=======================================================================
E P I C A l e r t
=======================================================================
Volume 11.12 June 24, 2004
-----------------------------------------------------------------------
Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_11.12.html

======================================================================
Table of Contents
======================================================================
[1] Supreme Court Upholds Arrest for Refusal to Give Identification
[2] EPIC Recommends Protections for Social Security Numbers
[3] Info on PATRIOT Act Surveillance Authority Released
[4] EPIC Proposes RFID Privacy Guidelines to the FTC
[5] EPIC Opposes Ratification of Cybercrime Convention
[6] Top TSA Official Admits Vast Collection of Air Passenger Data
[7] News in Brief
[8] Upcoming Conferences and Events

======================================================================
[1] Supreme Court Upholds Arrest for Refusal to Give Identification
======================================================================

A sharply divided Supreme Court ruled on Monday that, under certain circumstances, a person may be required to give his name to a police officer. The decision upheld a Nevada law allowing police to arrest an individual when there are "suspicious circumstances surrounding his presence" and he refuses to identify himself.

Larry Dudley Hiibel challenged the constitutionality of the law when he was convicted for refusing to give his name to a police officer. He asserted that the law violates the right against unreasonable search and seizure based in the Fourth Amendment, and the right against self-incrimination guaranteed by the Fifth Amendment. The Supreme Court opinion, authored by Justice Kennedy, held only a bare majority (5-4).
The Court narrowed its holding to the particular facts of the case: "As we understand it, the statute does not require a suspect to give the officer a driver's license or other document. Provided that the suspect either states his name or communicates it by other means . . . the statute is satisfied and no violation occurs."

When an officer stops an individual based on "reasonable suspicion," he has the right to "pat down" the person to search for weapons in the interest of the officer's safety. However, the question of whether the scope of such searches extended to allowing an officer to compel identification had been unresolved. The Court in Hiibel held that the Nevada law was related to the "purpose, rationale and practical demands" of the stop, leaving open the question of whether querying vast criminal databases -- some of which may contain incorrect information -- violates the Fourth Amendment.

Such databases are increasingly interconnected and available to street-level police. The most critical systems are severely flawed: the National Crime Information Center (NCIC) database was exempted from accuracy requirements by the Justice Department and the Multi-State Anti-Terrorism Information Exchange (MATRIX) may be in violation of state privacy laws. Reliance on such systems may be an unreasonable search since it must be "reasonably related in scope to the circumstances which justified the initial stop," a question left unanswered by the court.

Justices Breyer, Souter and Ginsburg strongly dissented based on the Fourth Amendment prohibition against unreasonable searches and seizures, following a long line of cases that held that an individual is "not obliged to respond" when questioned by police, even when asked to identify himself.
The Court also found that Hiibel's Fifth Amendment rights against compelled self-incrimination were not violated because "As best we can tell, petitioner refused to identify himself only because he thought his name was none of the officer's business." However, the Court invited a case in which the individual's name itself may be incriminating and "would furnish a link in the chain of evidence needed to prosecute him." Such a situation arises when extensive criminal databases, some of which may contain incorrect information, are searched in the normal course of a stop based on reasonable suspicion. Said the Court, "In that case, the court can then consider whether the privilege applies, and, if the Fifth Amendment has been violated, what remedy must follow."

Justice Stevens' dissenting opinion recognized the danger of vast police databases, finding that -- in this context -- laws requiring an individual to identify himself violate the Fifth Amendment. "A name can provide the key to a broad array of information about the person, particularly in the hands of a police officer with access to a range of law enforcement databases," asserted Justice Stevens.

EPIC was one of several groups to submit briefs in support of Hiibel. EPIC's brief focused on the wealth of information in national law enforcement databases that becomes available to police officers once they input a person's name. Other briefs in support of Hiibel focused on the difficulty of proving one's identity, especially as it affects the homeless, and the harms of punishing silence.

