                           E P I C  A l e r t
Volume 13.06                                              March 24, 2006

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] EPIC, Archive File Brief Supporting Release of Abu Ghraib Images
[2] EPIC Testifies Against Social Security Number Expansion
[3] House Committee Approves Bill to Weaken Data Breach Laws 
[4] Judge Restricts Justice Department's Demand for Google Records 
[5] Security Flaws at Retailers Affect Thousands of Debit Card Holders
[6] News in Brief
[7] EPIC Bookstore: Mark S. Monmonier's "Spying with Maps"
[8] Upcoming Conferences and Events

[1] EPIC, Archive File Brief Supporting Release of Abu Ghraib Images

EPIC and the National Security Archive have filed an amicus brief urging
an appeals court to permit the disclosure of photos and videos showing
American troops abusing detainees at Abu Ghraib prison in Iraq. The
Pentagon has refused to release the information to the American Civil
Liberties Union under the Freedom of Information Act, claiming that it
would endanger U.S. soldiers serving in Iraq. EPIC and the Archive argue
that the government is turning FOIA on its head by claiming that
information likely to expose government misconduct should be withheld to
prevent public outrage.

In this case, the ACLU submitted Freedom of Information Act requests to
several government agencies for information about the treatment of
detainees in U.S. custody, including controversial images of abuse that
had been reported in the media. When the government failed to respond to
the ACLU's request nearly a year later, the organization filed suit in
the District Court for the Southern District of New York. U.S. District
Judge Alvin K. Hellerstein reviewed a sampling of photos depicting abuse
of detainees, and ordered the government to release them in redacted
form to protect the privacy of the pictured individuals.

The government appealed the ruling to the Second Circuit Court of
Appeals, arguing that disclosure of the images would "endanger the life
or physical safety" of U.S. troops and coalition forces by provoking
insurgent and terrorist attacks against them. The government also said
that the photos should not be released, even in the redacted form
required by Judge Hellerstein, because such disclosure could invade the
personal privacy of the detainees.

The amicus brief written by EPIC and the Archive argues that the
government's claims undermine the FOIA's purpose of promoting open,
honest and accountable government.  The brief shows that U.S. courts
have never allowed the potential for public anger to thwart the right to
free expression guaranteed by the Constitution and reflected, in part,
by the FOIA.

The brief also argues that disclosure of the photos will not threaten
personal privacy because Judge Hellerstein has already taken precautions
to safeguard the rights of the pictured detainees. Disclosure of these
redacted images will advance the public interest in examining the
propriety of the U.S. soldiers' conduct. Such disclosure will also help
to hold higher government officials responsible for the abuses at Abu

Amicus Brief Filed by EPIC and the National Security Archive (pdf):


District Court Decision in ACLU v. Department of Defense (pdf):


National Security Archive Press Release:


[2] EPIC Testifies Against Social Security Number Expansion

In testimony before the House Subcommittee on Social Security, EPIC
Executive Director Marc Rotenberg urged Congress not to expand the uses
of the Social Security number and the Social Security card. "Every
system of identification is subject to error, misuse, and exploitation,"
Rotenberg said.

The hearing was the fourth in a series held by Representative McCrery
(R-LA) to focus on high-risk issues facing the Social Security number.
The hearings, held over the course of the last four months, examined
fraud, the use of the number in verifying employment eligibility, and
possible modification of the card.

Some members of Congress have proposed that the card contain digital
photos, machine-readable identifiers, and biometric identifiers that
could turn the Social Security card into a national ID card. Current
Social Security cards, while bearing anti-counterfeiting features such
as those used on banknotes, are not intended or designed to be used for

In creating the Social Security Administration in the 1930s, Congress
was concerned that the number could become a universal identifier
aiding government tracking of activities, and the first act of the
newly formed Administration was to limit the card's use. Congress also
halted later expansions of the card's role by passing Section 7 of the
Privacy Act of 1974. Putting the card to new,
unintended uses, Rotenberg testified, would erode privacy, running
counter to this trend of protection. Rotenberg also noted that the
improper use of the SSN for identification by the private sector
contributes to identity theft.

Nevertheless, members of Congress, including Representatives David
Dreier (R-CA) and Silvestre Reyes (D-TX), called for additions to the
card. Representative Dreier insisted both that Social Security numbers
are already used for identification purposes by the private sector, and
also that the new photograph-bearing, machine-readable card would not,
in fact, be an identification document.

