Home | Databases | WorldLII | Search | Feedback EPIC Alert

EPIC Alert 16.08 [2009] EPICAlert 8

E P I C A l e r t

http://www.epic.org/alert/EPIC_Alert_16.08.html

"Defend Privacy. Support EPIC." http://epic.org/donate

EPIC 15th Anniversary Dinner and the EPIC Champion of Freedom Awards Cosmos Club, Washington, DC June 9, 2009

EPIC@15 Invitation: http://www.epic.org/epic15/invite.pdf Your Reply: http://epic.org/epic15/reply.pdf Register (or donate to EPIC@15): http://epic.org/donate

On April 20, 2009, EPIC filed a "friend of the court" brief in the Massachusetts Supreme Judicial Court, urging the Justices to require a warrant before police covertly track drivers using concealed surveillance technology. In Commonwealth v. Connolly, the Court will determine whether Massachusetts police must obtain a search warrant before surreptitiously installing location tracking devices on individuals' cars. The GPS-based systems record a vehicle's location and speed around the clock, and transmit the data to law enforcement agents. EPIC said the proliferation of police tracking devices "creates a large, and largely unregulated, repository containing detailed travel profiles of American citizens." The EPIC brief warned that "law enforcement access to such information raises the specter of mass, pervasive surveillance without any predicate act that would justify this activity."

EPIC said that GPS systems are becoming increasingly widespread, and identified particular growth among vehicle-installed GPS systems. The federal government is currently tracking drivers in six states using GPS tracking systems designed to assess a mileage tax as an adjunct or replacement for federal gasoline tax revenue. Several states, including Massachusetts, have proposed similar plans. Some private firms, including UPS, mandate GPS tracking on their vehicles. Others, such as OnStar, offer GPS tracking services to the public. The EPIC brief explains that, as GPS trackers become more commonplace, it is easier for law enforcement to engage in large-scale, simultaneous surveillance of multiple individuals. Such ease raises the troubling prospect of mass, pervasive surveillance. EPIC's brief urges the court to require a warrant, based on independent judicial review of the evidence, prior to law enforcement use of GPS tracking.

The brief details the privacy risks raised by warrantless GPS tracking. GPS technology enables law enforcement to track and store details of individuals' movements. Such details can produce "a detailed record of travel to doctors' offices, banks, gambling casinos, tanning salons, places of worship, political party meetings, bars, grocery stores, exercise gyms, places where children are dropped off for school, play, or day care, the upper scale restaurant and the fast food restaurant, the strip club, the opera, the baseball game, the ‘wrong' side of town, the family planning clinic, and the labor rally." Such surveillance capabilities can be useful in solving crimes. But they represent a significant limitation on citizens' freedom from scrutiny, and therefore require oversight and independent review.

In Commonwealth v. Connolly, the defendant, Everett Connolly, sought to suppress evidence generated through GPS surveillance. The trial court admitted the evidence, and Connolly was convicted on drug charges. Connolly appealed the suppression ruling, arguing that warrantless use of GPS tracking technology by law enforcement agents violates the Fourth Amendment's protection against unreasonable searches and seizures.

The U.S. Supreme Court has not ruled on the propriety of warrantless GPS tracking by police. In a 1983 case, U.S. v. Knotts, the Court authorized warrantless law enforcement use of a "beeper." Beepers allow pursuing officers to approximate the location of a fleeing suspect, but gather far less information that GPS trackers. However, the Court cautioned in Knotts that future technologies might require a warrant if they became so sophisticated as to enable "twenty-four hour surveillance of any citizen of this country ... without judicial knowledge or supervision." In a 2007 case, U.S. v. Garcia, the Seventh Circuit Court of Appeals warned that "new technologies
[including GPS tracking] enable, as the old (because of expense) do not, wholesale surveillance." In that case, Judge Posner wrote that mass, pervasive GPS tracking by law enforcement raises substantial Fourth Amendment concerns.