The Supreme Court opinion is available at:
http://supct.law.cornell.edu/supct/html/03-5554.ZO.html

EPIC's amicus brief filed in Hiibel v. Sixth Judicial Court of Nevada:
http://www.epic.org/privacy/hiibel/epic_amicus.pdf

For more information about the case, see EPIC's Hiibel v.
Sixth Judicial Court of Nevada Page:
http://www.epic.org/privacy/hiibel

======================================================================
[2] EPIC Recommends Protections for Social Security Numbers
======================================================================

In testimony before the House Ways and Means Subcommittee on Social Security, EPIC associate director Chris Hoofnagle argued that Congress should regulate the collection, use, and disclosure of individuals' Social Security Numbers (SSNs). The hearing concerned H.R. 2971, the Social Security Number Privacy and Identity Theft Prevention Act of 2003, which was introduced by Subcommittee Chairman Clay Shaw (R-FL) and has bipartisan support.

H.R. 2971 would place limits on both private sector and government disclosure of the SSN. It would empower the Attorney General to allow disclosure of the SSN where there is a compelling interest served through use of the identifier that cannot be satisfied with an alternative number. Other provisions of the bill would prohibit the printing of SSNs on government checks, employee ID badges, and driver's licenses. The legislation prohibits "coercive disclosure," a practice in which a business conditions the provision of a product or service upon disclosure of the SSN. The bill also moves the SSN "below the line," meaning that sale of SSNs from "credit headers," identification information from a credit report, would be subject to a full set of Fair Credit Reporting Act protections.

EPIC made a number of recommendations for improvement of the legislation. EPIC recommended that exceptions allowing use of the SSN be limited in duration, as time limits encourage users of the SSN to transition to alternative identifiers. Users of the SSN should also be required to maintain technical safeguards and be subject to legal liability for misuse of the identifier.

EPIC recommended that Congress look to the leadership of state legislatures in crafting SSN legislation.
Broad protections for the SSN have been provided recently in Colorado, Arizona, and California. Many states have created protections for the SSN in specific sectors, including limiting use of the identifier at educational institutions and limiting its disclosure in public, vital, and death records.

EPIC's testimony closed with a recommendation that Congress examine how dependence on the SSN exacerbates identity theft. Businesses use the SSN as both a record identifier and as a password, making it a poor tool for both purposes. Also, in a number of high-profile cases, banks have issued credit to applicants based solely on a SSN match, meaning that a criminal, armed only with a SSN, can commit identity theft. In one case detailed in the testimony, credit was granted to an impostor who had a correct SSN but listed an incorrect date of birth and address on an application. If credit grantors relied less on the SSN and were required to more carefully examine applications for new accounts, identity theft would be harder to commit.

EPIC's testimony:
http://www.epic.org/privacy/ssn/ssntestimony6.15.04.html

H.R. 2971, the Social Security Number Privacy and Identity Theft Prevention Act of 2003:
http://thomas.loc.gov/cgi-bin/bdquery/z?d108:h.r.2971:

For more information about privacy issues raised by Social Security Numbers, see EPIC's SSN Page:
http://www.epic.org/privacy/ssn

======================================================================
[3] Info on PATRIOT Act Surveillance Authority Released
======================================================================

EPIC received two sets of documents last week revealing that the scope of the FBI's powers under a controversial provision of the USA PATRIOT Act is broader than what government officials have publicly acknowledged.
The documents concern Section 215 of the USA PATRIOT Act, which grants the FBI the authority to request an order "requiring the production of any tangible things (including books, records, papers, documents, and other items)" relevant to an investigation of international terrorism or clandestine intelligence activities. United States citizens may be investigated in part on the basis of their First Amendment activities, and the FBI need not show a reason to believe that the target of a surveillance order is engaged in criminal activity.

A memo obtained by EPIC and allied civil liberties groups, dated October 15, 2003, shows that the FBI submitted an application for a Section 215 order just weeks after Attorney General John Ashcroft publicly stated that the controversial provision of the USA PATRIOT Act had never been invoked. The October 15 application does not reveal the purpose of the investigation, or the type of information sought.