Frederick Streckewald of the Social Security Administration testified
that adding ID-like features to the Social Security card would cost at
least $9.5 billion. Dr. Stephen Kent of the National Research Council
also testified that complex ID systems like the one proposed for the
Social Security card often are pressed into unintended secondary uses
that can cause privacy and security problems.

Testimony of EPIC Executive Director Marc Rotenberg before Subcommittee
on Social Security (pdf):


Subcommittee on Social Security, Fourth Hearing on High-Risk SSN Issues:


EPIC's SSN Page:


[3] House Committee Approves Bill to Weaken Data Breach Laws 

The House Financial Services Committee approved legislation last week
that would roll back protections for many Americans' personal records.
The Financial Data Protection Act would create a weak national standard
for consumer protection, overriding or "preempting" stronger state
consumer protection laws.

For instance, companies only have to notify consumers of data breaches
where "information is reasonably likely to have been or to be misused in
a manner causing substantial harm or inconvenience." However, many
states have more stringent requirements that cause notices to be issued
whenever a security breach occurs. The reasoning behind these
requirements is that businesses have significant incentives not to give
notice, and may overlook breaches and their potential harms to avoid
embarrassment. But other loopholes in the language further limit the
requirement to give notice. These include that the information must be
"sensitive financial personal information," and that the company must
know the scope of the breach (in many cases, the scope is unknown).

The credit freeze provisions are similarly weak. Credit freeze is the
ability of an individual to limit disclosure of their consumer report to
new creditors, thus stopping companies from opening new accounts.  This
erects a nearly perfect shield against identity theft. Many states allow
any concerned residents to freeze their credit as a precaution against
future fraud. H.R. 3997, however, only allows credit freeze once someone
has become a victim of identity theft. Furthermore, H.R. 3997 creates a
difficult-to-use freeze mechanism that requires the victim to provide
proof of the crime, to send the freeze request by certified mail, and it
allows the consumer reporting agency to wait five business days before
implementing the freeze. These inconveniences are designed to stop
consumers from freezing their reports.

The main driver of this legislation is preemption--the desire of many
businesses to supersede stricter state laws. Additionally, the bill
prohibits enforcement by the state attorneys general, weakening any
possible enforcement of the law. The bill will next be considered by
other committees in the House and Senate, where there is a possibility
that it could be strengthened.

H.R. 3997, the Financial Data Protection Act:

EPIC's Page on Choicepoint and Other Security Breaches:


Coalition letter on ID Theft Legislation:


[4] Judge Restricts Justice Department's Demand for Google Records 

On March 17, a federal district judge in California issued an order
limiting the Justice Department's demand for records from Google. While
Google must still turn over a list of 50,000 web addresses, it will not
have to reveal any Internet search terms submitted by users.

The government's demands had been significantly narrowed compared to
the subpoena filed last August. That subpoena asked for the addresses of
all web sites indexed by Google, as well as every search term entered
into Google during a two-month period in 2005.  Yahoo, Microsoft, and
AOL were also asked to provide records. Of the companies, Google alone
objected, claiming that the demand threatened Google's trade secrets and
its image as a protector of users' privacy.

In making the decision, Judge Ware of the Northern District of
California recognized that the demand affected not just Google, but also
the privacy rights of individual Google users. Not only do users want
the terms they search for to be private, but search terms alone can
sometimes reveal a user's identity, such as when people search for their
social security numbers or credit card numbers to see if that
information is available on the Internet. The judge also noted that the
government might, in looking through search terms, decide to follow up
on information for unauthorized purposes, quoting a Justice Department
spokesperson who said that "if something raised alarms, we would hand it

Because of these concerns, the judge ruled that Google did not have to
turn over search terms, but that the list of web addresses, since they
did not impact privacy, had to be turned over.

The Justice Department is seeking the records to conduct a statistical
study for the defense of the Child Online Protection Act, an online
censorship law that was blocked as unconstitutional by the Supreme Court
in 2004. The government has given few details as to how it intends to
use the information--an omission that the judge called "particularly
striking," considering the time the government had to prepare the case,
and given that it already had essentially the same information from the
other major search engines.

The Child Online Protection Act makes it a criminal offense for anyone
to post adult material on the web, unless they first collect information
from users proving that the user is not a minor. The Supreme Court
barred enforcement of the law, saying that the government had not proven
that this restriction on free speech was the most effective means to
prevent minors from viewing adult material on the Internet.

Text of the Decision in Google v. Gonzales (pdf):


Supreme Court Ruling on the Child Online Protection Act, Ashcroft v.