"Friend-of-the-court," Brief by EPIC in Commonwealth v. Connolly (Apr. 20, 2009): http://epic.org/privacy/connolly/042009amicus.pdf

Massachusetts Supreme Judicial Court Docket page for Commonwealth v. Connolly: http://www.ma-appellatecourts.org/display_docket.php?dno=SJC-10355

EPIC's Commonwealth v. Connolly page: http://epic.org/privacy/connolly/

On April 23, 2009, EPIC President Marc Rotenberg testified before the House Subcommittee on Communications, Technology and the Internet on the "Recent Developments in Communications Networks and Consumer Privacy." Mr. Rotenberg focused on the privacy risks of deep packet inspection and other similar methods of analyzing consumer internet traffic for Internet advertising.

While acknowledging that advertising plays an important role in enabling services and information on the Internet, Mr. Rotenberg said, "we believe it is becoming clear that unregulated collection of consumer data is posing an increasing danger to online privacy and maybe even to the economic model itself. A small number of companies and large advertising networks are obtaining an extraordinarily detailed profile of the interests, activities and personal characteristics of Internet users."

According to EPIC, the threats of identity theft and security breaches are also increasing. Several reports have been published over the last few months detailing several cases of security breaches across the country, and identity theft has been identified as the number one crime committed in the United States. If the data collection continues unregulated, Mr. Rotenberg warned, there was every reason to anticipate that these problems would get worse.

EPIC President Marc Rotenberg also cautioned against the economic harm to online publishing if internet advertising continued on its current course. "Significantly also for the economics of the online advertising industry, the profiles that are being developed are increasingly untethered from the editorial content of web sites or the business-customer relations that online consumers have with particular companies. . . . . This has profound implications for the future of online advertising and the relationship between users, web publishers, and advertising networks," he said.

In the United Kingdom European Commissioner Viviane Reding began legal proceedings against the UK government for violating EU law by allowing Phorm, which pursued a business model employing deep packet inspection, to go forward with its controversial Internet monitoring plan. Commissioner Reding had alleged violations of both the 1995 EU Directive concerning data protection as well as the 2002 EU Directive concerning electronic communications.

Mr. Rotenberg also brought to the attention of the subcommittee that service providers and their businesses partners also had an obligation not to intercept the content of a communication except for the purposes of providing the service, complying with a court order or other similar legal obligation. The companies have not demonstrated the viability of the non-PII model as it was easy to reconstruct actual identity from network traffic. Therefore, it was necessary to enact legislation to place the burden on the advertising company to prevent the reconstruction of user identity. Further, long term consequences of encouraging network-based advertising was likely to degrade network security and privacy.

Mr. Rotenberg concluded, "Congress needs to keep a long-term view of the growth of the Internet. If the claim of Internet advertisers that they must have the unrestricted ability to monetize user traffic goes unchallenged, users will face new privacy risks, web publishers will find that their content is less valuable, and the technical standards that are necessary for the integrity of the Internet will be further delayed. Once down this road, it will be difficult to turn back."

Other witnesses at the hearing were from Free Press, the Center for Democracy and Technology, the National Cable and Telecommunications Association, AT&T, Loopt, and BroadbandPolitics.

House Energy and Commerce Committee http://www.energycommerce.house.gov/

Testimony of EPIC. Marc Rotenberg, April 23, 2009: http://epic.org/privacy/dpi/rotenberg_HouseCom_4-09.pdf

"Communications Networks and Consumer Privacy: Recent Developments" http://tiny.cc/WGojj

EPIC's Page on Deep Packet Inspection: http://epic.org/privacy/dpi

EPIC's Page in Identity Theft: http://epic.org/privacy/idtheft

Facebook announced the audited results of its vote on site governance. Approximately 75 percent of the users who cast their votes supported the Statement of Rights and Responsibilities and the new Facebook Principles. Under the new Principles, Facebook users will "own and control their information."

In February, Facebook changed is terms of Terms of Service and asserted broad, permanent, and retroactive rights to users' personal information - even after they deleted their accounts. The new terms attracted severe criticism with close to 150,000 people joining a group protesting its adoption. EPIC drafted a complaint which was supported by more than a dozen consumer and privacy organizations stating unfair and deceptive trade practices. However, hours before EPIC filed the complaint with the Federal Trade Commission regarding the changes to Facebook's Terms of Service, the social network service announced that it will restore the original policy.