Among other FBI documents released last week is an internal FBI memo from October 2003 acknowledging that Section 215 may be used to obtain information about innocent people. In discussing the FBI's ability to obtain "business records" under the provision, an unknown FBI employee writes: "The business records request is not limited to the records of the target of a full investigation. The request must simply be sought for a full investigation. Thus, if the business records relating to one person are relevant to the full investigation of another person, those records can be obtained by a [Foreign Intelligence Surveillance Court] order despite the fact that there is no open investigation of the person to whom the subject of the business records pertain." Also released was an FBI memo indicating that any "tangible things," including apartment keys, may be obtained under Section 215.
A judge for the United States District Court for the District of Columbia ordered release of the Section 215 documents last month, overturning the FBI's decision to withhold the documents until 2005. Under the District Court judge's order, more documents are to be released in July. The documents respond to an October 2003 Freedom of Information Act request filed by EPIC, the American Civil Liberties Union, the American Booksellers Foundation for Free Expression and the Freedom to Read Foundation.

Another set of documents released to EPIC this month shows that the FBI acknowledges that it may obtain library patrons' reading and web browsing documents without having probable cause. This determination is revealed in an e-mail sent by an unknown FBI official in December 2003, in which the official points out that the FBI web site incorrectly stated that Section 215 requires that the FBI have probable cause to request library records. This inaccurate statement was posted on the FBI website in response to the question "Can the FBI look at your library records any time they want?"

Another e-mail concerns the criminal prohibition against librarians informing their patrons about any Section 215 orders. The e-mail states: "One of the primary complaints from the librarians is that 215 orders must be complied with secretly, as if there is something sinister about the fact that they would not be permitted to share with others a request for information." The e-mail writer goes on to suggest that an FBI official, in his upcoming testimony on Section 215, address a certain case "as an example of why secrecy is important." That case, however, involved using pre-USA PATRIOT Act authority to obtain a person's library web searches as part of an espionage investigation. There was no Section 215 authority at the time of that investigation.

These documents were obtained by EPIC under a January 2004 Freedom of Information Act request to the FBI.
For more information about Section 215 and other USA PATRIOT Act provisions, see EPIC's USA PATRIOT Act Page:
http://www.epic.org/privacy/terrorism/usapatriot

======================================================================
[4] EPIC Proposes RFID Privacy Guidelines to the FTC
======================================================================

In testimony to the Federal Trade Commission on radio frequency identification (RFID) technologies, EPIC Policy Counsel Cedric Laurant urged the agency to adopt strong privacy guidelines to protect consumers against potential abuses of the tracking technology.

RFID is an emerging information technology designed to facilitate the remote capture of information from physical objects. Associated data is stored on a small token (a "tag") affixed to, or embedded in, the object. Tags in use today are small enough to be invisibly embedded in products and product packaging. Data is read from these tags via radio waves transmitted by special RFID reading devices. RFID readers are often connected to computer networks, facilitating the transfer of data from the physical object to databases and software applications thousands of miles away and allowing objects to be continually located and tracked through space. Today, major uses of RFID include supply chain management, animal tracking, and electronic roadway toll collection.

RFID technology represents a fundamental change in the information technology infrastructure with dramatic privacy implications. Although the use of RFID in the retail sector is now primarily in the supply chain, products with embedded RFID are beginning to appear on store shelves. Product level tagging, if left unregulated, could facilitate unprecedented levels of consumer surveillance, tracking, and profiling.
EPIC's testimony to the Commission proposed guidelines that outline the duties of RFID users such as warehouses and retail stores, as well as the rights of individuals who come in contact with RFID-enabled products. At a minimum, RFID users must clearly label or identify products containing RFID, disable them before the completion of a sale, attach tags in a way that makes them easily removable, and designate an individual responsible for user compliance with RFID guidelines. Further, any RFID users that gather personal data about individuals must inform them of the purpose and scope of the data's use, obtain written consent before proceeding, enable individuals to access and correct their data, and post a comprehensive privacy policy establishing their duties towards customers. The guidelines also prohibit the use of RFID data to track or identify individuals beyond what is required to manage inventory.

EPIC also recently surveyed developers and manufacturers of RFID technology, as well as retailers who have begun to employ RFID in the supply chain and in the retail setting. EPIC asked about their use of RFID tags in the retail environment and requested details about how they were enabling customers to disable tags (a process known as "tag killing") or remove tags from retail merchandise.