EPIC's Child Online Protection Act Page:


[5] Security Flaws at Retailers Affect Thousands of Debit Card Holders

Hundreds of thousands of debit cards may have been affected by fraud,
but affected banks, card companies, and retailers are releasing very few
details on the incident. Consumers first became aware of the problem as
major banks, including Citibank, Wells Fargo, Washington Mutual, and
Bank of America blocked ATM transactions in Canada, the United Kingdom
and Russia, and quietly began issuing new debit cards to customers.

The affected banks have since told reporters that the problems were
related to fraudulent transactions that had been traced to data breaches
at unspecified retailers. Recent reports have named OfficeMax and Sam's
Club stores as likely sources for the breach, although OfficeMax
continues to deny that it knew of any security mishaps.

Thieves have apparently been able to collect not only the data contained
within the magnetic strips on victims' ATM cards, but also the PIN codes
that allow access to their accounts. Fraudulent withdrawals in Canada,
the United Kingdom, and Russia apparently triggered the blocks in those
countries, and have led to the arrests of 14 people in New Jersey.

When consumers purchase goods with an ATM card, the PIN entered into the
register is supposed to be encrypted when it is sent out for
verification, and deleted after the transaction is complete. For the
breaches to have occurred, the information must have been improperly
retained on a computer and the thieves must have been able to decrypt
the coded PINs, either because the encryption key was carelessly stored
on the same server, or through hacking by an insider.

The scope of the breach underscores the need for laws that will protect
consumers from such crimes, by notifying them when breaches occur and
allowing them to freeze accounts if they suspect fraud. Many bills
currently before Congress provide loopholes that would allow breaches
like this one to go unreported, and would not allow victims to place
security freezes on their accounts unless they first filed a police
report. Some of the proposed laws would also eliminate stronger state
consumer protections.

EPIC's Identity Theft Page:


Coalition letter on ID Theft Legislation:


[6] News in Brief

Lawmakers Propose .xxx Domain 

Senators Max Baucus (D-MT) and Mark Pryor (D-AR) have proposed the Cyber
Safety for Kids Act, a bill that would require the creation of a .xxx
top-level domain. The law would require websites in the business of
distributing adult material to register and host all adult material at
the .xxx domain, instead of using any of the current top-level domains
(such as .com, .net, .biz or others). Those who fail to use the .xxx
domain would be subject to civil penalties by the Department of
Commerce. The bill has not yet been introduced.

Text of the .xxx TLD Bill (pdf):


Supreme Court Limits Warrantless Searches of Homes by Police

The Supreme Court ruled Wednesday in Georgia v. Randolph that police,
who do not have a warrant, may not search a home when one resident
allows entry but another refuses it. Officers found evidence of illegal
drugs in a home after a woman had given her consent to the officers but
her husband had objected. In 1974, the Supreme Court ruled in United
States v. Matlock that one occupant may give police permission to search
a residence without a warrant if the other resident either is absent or
does not object.

Supreme Court Opinion in Georgia v. Randolph (pdf):


Federal Court: Fliers Must Complete Search Process Once It's Begun

Last week, the Ninth Circuit Court of Appeals ruled in United States v.
Aukai that travelers who begin the security screening process at
airports cannot change their minds. The court said passengers who walk
through airport metal detectors implicitly consent to a search, and they
can't revoke that consent even if they are chosen to undergo a more
extensive "secondary screening" process. The court did not rule on
whether a passenger could refuse searches that are more invasive than
simple pat-downs.

Ninth Circuit Opinion in United States v. Aukai (pdf):


EPIC's Passenger Profiling page:


Washington State Passes Pretexting Law

Washington State appears to be the first to pass legislation to protect
telephone records. The House and Senate have passed SB 6776, but the
bill still awaits the Governor's signature. SB 6776 prohibits the
intentional sale of phone records without consent of the account holder.
It also prohibits pretexting. Under the law, it is a "class c felony" to
sell, pretext, or knowingly purchase phone records, while it is a "gross
misdemeanor" to knowingly receive records. There are also civil
remedies, including a $5,000 liquidated damages award and attorneys'
fees. Government entities and telephone companies are exempt from the

EPIC Illegal Access to Phone Records Page:


Washington State Senate Bill 6776:

RFID Chips Vulnerable to Viruses

A study by European researchers has revealed that radio frequency
identification (RFID) systems can be affected by viruses encoded into
individual chips. Melanie Rieback, Bruno Crispo, and Andrew Tanenbaum
have authored a paper describing how the remotely readable tags can be
programmed to infect the machines that read them and the databases that
store their information. Such malicious programs could then force the
systems to produce more infected tags, further spreading the virus.