Subsequently, the social networking giant proposed a set of guidelines and a statement of rights and responsibilities governing its relationship with users and called for user comment on the principles, which included "Ownership and Control of Information" and "Transparent Process." Facebook further committed to "open[ing] up Facebook so that users [could] participate meaningfully in [] policies and [the] future." Comments were made over a 30-day period by individuals and experts from various fields highlighting several concerns and proposed changes.

Thereafter, in April, the governing documents were updated to reflect feedback from users and experts. Users were asked to participate in a vote to adopt these proposed rules or maintain the previous terms. Facebook established a fan page for the purpose of keeping users informed about site governance. EPIC supported the adoption of the news term of service. With the new terms being adopted, Facebook granted its users ownership and control of their information, and also agreed that it would publicly make available information about its purpose, plans, policies, and operations in the future. Facebook also took steps to improve account deletion, to limit sublicenses, and to reduce data exchanges with application developers. Facebook would have a town hall process of notice and comment and a system of voting to encourage input and discourse on amendments to these Principles or to the Rights and Responsibilities.

Facebook Site Governance: http://www.facebook.com/fbsitegovernance

Results of the Inaugural Facebook Site Governance Vote: http://blog.facebook.com/blog.php?post=79146552130

Facebook Town Hall: Proposed Facebook Principles: http://www.facebook.com/group.php?gid=54964476066

Facebook Town Hall: Proposed Statement of Rights & Responsibilities: http://www.facebook.com/group.php?gid=67758697570

Facebook Terms of Service: http://www.facebook.com/terms.php

People Against the New Terms of Service: http://www.facebook.com/group.php?gid=77069107432

EPIC's Page on Social Networking Privacy: http://epic.org/privacy/socialnet/default.html

The Supreme Court heard a case involving a strip-search of a thirteen- year-old girl by school officials looking for possession of an ibuprofen tablet in violation of school policy. The search was conducted based on allegation by another student, who had been caught with the drug. The case involves whether the school violated Redding's Fourth Amendment right to be free from unreasonable searches and, if so, whether qualified immunity protects the school authorities from liability.

Previously, a federal appellate court held that the search of the student was unreasonable and that a school official could be liable for violating the girl's Fourth Amendment rights. The petitioners appealed to the Supreme Court and argued that the search was reasonable based upon the allegations and the dangers of prescription drug abuse. Additionally, the petitioners argued that the school officials must have qualified immunity in exercising their discretion so that they are free to exercise their judgment regarding drug abuse in schools and, further, without such authority, the school authorities would not have the ability to respond in the face of threats to student safety in school.

Respondent April Redding argued that a strip search was unreasonable since the school did not have any cause to believe that the student had pills hidden in her undergarments, and that the school officials should be held responsible. She contended that holding such a search reasonable would enable school officials to conduct highly invasive searches based on only minimal, vague suspicion.

The Supreme Court has previously addressed schools' authority to conduct drug searches and tests to prevent proliferation of drug abuse. In one case, the Supreme Court held that the Fourth Amendment's prohibition on unreasonable searches and seizures applied to searches conducted by public school officials by virtue of the special nature of their authority over schoolchildren. However, the Court clarified that school officials did not have to obtain a warrant before searching a student who is under their authority if the officials have reasonable grounds for suspecting that the search will turn up evidence that the student has violated the law or the rules of the school. The court had held that searches of students' belongings are permissible if the measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of the student's age and sex and the nature of the infraction. However, the strip-searches of students have not been addressed by the Court.

