EPIC Alert
The U.S. Senate passed the Genetic Information Nondiscrimination Act ("GINA") on April 24 with a vote of 95-0. The bill addresses the risk that advances in genetics open new opportunities for medical progress and will also give rise to the potential misuse of genetic data to discriminate. The genetic privacy bill seeks to establish a national standard to prohibit genetic discrimination by health insurance providers and employers. Under the bill, these entities cannot require genetic testing, cannot determine premiums or eligibility for insurance or employment based on genetic information, and are limited in their collection and use of genetic data.
"A person’s unique genetic code contains the most personal aspects of their identity. As we begin to decipher this information, Americans have legitimate fears about how this deeply private information will be used," said bill co-sponsor Sen. Edward Kennedy. The legislation "takes a substantial step to preserve the value of new genetic technology and protect the basic rights of every American," Kennedy added.
However, experts caution against too much optimism over the legislation. "Perhaps the greatest risk posed by enacting GINA would be that lawmakers might become complacent and believe that the problem of genetic discrimination in health insurance and employment has been adequately addressed by the new federal law," noted Mark Rothstein in a recent analysis of the legislation in the Journal of Law, Ethics and Medicine. He is Director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine.
The bill, which passed the Senate in 2003 but died in the House, was reintroduced on January 16. Now that it has passed the Senate, the bill goes back to the House; President Bush has said he supports the legislation.
Genetic Information Nondiscrimination Act, S. 358:
Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine:
EPIC page on Genetic Privacy:
The International Working Group On Data Protection in Telecommunications has released a report and guidance (pdf) on privacy in social networking services. The report identifies risks to privacy and security, and provides guidance to regulators, service operators and users to counter these risks. Risks include the large amount of data collection; the misuse of profile data by third parties; insecure infrastructure; and application programming interfaces. Social networking services are seen by the report as "pushing the boundaries" of individual space. Large quantities of personal information are quickly and globally made available, particularly digital images and video. The identified risks are only the "tip of the iceberg" as new uses for personal data in user profiles are identified by law enforcement, secret services, and the private sector.
Government officials should ensure that service providers are honest and clear about their information practices, to enable informed user choice. Providers should be obliged to give notice of data breaches. Educational institutions should introduce tools for informational self-protection in their curricula.
For providers, the main elements of fair information practices are transparent, open information uses, and providers living up to the promises made to users. Further, providers should enable and encourage the use of pseudonymous profiles. Privacy-friendly default settings, including the non-indexability of profiles by search engines, play a key role in protecting user privacy. Methods for enabling user control of data should be devised, both within the community and for third-party uses. Improved complaint handling, better security, and the offering of encrypted connections will also improve data protection.
The report closed by calling upon privacy and consumer groups to raise awareness with regulators, service providers, the public and young people about privacy risks.
Report and Guidance on Privacy In Social Network Services:
http://epic.org/redirect/repguidanceSNS.html
International Working Group On Data Protection In Telecommunications:
http://www.berlin-privacy-group.org
EPIC Social Networking Privacy Page:
EPIC Facebook Privacy Page:
On April 24, 2008, EPIC made final arguments in its Virginia Freedom of Information Act lawsuit against the Virginia State Police. EPIC asked the Court to: 1) assess, through in camera review, the propriety of redactions made by the Virginia State Police to documents disclosed in response to EPIC’s open government requests; and 2) award EPIC its attorneys’ fees and costs incurred in the case. Virginia law permits a FOIA requestor to recover reasonable fees and costs from a Virginia agency if the requestor "substantially prevails on the merits of the case." As a result of EPIC’s lawsuit, the State Police disclosed several hundred pages of documents relating to the Virginia Fusion Intelligence Center. EPIC expects the Richmond General District Court to issue its final order in the case within two weeks.
EPIC sued the State Police to compel the disclosure of public records relating to the role of federal agencies in the Virginia Fusion Center. The Virginia Fusion Center is a database that collects information on ordinary citizens. Of particular interest to EPIC was federal involvement in recent legislative efforts to limit Virginia’s open government and privacy laws. EPIC sought to determine whether the U.S. Dept. of Justice or the U.S. Dept. of Homeland Security participated in the development of the legislation, HB 1007. The legislation, introduced in January 2008 and recently signed by Virginia Governor Tim Kaine, limits Virginia's open government and privacy statutes, as well as Virginia's common law right of privacy, for the Virginia Fusion Center. The fusion center is one of several similar entities established by state governments throughout the United States.
As a result of its Freedom of Information Act lawsuit, EPIC obtained documents, including a Memorandum of Understanding between the FBI and the Virginia State Police that limits the state's open government law. The Memorandum is a secret contract that was executed prior to the enactment of HB 1007. The agreement requires the state agency to comply with federal regulations that restrict the disclosure of records about the Virginia Fusion Center that would otherwise be available to the public. The federal regulations (28 CFR Part 16) cited in the Memorandum contain at least thirty-seven exemptions from open government and privacy laws. The Memorandum also requires the State Police to refer state-law open government requests to federal agents if the requests relate to information shared by the FBI with the fusion center.