Text of the RFID Virus Paper (pdf):


Paper Authors' Page on RFID Viruses:


EPIC's RFID page:


Deleted Gmails to be Turned Over in FTC Case

A federal magistrate judge has ordered that Google turn over all of the
email correspondence of a Gmail user, including emails that he has
deleted. The Federal Trade Commission, investigating a credit counseling
scam, subpoenaed the emails of Peter Baker, the owner of a company
linked to the case. The subpoena asked not only for the email in Baker's
Gmail mailboxes, but also for deleted emails that were retained on
Google computers. Google's privacy policy says that copies of deleted
email may remain on active servers for up to 60 days, or indefinitely on
offline backup servers.

Google's Gmail Privacy Policy:


EPIC's Gmail page:


Homeland Security Gets Another 'F' for Computer Security

A report by the House Government Reform Committee found that many
federal agencies are failing to protect their computer and information
networks. The committee gave the Department of Homeland Security an 'F'
for a third straight year. The departments of Agriculture, Defense,
Energy, State, Health and Human Services, Transportation, and Veterans
Affairs also received failing grades again this year. The annual report
bases the grades on information the agencies submit to the White House
Office of Management and Budget, and the agencies' own internal

Report and Testimony from Various Agency Leaders:


[7] EPIC Bookstore: Mark S. Monmonier's "Spying with Maps"

Mark S. Monmonier. "Spying with Maps: Surveillance Technologies and the
Future of Privacy" (University of Chicago Press, 2002).


"Maps, as we know, help us find our way around. But they're also powerful
tools for someone hoping to find you. Widely available in electronic and
paper formats, maps offer revealing insights into our movements and
activities, even our likes and dislikes. In Spying with Maps, the
"mapmatician" Mark Monmonier looks at the increased use of geographic
data, satellite imagery, and location tracking across a wide range of
fields such as military intelligence, law enforcement, market research,
and traffic engineering. Could these diverse forms of geographic
monitoring, he asks, lead to grave consequences for society? To assess
this very real threat, he explains how geospatial technology works, what
it can reveal, who uses it, and to what effect.

Despite our apprehension about surveillance technology, Spying with Maps
is not a jeremiad, crammed with dire warnings about eyes in the sky and
invasive tracking. Monmonier's approach encompasses both skepticism and
the acknowledgment that geospatial technology brings with it
unprecedented benefits to governments, institutions, and individuals,
especially in an era of asymmetric warfare and bioterrorism. Monmonier
frames his explanations of what this new technology is and how it works
with the question of whether locational privacy is a fundamental right.
Does the right to be left alone include not letting Big Brother (or a
legion of Little Brothers) know where we are or where we've been? What
sacrifices must we make for homeland security and open government?"


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining, electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $50.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
60 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2004 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Beyond the Basics: Advanced Legal Topics in Open Source and
Collaborative Development in the Global Marketplace. University of
Washington School of Law. March 21, 2006. Seattle, Washington. For more

Call for papers for the 34th Research Conference on Communication,
Information, and Internet Policy. Telecommunications Policy Research
Conference. Proposals should be based on current theoretical or
empirical research relevant to communication and information policy, and
may be from any disciplinary perspective. Deadline is March 31, 2006.
For more information:

Making PKI Easy to Use. National Institutes of Health. April 4-6, 2006.
Gaithersburg, Maryland. For more information:

First International Conference on Availability, Reliability and
Security. Vienna University of Technology. April 20-22, 2006. Vienna,
Austria. For more information:

Third International Conference on Security in Pervasive Computing.
University of York. April 19-20, 2006. York, United Kingdom. For more

CHI 2006 Workshop on Privacy-Enhanced Personalization. UC Irvine
Institute for Software Research and the National Science Foundation.
April 22-23. Montreal, Quebec, Canada. For more information:

The First International Conference on Legal, Security and Privacy Issues
in IT (LSPI). CompLex. April 30-May 2, 2006. Hamburg, Germany. For more

Computers, Freedom, and Privacy Conference (CFP 2006). Association for
Computing Machinery May 2-5, 2006. Washington, DC. For more information:

Infosecurity New York. Reed Exhibitions. September 12-14, 2006. New
York, New York. For more information:

34th Research Conference on Communication, Information, and Internet
Policy. Telecommunications Policy Research Conference. September
29-October 1, 2006. Arlington, Virginia. For more information:

International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November 1,
2006. Oshawa, Ontario, Canada. For more information:

BSR 2006 Annual Conference. Business for Social Responsibility. November
7-10, 2006. New York, New York. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.06 -------------------------