Supreme Court Docket: http://origin.www.supremecourtus.gov/docket/08-479.htm

Brief for the petitioners: http://epic.org/redirect/042809_SCOTUS_Redding_Pet.html

Brief for the respondents: http://epic.org/redirect/042809_SCOTUS_Redding_Resp.html

Oral Arguments (transcript): http://epic.org/redirect/042809_Redding_OralArguments.html

Ninth Circuit Decision: http://epic.org/redirect/042809_Redding_CA9enbanc.html

Board of Education of Independent School District #92 Pottawatomie City v. Earls http://supct.law.cornell.edu/supct/html/01-332.ZS.html

New Jersey v. T.L.O: http://epic.org/redirect/042809_NJvTLO.html

EPIC's Page on Student Privacy: http://epic.org/privacy/student/

The Federal Trade Commission has issued a notice of proposed rulemaking and request for public comments regarding rules requiring vendors of personal health records and related entities to notify individuals when the security of their individually identifiable health information is breached. The deadline for public comments is June 1, 2009.

The Recovery Act mandated the Department of Health and Human Services to study, in consultation with the FTC, potential privacy, security, and breach notification requirements to be submitted to the Congress within a year. As an interim measure, the FTC is to enforce temporary requirements which includes vendors of personal health records, PHR related entities, third party service providers and online applications that interact with such personal health records to notify customers in the event of a breach. The proposed rule clarifies that it does not apply to HIPAA-covered entities or to any entity's activities as a business associate of a HIPAA-covered entity.

The Commission is seeking comments on the scope of the proposed rule with respect to (1) the nature of entities to which the proposed rule will apply; (2) the products and services offered; (3) the extent to which the affected entities may be covered under HIPAA rules; (4) whether some vendors of personal health records may have a dual role as a business associate under HIPAA; and (5) circumstances when such dual roles may lead to multiple breach notices.

The proposed rule adds Part 318 to 16 CFR and defines various terms anew or borrows from other statutes including the Recovery Act. The definitions include "breach of security;" "business associate;" "HIPAA- -covered entity;" "personal health record;" "PHR identifiable health information;" "PHR related entity;" "Third party service provider;" "unsecured;" and "vendor of personal health records."

The notification requirements call for individual notification as well as notification to the FTC to be made "without unreasonable delay" and within 60 calendar days and 5 business days, respectively, after the discovery of the breach. A section of the proposed rule addresses methods of notice to individuals, the Commission, and the media.

Another section of the rule requires the content of the notice to include a description of how the breach occurred; a description of the types of information involved in the breach; steps to be taken by the individual to protect from potential harm; and a description of action being taken by the entity involved in the breach. The rule borrows other sections heavily from the Recovery Act.

FTC Proposed Rule: http://www.ftc.gov/os/2009/04/R911002healthbreach.pdf

Federal Register: http://edocket.access.gpo.gov/2009/pdf/E9-8882.pdf

FTC Public Comment Submission (Deadline June 1, 2009): http://www.ftc.gov/os/publiccomments.shtm

The American Recovery and Reinvestment Act of 2009: http://epic.org/redirect/022309_Stimulus_Act.html

Subtitle D - Privacy: http://epic.org/privacy/pdf/StimulusPassedBill-SubD.pdf

EPIC's Page on Medical Privacy: http://epic.org/privacy/medical

EPIC's Page on Identity Theft: http://epic.org/privacy/idtheft

Body Scanner Legislation Introduced in Congress

Congressman Jason Chaffetz (R-UT) introduced legislation before Congress seeking a ban on Whole-Body Imaging devices from being used by the Transportation Security Administration in various airports across America. The legislation seeks to bar the highly expensive scanners from being used as the sole or primary method of screening a passenger unless another method of screening, such as metal detection, demonstrated cause for preventing such passenger from boarding an aircraft. The proposed statute also gives passengers who are to be scanned, the right to information on the operation of such technology, the image generated by the machine, privacy policies relating to such technology, and the right to request a pat-down search prior to the use of WBI scanners. The bill also prohibits the use of images generated by the scanners from being stored, transferred, shared or copied in any form after the boarding determination is made. Describing the existing method as unnecessary to securing an airplane, Congressman Chaffetz stated that the new law was to "balance the dual virtues of safety and privacy."