On the heels of the lawsuit against the Virginia State Police, EPIC expanded its investigation of fusion centers. On April 18, 2008, EPIC filed an open government request with the Texas Department of Public Safety. EPIC’s request seeks documents about the federal government’s role in the Texas Fusion Center’s transparency and privacy policies. The White House's official position requires fusion centers to respect state open government and privacy laws. However, the Memorandum of Understanding between the Virginia State Police and the FBI is inconsistent with the White House’s stated policy. EPIC seeks to determine the extent of federal involvement in the Texas Fusion Center’s compliance with Texas open government and privacy laws.
Fusion centers are intelligence databases that collect information from federal, state, municipal, and private sources. Privacy advocates have criticized the non-transparent operation of fusion centers, and their lack of meaningful civilian oversight. Federal guidelines call for fusion centers to accumulate and retain information about citizens from sources such as: financial records, credit reports, medical records, internet and email data, video surveillance from retail stores and sporting facilities, data from preschools, and welfare records.
EPIC v. Virginia Department of State Police - Fusion Center Secrecy Bill:
EPIC’s Freedom of Information Act Lawsuit:
Memorandum of Understanding Between the Virginia State Police and the Federal Bureau of Investigation:
EPIC’s Freedom of Information Act Request to the Texas Department of Public Safety:
EPIC - Information Fusion Centers and Privacy:
On April 24, 2008, EPIC testified before the Election Assistance Commission on the development of the 2007 Voluntary Voting System Guidelines. The standards would replace the 2005 version and be the first major rewrite of voting systems standards, which predated the founding of the new agency in 2004. The work marks the latest step towards a fully federal process for voting system standards, testing, and certification.
The 2007 draft standards document is very different from the 2005 version because it reduces ambiguity, creates an opportunity for new types of voting systems to be considered, and supports the review of more types of voting systems than the earlier version. The 2007 draft standards support an “independent voter-verifiable record” while at the same time establishing that verification of these records must be accessible to minority language speakers and persons with disabilities. The 2007 draft standard has also expanded the usability and accessibility review of voting systems to include summative usability testing, to support measures of how accurately voters may cast their ballots. The topic of human factors is covered in the new and expanded material. Human factors featured prominently in the failed election processes in the 13th District of Florida in 2006 and in the Florida 2000 election.
Another key development in the new draft standards is software independence, which requires that “an undetectable error or fault in the voting system’s software is not capable of causing an undetectable change in election results.” The standard as currently drafted requires that all voting systems certified under the standard must be software independent. The most controversial measure in the proposed standard may be the establishment of an “innovation class,” which would allow consideration of voting systems that are not addressed by the final version of the standards.
EPIC Testimony on Voluntary Voting System Guidelines (April 24, 2008):
EPIC’s Voting Privacy Page:
EPIC’s Voting Project: National Committee for Voting Integrity:
The U.S. Supreme Court on April 28 rejected a challenge to a voter ID law in Indiana. In a 6-3 opinion, the majority said the state interests "are both neutral and sufficiently strong to require us to reject petitioners’ facial attack on the statute," and the burden imposed on voters was "minimal and justified."
The Indiana law requires individuals to show a government-issued photo ID card before they are allowed to vote. Prior to the enactment of this law, voters were required only to sign a book at the polling place, where a photocopy of the voter's signature was kept on file.
In the lead opinion, Justice Stevens admitted that the case contained "no evidence" of the type of voter fraud the law was devised to deter: cases in which a voter attempts to cast a ballot in another person’s name. But Justice Stevens also wrote that the risk of voter fraud is "real" and the state has a "valid interest in protecting ‘the integrity and reliability of the electoral process.’" Justice Stevens rejected the assertion that the law "imposes ‘excessively burdensome requirements’ on any class of voters." Neither the state nor the courts have been able to identify one case in which a photo ID requirement would have prevented voter fraud. Indiana has a recent and documented history of absentee voter fraud, but the law at issue creates an exception for absentee voters, allowing them to vote without presenting government-issued photo identification.
Writing in dissent, Justice Souter said, "this statute imposes a disproportionate burden upon those without" government-issued photo IDs, and Indiana has failed to justify this burden. "The onus of the Indiana law is illegitimate just because it correlates with no state interest so well as it does with the object of deterring poorer residents from exercising the franchise."