Results from the survey to date indicate that there is no standard for tag killing in industry today. Tags may be physically destroyed in the process or simply erased for later recycling. Leading retailer Wal-Mart has told EPIC that there are no RFID tag readers anywhere on their sales floors. Further, both RFID manufacturers and end user retailers have indicated that when consumers do buy products with RFID they are clearly labeled and only embedded in packaging which can be easily removed. These practices should become industry standards. Complete results of the survey are available on the EPIC web site.
Over the past year there has been increased activity worldwide to draft guidelines, principles and legislation governing the use of RFID in order to protect privacy. Last November, a joint position statement on RFID use, signed by more than twenty consumer privacy and civil liberties organizations including EPIC, called for a voluntary moratorium on item-level RFID tagging until a formal technology assessment process involving all stakeholders, including consumers, can take place. Also in November, a resolution on RFID was adopted at the International Conference of Data Protection and Privacy Commissioners in Sydney. Country-level guidelines have been drafted in Europe and Asia, and several bills have been introduced into state legislatures in the United States.

EPIC's survey of the RFID industry:
http://www.epic.org/privacy/rfid/survey.html

For more information about radio frequency identification technologies, see EPIC's RFID page:
http://www.epic.org/privacy/rfid

======================================================================
[5] EPIC Opposes Ratification of Cybercrime Convention
======================================================================

On June 17, EPIC submitted a letter to the Senate Committee on Foreign Relations urging it to oppose the ratification of the Council of Europe's Convention on Cybercrime (the Cybercrime Convention). The same day, the Committee held a hearing to consider whether the United States should ratify the international treaty.

In 1997, the Council of Europe formed a Committee of Experts on Crime in Cyberspace, and met in secret for several years drafting the Cybercrime Convention, which was released in final form in June 2001. In November 2001, the United States joined about 30 other countries in the ceremonial act of signing the Cybercrime Convention. Since then, only Albania, Croatia, Estonia, Hungary, Lithuania and Romania have actually ratified the treaty.
On November 17, 2003, President Bush transmitted the Convention, along with the State Department's report on the treaty, to the U.S. Senate with a view to receiving its advice and consent to ratification. The State Department report states, among other things, that adoption of the treaty will not require implementation of any new legislation in the U.S.

EPIC's letter to the Committee recommended against ratification of the Cybercrime Convention for several reasons. First, the Convention threatens core human rights protected by the U.S. Constitution. The treaty grants law enforcement authorities sweeping investigative powers regarding computer surveillance, search and seizure, but fails to provide adequate safeguards for privacy or checks on government use of these powers. While the treaty does mention a concern for privacy protections, its language is weak and vague. The Cybercrime Convention also ignores several important existing international treaties and conventions regarding privacy and human rights, such as the 1948 Universal Declaration of Human Rights and the Council of Europe's own 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data.

Second, the Cybercrime Convention was drafted in a secretive and undemocratic manner. Nineteen drafts of the treaty were produced before the document was released to the public. Even after public release, little effort was made to incorporate concerns of privacy and civil liberties groups. The June 17 hearing before the Senate Committee on Foreign Relations continued that trend. The only witnesses who testified about the Cybercrime Convention were government officials, and no nongovernmental organizations or industry groups were given the opportunity to participate. The government witnesses did not mention any criticisms or possible drawbacks of ratifying the treaty.

Finally, very few European countries have ratified the Cybercrime Convention.
In fact, the treaty remains very controversial in Europe, particularly the provisions relating to the lack of protections for the use, collection, and distribution of personal data. As Italian Privacy Commission official Giovanni Buttarelli noted at EPIC's recent Freedom 2.0 conference in Washington, privacy and data protection have come to be considered in the European Union Charter of Fundamental Rights as fundamental human rights which European officials are committed to protecting, and there is concern that the extensive surveillance tools enabled by the Cybercrime Convention are threats to a democratic society.

To become binding on the U.S., the treaty requires approval of two-thirds of the Senate. When the Senate considers a treaty, it may approve it as written, approve it with specified conditions, reservations, or understandings, reject and return it, or prevent its entry into force by withholding approval. Chairman Richard Lugar has indicated that the Foreign Relations Committee may soon act on the Administration's ratification request, but treaty critics are asking for additional hearings to address their concerns.