Congressman Chaffetz Seeks to Ban Whole-Body Imaging at Airports: http://epic.org/redirect/042809_Chaffetz_WBI.html

Congressman Jason Chaffetz: http://www.chaffetz.house.gov/about/index.shtml

Aircraft Passenger Whole-Body Imaging Limitations Act, H.R. 2027: http://epic.org/redirect/042809_Chaffetz_WBI_LimiAct.html

TSA - Whole Body Imaging: http://www.tsa.gov/approach/tech/body_imaging.shtm

Transportation Security Administration: http://www.tsa.gov

EPIC's Page on Whole-Body Imaging: http://epic.org/privacy/airtravel/backscatter/

FTC Report Released on Mobile Commerce Marketplace

The Federal Trade Commission staff issued a report based upon a public town hall meeting held last year to explore consumer protection issues arising in the mobile commerce marketplace. The report, "Beyond Voice: Mapping the Mobile Marketplace," highlights the problems associated with mobile services cost disclosures leading to consumer complaints. Another problem is the impact on consumers of unwanted mobile text messages. The federal agency and its law enforcement partners would monitor the situation and take law enforcement action as needed. Wireless carriers currently block vast amounts of mobile text spam every month. The report also acknowledged the increasing use of smartphones to access the mobile Web in presenting unique privacy challenges, especially regarding children. The federal agency agreed to expedite the regulatory review of the Children's Online Privacy Protection Rule to determine whether the rule should be modified to address changes in the mobile marketplace.

Beyond Voice: Mapping the Mobile Marketplace: http://www.ftc.gov/opa/2009/04/mobilerpt.shtm

EPIC's Page on The Children's Online Privacy Protection Act: http://epic.org/privacy/kids/

White House Names First Chief Technology Officer

President Barack Obama appointed Virginia's Secretary of Technology, Aneesh Paul Chopra, as the Chief Technology Officer. Chopra's duty will include promotion of technological innovation to help the country meet its goals from job creation, to reducing health care costs, to protecting the homeland. Together with Chief Information Officer, Vivek Kundra, the objective is to help give all Americans a government that is effective, efficient, and transparent. Chopra, led Virginia's strategy to effectively leverage technology in government reform, promote innovation agenda, and to foster technology-related economic development. Previously, he had worked as Managing Director with the Advisory Board Company, leading the firm's Financial Leadership Council and the Working Council for Health Plan Executives.

The White House, Office of the Press Secretary, April 18, 2009: http://epic.org/redirect/042809_ChopraIsCTO.html

Health Department Issues Guidance on Medical Records Security

The Department of Health and Human Services has released a guidance on protecting health information by rendering them unusable, unreadable, or indecipherable to individuals not having authorization. The guidance on protecting information is based upon the use of encryption as described in NIST Special Publications 800-111, Guide to Storage Encryption Technologies for End User Devices; and the guidance to rendering them unreadable is based on the use of techniques described in NIST Special Publications 800-88, Guidelines for Media Sanitization. The HHS is seeking public comments about the rulemaking till May 21, 2009.

Federal Register: http://edocket.access.gpo.gov/2009/pdf/E9-9512.pdf

NIST Special Publications 800-111, Guide to Storage Encryption Technologies for End User Devices: http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf

NIST Special Publications 800-88, Guidelines for Media Sanitization: http://epic.org/redirect/042809_NIST_SP800-88.html

Senate to Investigate NSA "Overcollection"

Senator Dianne Feinstein has announced that the Senate Intelligence Committee will hold a hearing on the National Security Agency's interception of phone calls and private e-mail messages of Americans. Recently, the New York Times reported that the NSA's activities went beyond the legal limits established by the Congress last year. EPIC has a related lawsuit asking a federal court to force the release of memos on the legal authority for domestic surveillance of American citizens.