In November, EPIC and 10 legal scholars and technical experts had submitted a "friend of the court" brief urging the Court to invalidate the law. The group argued: "First, the Indiana law ostensibly seeks to address the problem of voter fraud through the establishment of a photo requirement at the polling place, yet leaves open the ongoing risk of fraud made possible by absentee voting. As a matter of logic, the identification requirement is flawed. Second, the state voter ID law will almost certainly rely upon the federally mandated REAL ID, a controversial system of identification that will introduce additional privacy and security risks." With its decision, the Supreme Court has not barred all future challenges to voter ID laws, but keeps the door open for future cases that seek to test such laws as they were applied in a specific election. In short, if a voter is actually disenfranchised by such laws, then the Court would consider that case. However, such challenges would have difficulty succeeding. Indiana is one of seven states with a voter photo ID requirement. A number of other states are considering similar legislation.
US Supreme Court decision in Crawford v. Marion County (April 28, 2008) (pdf):
EPIC's page on Crawford v. Marion County, Indiana:
EPIC's page on Voting and Privacy:
The National Committee for Voting Integrity:
NJ Supreme Court: Subscribers Have Privacy Right In Internet Data
In a 7-0 ruling on April 21, the New Jersey Supreme Court upheld a lower court ruling and found that Internet service providers must protect user information and a valid subpoena is needed before the providers can disclose private data about subscribers. "We now hold that citizens have a reasonable expectation of privacy, protected by Article I, Paragraph 7, of the New Jersey Constitution, in the subscriber information they provide to Internet service providers – just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies," the court ruled. Last year, EPIC joined five groups in filing a "friend of the court" brief to the NJ Supreme Court in New Jersey v. Reid. In their brief, the groups explained, "This case raises far-reaching questions about the scope of privacy protection in the electronic environment," especially because subscriber information "can reveal substantially more about an individual than, for example, the phone numbers she dials."
New Jersey Supreme Court ruling in State v. Reid (April 21, 2008) (pdf):
"Friend of the court" brief of EPIC and five groups (July 5, 2007) (pdf):
DHS Chief: Fingerprints Not "Personal Data."
Michael Chertoff, Secretary of the Department of Homeland Security, told Canadian journalists that fingerprints are not personal data. Chertoff explained that, "you leave it on glasses and silverware and articles all over the world, they’re like footprints." Canada's privacy commissioner, Jennifer Stoddart, replied that Canadian legislation defines fingerprints as personal information. In a letter to the Minister of Public Safety and Emergency Preparedness Canada, Stoddart pointed to the holdings of several courts that compelled fingerprint collection might violate rights under the Charter of Rights and Freedoms. In the United States, the Privacy Act includes fingerprints in its definition of records identifying individuals, bringing them under the protection of the Privacy Act.
Chertoff Says Fingerprints Aren’t ‘Personal Data’:
Letter to the Minister of Public Safety and Emergency Preparedness Canada:
EPIC Privacy Act Page:
GAO: Feds Aiding Challenges of State Information Fusion Centers
Almost all states and several local governments have begun setting up information fusion centers to share law enforcement and intelligence information with the federal government. The GAO reports that DHS and DOJ have taken steps to grant these centers access to federal information systems. The centers are turning to the federal government for guidance and training as well as funding. This training includes federal assistance in setting up state and local privacy and civil liberties policies. EPIC has sued the Virginia State Police requesting documents detailing their relationship with the federal government and their efforts to change state open government laws.
Homeland Security: Federal Efforts Are Helping to Address Some Challenges Faced by State and Local Fusion Centers:
EPIC v. Virginia Department of State Police: Fusion Center Secrecy Bill:
Information Fusion Centers and Privacy:
Justice Dept. Seeks Comments on Proposed DNA Fingerprint Rules
On April 18, the Justice Department released its proposed regulations for implementation of the DNA Fingerprint Act of 2005. "This rule directs agencies of the United States that arrest or detain individuals, or that supervise individuals facing charges, to collect DNA samples from individuals who are arrested, facing charges, or convicted, and from non-United States persons who are detained under the authority of the United States." Also, "Agencies collecting DNA samples are directed to furnish the samples to the Federal Bureau of Investigation, or to other agencies or entities as authorized by the Attorney General, for purposes of analysis and entry into the Combined DNA Index System." The regulations include other directions and limitations. Comments on the proposed regulations are due by May 19 and must include reference to "OAG Docket No. 119."
Justice Department rulemaking on DNA Fingerprint Act of 2005 (April 18, 2008):
EPIC’s page on Genetic Privacy:
The Future of the Internet -- And How to Stop It by Jonathan Zittrain (Yale University Press: 2008, ISBN: 978-0-300-12487-3)
Professor Zittrain's modestly titled "The Future of the Internet -- And How To Stop It" elucidates what has made the Internet so successful, so creative, and yet has also placed it in danger. Zittrain finds the solution by isolating ways these key ingredients can be used to solve the rising problems. From the punch card census to Wikipedia; from the Internet worm to massive botnets run by mobsters; from government mainframes to embarrassing user-generated viral videos, Zittrain covers the gamut of the Internet history and experience, tying it under his model of the competition between generative networks and controlled, limited appliances and networks.