The text of the Convention on Cybercrime:
http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm

The hearing schedule and witnesses' testimonies:
http://foreign.senate.gov/hearings/2004/hrg040617a.html

An explanation of the U.S.
treaty ratification process is available at:
http://www.epic.org/redirect/ratification.html

For more information, see EPIC's page on the Council of Europe's Convention on Cybercrime:
http://www.epic.org/privacy/intl/ccc.html

======================================================================
[6] Top TSA Official Admits Vast Collection of Air Passenger Data
======================================================================

The Transportation Security Administration's top official has admitted that Delta, Continental, America West, JetBlue and Frontier Airlines disclosed passenger records to the agency's contractors in 2002 to help them test the second generation Computer Assisted Passenger Prescreening System (CAPPS II). David Stone's concession, which was made in sworn written testimony responding to questions asked by the Senate Governmental Affairs Committee prior to his confirmation hearing, contradicts repeated denials that the agency had acquired or used real passenger data from airlines to test the controversial passenger profiling system.

The admission flies in the face of a February report to Congress by the General Accounting Office, Congress' investigative arm, which stated that the Transportation Security Administration had tested CAPPS II only with 32 simulated passenger records based upon itineraries provided by agency employees and contractor staff.

Stone further disclosed that agency contractors were given passenger records from Galileo International and "possibly" Apollo, two airline reservation systems. The agency directly received passenger information from a third reservation system, Sabre, which is one of the largest in the world and used by most Internet travel web sites.

Stone also stated that the agency failed to publish a "system of records" notice for the collection of passenger records, which is generally required by the Privacy Act.
Stone said the agency "did not believe" that the notice was necessary because the personal information was "not to be accessed or retrieved by name or personal identifier to make individual determinations[.]"

Questions also arose earlier this year about the agency's compliance with the federal privacy law in relation to passenger records. In February, the Department of Homeland Security Privacy Office chastised the agency for acting "without appropriate regard for individual privacy interests or the spirit of the Privacy Act" when it facilitated the transfer of passenger data from JetBlue Airways to a Defense Department contractor.

David Stone's answers to questions posed by the Senate Governmental Affairs Committee:
http://www.epic.org/privacy/airtravel/stone_answers.pdf

General Accounting Office's Report to Congress on CAPPS II:
http://www.epic.org/privacy/airtravel/ago-capps-rpt.pdf

Department of Homeland Security Privacy Office's Report to the Public on Events Surrounding JetBlue Data Transfer:
http://www.epic.org/privacy/airtravel/jetblue/dhs_report.pdf

For more information about passenger data disclosures, see EPIC's page on the Northwest Airlines disclosures:
http://www.epic.org/privacy/airtravel/nasa

For more information about CAPPS II, see EPIC's Passenger Profiling Page:
http://www.epic.org/privacy/airtravel/profiling

======================================================================
[7] News in Brief
======================================================================

EPIC LAWSUIT COMPELS RELEASE OF PASSENGER DATA INFO

Two weeks after EPIC filed suit to compel the Transportation Security Administration and Federal Bureau of Investigation to release information about their efforts to acquire airline passenger data from major commercial airlines (see EPIC Alert 11.11), the FBI has granted expedited processing of EPIC's request for information about the agency's collection of a year's worth of passenger information from numerous airlines after 9/11.
Last month, the FBI refused to expedite EPIC's request on the grounds that "the primary activity of EPIC does not appear to be information dissemination," though two federal judges have found otherwise. The Bureau also justified its denial by stating that EPIC had not "demonstrated any particular urgency to inform the public about the subject matter of [its] request beyond the public's right to know generally."