Senator Dianne Feinstein: http://feinstein.senate.gov/public/

Statement of Senator Feinstein on NSA Wiretapping Report, April 16, 2009: http://epic.org/redirect/042809_FeinsteinOnNSAWiretap.html

Senate Intelligence Committee: http://intelligence.senate.gov/

National Security Agency: http://www.nsa.gov/

Officials Say U.S. Wiretaps Exceeded Law, New York Times, April 16, 2009: http://www.nytimes.com/2009/04/16/us/16nsa.html

FISA Amendments Act of 2008: http://epic.org/redirect/042809_FISA2008Amend.html

US Senate Voting on FISA Amendments: http://epic.org/redirect/042809_SenateFISAVote.html

EPIC's Page on Freedom of Information Act Work on the National Security Agency's Warrantless Surveillance Program: http://epic.org/privacy/nsa/foia/default.html

FCC Seeks Comments on Broadband Privacy Safeguards

The Federal Communications Commission announced that it would develop a plan to expand broadband access which would attempt to "ensure that every American has access to broadband capability," and would be submitted to Congress in February 2010. The Commission is seeking comments from the public concerning on how to best safeguard consumers' privacy in the face of technologies such as deep packet inspection and behavioral advertising. Chairman Michael J. Copps identified priorities for the broadband expansion, including "avoiding invasions of people's privacy." EPIC previously advocated for the FCC to require strong privacy safeguards for telephone customers' personal information, and protect wireless subscribers from telemarketing.

FCC Launches Development of National Broadband Plan: http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-289900A1.pdf

EPIC's Page on NCTA v. FCC: http://epic.org/privacy/nctafcc/

EPIC's Comments to FCC against Cellphone Marketing: http://epic.org/privacy/telemarketing/fcc_aca_05-11-06.html

EPIC's Page on Deep Packet Inspection: http://epic.org/privacy/dpi

E-Verify Postponed by Federal Government

The Federal Government is suspending the implementation of an Executive Order that mandates federal contractors to use E-Verify. The order requires the use of E-Verify for all federal contractors if services exceeding $3,000 is provided. The governments is seeking to review the entire rule prior to its application to federal contractors and subcontractors. EPIC has noted that E-Verify could deny many eligible individuals - including U.S. citizens and legal immigrants - the opportunity to work, and is ineffective as a solution to U.S. immigration problems. Last year, EPIC had filed a Freedom of Information request with the DHS seeking documents concerning promotion of E-Verify.

Postponement Notice: http://edocket.access.gpo.gov/2009/pdf/E9-8849.pdf

DHS E-Verify program: http://www.dhs.gov/e-verify

EPIC, "Spotlight on Surveillance: E-Verify System - DHS Changes Name, But Problems Remain for U.S. Workers.": http://epic.org/privacy/surveillance/spotlight/0707/default.html

"Employment Verification - Challenges Exist in Implementing a Mandatory Electronic Employment Verification System," United States Government Accountability Office," June 10, 2008: http://www.gao.gov/new.items/d08895t.pdf

"Safeguards in a World of Ambient Intelligence" by David Wright, Serge Gutwirth, Michael Friedewald, Elena Vildjiounaite, and Yves Punie. (Editors and Authors)

http://www.amazon.com/gp/product/1402066619?tag=e03a6-20

The most entertaining part of the book "Safeguards in a World of Ambient Intelligence" is hidden in one of its forewords. "How do I like this book?" Gary T. Marx asks, "Let me count the ways. If this were a musical comedy, the first song would be 'SWAMI, How I love ya, How I love ya'..." While this rare display of playful humor may leave readers puzzled in the beginning, towards the end they may join Marx on stage to sing along, as if this were a musical comedy. But SWAMI is not a musical comedy. Instead, the book is a refreshing contribution to the literature on ambient intelligence (AmI), which is, according to the editors, a "...phrase coined to describe a world in which 'intelligence' is embedded in virtually everything around us."

The editors frame the book as a warning. Not in an attempt to scare, but rather to inform and advise everyone in society about the potential harms caused by AmI. Many discussions surrounding AmI emphasize the benefits such as greater user friendliness, efficiency, user empowerment and support for human interactions. SWAMI provides a glimpse into the other side of the story. The book's warning is successfully accomplished in part through its powerful usage of dark scenarios. In a classic display of show rather than tell, the editors incorporate four dark scenarios to demonstrate how the manifestation of AmI in contemporary society can have undesired consequences. As the editors note, "We call them dark scenarios, because they show things that could go wrong in an AmI world, because they present visions of the future that we do not want to become reality. The scenarios expose threats and vulnerabilities as a way to inform policy-makers and planners about issues they need to take into account in developing new policies or updating existing legislation."