As Zittrain explains, the Internet is a generative network -- it fosters innovation and disruption -- in contrast to appliancized networks such as the old America Online or CompuServe, which greatly limited innovation in favor of control. This generativity works on several "layers" of the Internet -- from the basic IP, or Internet Protocol, to devices, operating systems and even the content or social aspects of the Internet. This generativity has allowed the explosion of the Internet and its various uses: any device can be made to connect to the IP protocol; transport protocols such as FTP and HTTP can be made to work on IP; websites and email services run on those protocols; computer components can run many operating systems; operating systems can run any software; wikis and other software allow anyone to modify websites without the need to learn HTML.
While generativity has brought the Internet's benefits into existence, it has also brought a new breed of problems. Computers that run any code can easily fall victim to viruses, and become sources of annoyance or malfeasance to the rest of the Internet. Compromised computers can launch spam, phishing and denial of service attacks. One answer to these problems is to reduce the generativity, to create more "tethered appliances." In some ways the next generation does not see the same generativity that the Internet previously had. Youth communicate via instant messaging, texting and social network sites, avoiding e-mail as too filled with spam, viruses and phishing attempts. Zittrain considers these "contingently generative" services -- you're free to do a lot, to create, but this license may be withdrawn.
But centralized, contingently generative devices raise other problems, of control and information collection. An automobile with a navigation device under control of a provider can have that device hijacked for eavesdropping by law enforcement. A digital video recorder that receives updates from its central server can be updated according to a court order, disabling functions that users were expecting.
Zittrain offers a different solution from the tethered appliance model. The answer is to promote solutions that preserve and indeed depend on the generative features. At the technical level, computers can be configured to easily recover from user mistakes -- undoing virus installations. Or users can share simple statistics about their computers, allowing the creation of systems that decide whether new code is safe or not.
Privacy is the subject of one chapter, with Zittrain proposing that the solution for generative privacy problems lies in the "social layer." Privacy regulations, based on the 1973 principles of Fair Information Practice (FIPs), are appropriate to "privacy 1.0" threats of centralized information collection. Privacy 2.0 sees the dangers of ubiquitous sensors, of peer production and reputation systems. Zittrain would promote code-backed norms -- so that one can list one's privacy preferences similar to the way that Creative Commons facilitates one listing one's copyright licensing preferences. Or users could be enabled to contextualize their data online, or enact "reputation bankruptcies" that would expire some of their older activity. But these ideas are still reminiscent of Fair Information Practices, still focused on the privacy 1.0 principles. Code-backed norms are simply another way to talk about user control and consent. Contextualizing one's data online is similar to the FIP of being able to amend or correct a record. Reputation bankruptcy is akin to deleting a record. And lastly, social networks are not quite distributed -- YouTube is a centralized place to take down videos; Facebook and MySpace can both surveil as well as exclude the content on them.
Norms and methods for expressing privacy preferences may help, but ultimately privacy 1.0 harms will remain and may indeed grow with the Internet. Traditional concepts of regulation will still be relevant - they just need to be re-thought, engineered in. Perhaps even re-generated.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC 2007). Price: $50.
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 23rd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
Identity, Privacy and Security Research Symposium, May 2, 2008, Toronto. For more information: http://www.ipsi.utoronto.ca
CFP 2008: Technology Policy 08. New Haven, Connecticut. May 19-23, 2008. For more information: http://www.cfp2008.org
Future of the Internet Economy - OECD Ministerial Meeting. June 17-18, 2008. Seoul, Korea. For more information: http://www.epic.org/redirect/OECD180608.html
Second Annual National Institute on Cyberlaw: Expanding the Horizons. June 18-20, 2008. Washington DC. For more information: http://www.abanet.org/cle/programs/n08ceh1.html
Conference on Ethics, Technology and Identity. The Hague. June 18-20, 2008. For more information http://www.ethicsandtechnology.eu/ETI
Privacy Laws & Business 21st Annual International Conference. Value Privacy, Secure Your Reputation, Reduce Risk. July 7-9, 2008, St. John’s College, Cambridge. For more information: http://www.privacylaws.com/
The Privacy Symposium - Summer 2008: An Executive Education Program on Privacy and Data Security Policy and Practice, August 18-21, 2008, Harvard University, Cambridge, MA. For more information: http://www.privacysummersymposium.com/
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.
If you would like more information on Privacy '08, go online and search for "Privacy 08". You'll find a Privacy08 Cause at Facebook, Privacy08 at Twitter, a Privacy08 Channel on YouTube to come soon, and much more. You can also order caps and t-shirts at CafePress Privacy08.
Start a discussion. Hold a meeting. Be creative. Spread the word. You can donate online at epic.org. Support the campaign.