EPIC's complaint is available at:
http://www.epic.org/privacy/airtravelfoia/complaint.pdf

EPIC's motion for a preliminary injunction is available at:
http://www.epic.org/privacy/airtravelfoia/pi_motion.pdf

For more information about passenger data disclosures, see EPIC's Northwest Disclosure Page:
http://www.epic.org/privacy/airtravel/nasa

LEGISLATORS INTRODUCE SWEEPING CIVIL LIBERTIES BILL

The Civil Liberties Restoration Act of 2004, a major piece of civil liberties legislation, was introduced in Congress this month. Numbered H.R. 4591 in the House and S. 2528 in the Senate, the Act would require, among other things, that the Attorney General comply with the Privacy Act's accuracy requirements with respect to the data entered in the National Crime Information Center Database (NCIC). In March 2003, a regulation had been issued exempting the NCIC from the accuracy requirement. The Act would also ensure that individuals who are charged with a crime under the USA PATRIOT Act would see the evidence against them under the procedure set forth in the Classified Information Procedures Act. Further, the Act would require federal agencies to submit a report to Congress on their data mining activities.
The text of the Civil Liberties Restoration Act of 2004:
http://thomas.loc.gov/cgi-bin/bdquery/z?d108:s.02528:

For information about NCIC inaccuracy, see EPIC's Joint Letter to Require Accuracy for the National Crime Information Center:
http://www.epic.org/privacy/ncic

SENATE COMMITTEE CONSIDERS VOIP RULES

The Senate Committee on Science, Commerce, and Transportation heard testimony on June 16 to consider S. 2281, the Voice-over-IP (VoIP) Regulatory Freedom Act, sponsored by Senator John Sununu (R-NH). Under the proposed bill, VoIP providers would not be required to meet wiretap standards set forth in the Communications Assistance for Law Enforcement Act of 1994 (CALEA), though they would be required to honor government wiretap orders.

The Justice Department contends that applying CALEA-like requirements to VoIP would enable better real-time communications interceptions and the ability to avoid tapping into data from uninvolved third parties. They also argue that wiretap regulations should be technology neutral and that singling out particular technologies for exemptions creates holes in law enforcement's ability to protect national security. The corresponding House bill, sponsored by Rep. Chip Pickering (R-MS), explicitly extends CALEA design requirements to Internet telephony.

For more information about VoIP privacy issues, see the EPIC Internet Telephony page:
http://www.epic.org/privacy/voip

HOUSE SUBCOMMITTEE APPROVES SPYWARE BILL

In a brief mark-up session on June 17, the House Subcommittee on Commerce, Trade and Consumer Protection approved an amended version of H.R. 2929, the Securely Protect Yourself Against Cyber Trespass Act (SPY ACT), setting the stage for consideration of the bill by the full House Energy and Commerce Committee on June 24.

The amended H.R. 2929 prohibits certain deceptive practices related to spyware such as hijacking a computer's functions, changing homepages without authorization, and surreptitious keystroke logging.
The bill also regulates "information collection programs" by mandating express consent before installation, the provision of an uncomplicated disabling function, and the disclosure of the type of information collected and the purpose of collecting it. Under the current draft of H.R. 2929, the Federal Trade Commission will assume enforcement functions, with authorization to levy fines as large as $3 million for certain violations.

The speed with which H.R. 2929 has moved from subcommittee to full committee, and the bipartisan nature of the bill's 32 co-sponsors, suggest that the full House is likely to pass it this session. However, the bill's efficacy might be undermined by the fact that it includes no provisions for a private right of action, and it preempts states from legislating their own privacy protections against spyware.

The text of H.R. 2929 is available at:
http://www.epic.org/redirect/hr2929.html

ICANN EXTENDS WHOIS PUBLIC COMMENT PERIOD TO JULY 5

The Internet Corporation for Assigned Names and Numbers (ICANN) has extended the deadline for public comments to be submitted on the WHOIS policy development preliminary reports. The WHOIS database is a public directory of domain registrant data which is available and searchable online. Currently, registrants must enter such personal information as name, address, telephone number, and e-mail address in addition to technical contact information, all of which can be found in the public WHOIS database.