The dark scenario of the AmI family may bring across the most powerful message to its readers because it eloquently depicts how AmI can influence every day life in a negative way leading to feelings of loss of control. In the AmI family example this occurs largely as a result of identity theft and inadequate profiling, but other issues remain such as data laundering and illegal interception.

The editors use the scenarios as an effective transition into a more general description of vulnerabilities and threats. "Many of the threats to our privacy today..." the editors acknowledge "...will still be encountered in our AmI future. The same will be true if the threats to our identity and security as well as to our general willingness to trust other people, technologies and services." If anything the threats, including function creep, identity theft, surveillance and profiling, can be magnified through the incorporation of AmI, which could lead to graver consequences.

The book, however, goes beyond the mere exposure of the principal threats and vulnerabilities present in society and identifies several safeguards and recommendations. The editors classify a wide variety of technological, socio-economic, and legal and regulatory safeguards. They use these safeguards to formulate subsequent recommendations, primarily geared toward the European Commission. The editors demonstrate a charming sense of realism when they write, "Perhaps we have identified too many safeguards or made too many recommendations, at least, in the sense that so many may seem daunting." And intelligently resolve this problem through identifying the top six recommendations for the European Commission. The editors call for, among other things, a formalized risk assessment/risk management process and an awareness campaign to educate society in general, and the public specifically about the arrival of AmI and its associated benefits along with its risks.

Overall, returning to Marx's comparison with the musical comedy, SWAMI is difficult not to love. The tone of the book is realistic without being overly pessimistic. The editors manage to prevent the alienation of readers who may disagree with their 'warning'’ "Some people..." the editors write "...undoubtedly, and perhaps even justifiably, might argue that the development of ambient intelligence per se does not require a formalized risk assessment/risk management process. But ambient intelligence, as wonderful as it may seem, despite its many benefits, will not be risk free; it poses serious risks, not only to our privacy (and, as a consequence, to our democratic values), but also to our security (social safety)." And there are few, if any, who can negate this claim after reading SWAMI.

-- Nicole van der Meulen

"Litigation Under the Federal Open Government Laws 2008," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC 2008). Price: $60.

http://epic.org/bookstore/foia2008/

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under Freedom of Information Act, Privacy Act, Federal Advisory Committee Act, Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/bookshelf/epicorg.html

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at: https:/mailman.epic.org/mailman/listinfo/foia_notes

"THE FUTURE OF PRIVACY: What's Next?" - a one day seminar. April 28, 2009, Cartier Suites Hotel, 180 Cooper Street, Ottawa, Canada. For more information,
http://www.rileyis.com/seminars/

2009 FTC Workshop: Best Practices for Business: Protecting Personal Information and Fighting Fraud with the Red Flags Rule: Pope Auditorium, Lincoln Center Campus, Fordham School of Law's Center for Law and Information Policy, 113 West 60th Street, New York, NY 10023. For more information,
http://www.ftc.gov/bcp/workshops/infosecurity/index.shtml

"2nd Annual Research Symposium for the Identity, Privacy and Security Initiative," , May 6, 2009, University of Toronto. For more information, http://www.ipsi.utoronto.ca/site4.aspx

IEEE Symposium on Security and Privacy, May 17-20, 2009, The Claremont Resort, Oakland, California. For more information,
http://oakland09.cs.virginia.edu/

Web 2.0 Security & Privacy 2009, Thursday, May 21, The Claremont Resort, Oakland, California. For more information,
http://w2spconf.com/2009/

Computers, Freedom, and Privacy, 19th Annual Conference, Washington, D.C., June 1-4, 2009. For more information,
http://www.cfp2009.org/wiki/index.php/Main_Page

"The Transformation of Privacy Policy," Institutions, Markets Technology Institute for Advanced Studies (IMT)Lucca, Italy, July 2-4, 2009.

Join the Electronic Privacy Information Center on Facebook
http://epic.org/facebook

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

Subscribe/unsubscribe via web interface:
http://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.