cavoukian.
Office of the Ontario Information and Privacy Commissioner:
Privacy International complaint (Oct. 24) (pdf):
EPIC page on Video Surveillance:
FBI Director reports bureau privacy breaches
FBI Director Robert Mueller reported further FBI privacy breaches to the Senate Judiciary Committee on March 5, 2008. In 2006, the FBI improperly used national security letters to obtain personal data on American citizens, in relation to terrorism and spy investigations. National security letters allow the FBI to collect personal data without court approval. The FBI can gather the data using national security letters from various sources, including banks, credit bureaus, telephone companies, and Internet service providers.
The committee held the hearing to examine the effectiveness of the FBI in carrying out its responsibilities. In a statement, Senator Patrick Leahy, Chairman of the Committee, said "It is vitally important for the FBI to master emerging and enhanced technologies in the fight against crime and terrorism. But we must also be cognizant of the impact that such a database can have on the privacy rights and civil liberties of Americans. It is more important than ever that the FBI acts in ways that protect and enhance the rights and values that define us as Americans, not undermine them."
Senate Judiciary Committee Hearing:
EPIC's page on Domestic Surveillance:
Searching Eyes: Privacy, the State, and Disease Surveillance in America by Amy L. Fairchild, Ronald Bayer and James Colgrove
The boundaries between privacy and public health welfare are being constantly renegotiated and remain heavily contested in the realm of governmental disease surveillance, due to competing social, ethical and legal interests. Authors Amy Fairchild, Ronald Bayer and James Colgrove highlight the shifting tensions between the competing interests of privacy and public health in their book “Searching Eyes: Privacy, The State, and Disease Surveillance in America”. The book chronicles over a century of disease surveillance with meticulous documentation of disease reporting and examines the underlying politics of surveillance and privacy.
The definition of disease surveillance has evolved with time, as has the justification for such surveillance. Disease surveillance began as the required name-based reporting of disease to state and local health departments, often resulting in government program-planning or interventions to control the disease. The justification for state intrusion and intervention often stems from the fear and panic that is induced by disease and palpable threats to public health welfare, with disease surveillance promising to protect society from epidemics.
The book begins in the late 19th century, with an account of public health officials seeking reporting on patients with tuberculosis and venereal diseases. Later, the emergence of “democratic privacy” altered the landscape of the privacy debate, as the people with illnesses themselves demanded registration in databanks for cancer, occupational disease or birth defects, to highlight their cases in order to create support for social and legislative reform.
The identity of medical privacy advocates has also evolved over the last century. At first, it was doctors who were the staunch opponents of required name-based reporting of their patients, citing doctor-patient confidentiality. Today, patients themselves and concerned citizens are all involved in defending the privacy rights of individuals who are targeted by disease surveillance.
The authors assess public health surveillance in a broad political and social context. In their conclusion, they candidly concede that they have not resolved the prevailing controversy surrounding health surveillance, nor did they seek to resolve it. Rather, their motivation was to continue the discussion about negotiating these shifting boundaries between privacy and public health, as part of a much-needed healthy discourse in a realm where the role and reach of government is only expanding.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC 2007). Price: $50. http://www.epic.org/bookstore/foia2006
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 23rd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
ALI-ABA, Privacy Law: Developments, Planning, and Litigation. March 13-14, 2008. Washington, D.C. For more information:
First Annual Freedom of Information Day Celebration. March 17, 2008. American University Washington College of Law, DC. For more information:
Openthegovernment.org, "Government Secrecy: Censoring Your Right to Know." March 19, 2008. National Press Club, DC. For more information:
Windows Into the Soul: Surveillance and Society in an Age of High Technology - 2008 Hixon-Riggs Forum on Science, Technology and Society. March 27-29, 2008. Claremont, California. For more information:
CFP 2008: Technology Policy 08. New Haven, Connecticut. May 19-23, 2008. For more information: http://www.cfp2008.org
Future of the Internet Economy - OECD Ministerial Meeting. June 17-18, 2008. Seoul, Korea. For more information:
Conference on Ethics, Technology and Identity. The Hague. June 18-20, 2008. For more information http://www.ethicsandtechnology.eu/ETI
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.