Last year ICANN established three task forces to develop policy for the WHOIS database. The task forces' preliminary reports, which focus on access, data, and accuracy, were recently released to the public. Members of the public now have until July 5, 2004 to submit comments to the three task forces developing the WHOIS policy.
For more information, visit the Public Voice web site:
http://www.thepublicvoice.org/news/2004_whoiscomments.html

================================
EPIC Publications:

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================
"The Privacy Law Sourcebook 2003: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003). Price: $40.
http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================
"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.
http://www.epic.org/bookstore/foia2002

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
================================ "Privacy & Human Rights 2003: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $35. http://www.epic.org/bookstore/phr2003 This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty-five countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws. ================================ "Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20. http://www.epic.org/bookstore/filters2.0 A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression. ================================ "The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40. http://www.epic.org/cls The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy. ================================ "Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20. http://www.epic.org/bookstore/crypto00& EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement. 
================================ EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at: EPIC Bookstore http://www.epic.org/bookstore "EPIC Bookshelf" at Powell's Books http://www.powells.com/features/epic/epic.html ====================================================================== [8] Upcoming Conferences and Events ====================================================================== ITU WSIS Thematic Meeting on Countering Spam. International Telecommunication Union and the World Summit on the Information Society. July 7-9, 2004. Geneva, Switzerland. For more information: http://www.itu.int/osg/spu/spam/meeting7-9-04/index.html. PORTIA Workshop on Sensitive Data in Medical, Financial, and Content-Distribution Systems. PORTIA Project. July 8-9, 2004. Stanford, CA. For more information: http://crypto.stanford.edu/portia/workshop.html. O'Reilly Open Source Convention. July 26-30, 2004. Portland, OR. For more information: http://conferences.oreilly.com/oscon. 2004 UK Big Brother Awards. Privacy International. July 28, 2004. London, UK. For more information: http://www.privacyinternational.org/bigbrother/uk2004. First Conference on Email and Anti-Spam. American Association for Artificial Intelligence and IEEE Technical Committee on Security and Privacy. July 30-31, 2004. Mountain View, CA. For more information: http://www.ceas.cc. Crypto 2004: The Twenty-Fourth Annual IACR Crypto Conference. International Association for Cryptologic Research, IEEE Computer Society Technical Committee on Security and Privacy, and the Computer Science Department of the University of California, Santa Barbara. August 15-19, 2004. Santa Barbara, CA. For more information: http://www.iacr.org/conferences/crypto2004. Ninth National HIPAA Summit. September 12-14, 2004. Baltimore, MD. For more information: http://www.HIPAASummit.com. Public Voice Symposium: Privacy in a New Era: Challenges, Opportunities and Partnerships. 
Electronic Privacy Information Center, European Digital Rights Initiative (EDRi), and Privacy International. September 13, 2004. Wroclaw, Poland. For more information: http://www.thepublicvoice.org/events/wroclaw04/default.html. The Right to Personal Data Protection -- the Right to Dignity. 26th International Conference on Data Protection and Privacy Commissioners. September 14-16, 2004. Wroclaw, Poland. For more information: http://26konferencja.giodo.gov.pl. 2004 Telecommunications Policy Research Conference. National Center for Technology & Law, George Mason University School of Law. October 1-3, 2004. Arlington, VA. For more information: http://www.tprc.org/TPRC04/call04.htm. Health Privacy Conference. Office of the Information and Privacy Commissioner of Alberta. October 4-5, 2004. Calgary, Alberta, Canada. For more information: http://www.oipc.ab.ca/home/DetailsPage.cfm?ID=1453. IAPP Privacy and Data Security Academy & Expo. International Association of Privacy Professionals. October 27-29, 2004. New Orleans, LA. For more information: http://www.privacyassociation.org/html/conferences.html. Privacy and Security: Seeking the Middle Path. Office of the Information & Privacy Commissioner of Ontario; Centre for Innovation Law and Policy, University of Toronto; and Center for Applied Cryptographic Research, University of Waterloo. Toronto, Ontario, Canada. October 28-29, 2004. For more information: http://www.epic.org/redirect/uwaterloo_conf.html. CFP2005: Fifteenth Annual Conference on Computers, Freedom and Privacy. April 12-15, 2005. Seattle, WA. For more information: http://www.cfp2005.org. 
====================================================================== Subscription Information ====================================================================== Subscribe/unsubscribe via web interface: https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news Back issues are available at: http://www.epic.org/alert The EPIC Alert displays best in a fixed-width font, such as Courier. ====================================================================== Privacy Policy ====================================================================== The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information." ====================================================================== About EPIC ====================================================================== The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. 
Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at: http://www.epic.org/donate Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ---------------------- END EPIC Alert 11.12 ----------------------