EPIC logo

                           E P I C  A l e r t
Volume 13.08                                              April 21, 2006

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] ICANN Chooses Privacy for Whois
[2] Congress, Administration Push for U.S. Data Retention Laws
[3] International Privacy Commissioners Meet in Washington
[4] U.S. Archives Had Reclassification Agreements With CIA, Air Force 
[5] Immigration Bill Would Require DHS Checks for All U.S. Jobs
[6] News in Brief
[7] EPIC Bookstore: David Lyon's "Surveillance as Social Sorting"
[8] Upcoming Conferences and Events

[1] ICANN Chooses Privacy for Whois

The Internet Corporation for Assigned Names and Numbers (ICANN), the
body that controls the assignment of domain names to Internet addresses,
has voted to adopt a policy protecting the privacy of domain holders'
personal information. ICANN stated that Whois, a public database
containing the contact information of domain name holders, should be
used only for its original purpose: to resolve issues related to the
configuration of the records associated with the domain name. The ruling
means that Whois data will not be expanded for other purposes, such as
law enforcement and copyright investigations.

The Generic Names Supporting Organization (GNSO), which develops domain
name policy for ICANN, held a vote on April 12 to decide how Whois
should be used. Two definitions were proposed.  The first stated that
the purpose of Whois was to provide contact information so that
technical problems with domain name servers could be addressed and
resolved. The second proposed definition stated that Whois was intended
to provide contact information to resolve technical, legal or any other
issues dealing with a domain name. The first definition was agreed to,
with a vote of 18 to 9.

The more expansive definition was supported by commercial Internet
users, Internet service providers, and intellectual property holders,
who viewed Whois as a tool to locate and serve process on domain name
owners accused of infringing on trademarks or copyrights. Non-commercial
users, domain name registrars and registries supported the more limited
purpose, which would better protect privacy and prevent abuses of
personal information contained within the Whois database.

EPIC, which is a member of the non-commercial users constituency
advocated this position in its comments to ICANN in February.

ICANN page on Whois:


GNSO Announcement of Resolutions at April 12 Meeting:


EPIC's Whois page:


[2] Congress, Administration Push for U.S. Data Retention Laws

Members of Congress are calling for laws in the United States that would
compel Internet service providers and telecom companies to store
information about their customers for months or years and make those
records available to the police upon request. Supporters of a data
retention law include Rep. Ed. Whitfield (R-KY) and Homeland Security
Secretary Michael Chertoff. Attorney General Alberto Gonzales recently
stated that retaining records of Internet users would help fight crime,
especially online crimes involving child pornography.

The data at stake includes information as sensitive as mobile phone
location data, e-mail headers, e-commerce web site transactional data,
and web browsing or chat room activities. This information normally gets
discarded if it is not useful to companies for billing, marketing,
network monitoring or fraud prevention purposes. Some of that deleted
data, law enforcement is now claiming, could be useful to solve criminal

In the United States, law enforcement can currently subpoena Internet
providers and phone companies to keep records on specific suspects for a
renewable period of 90 days. This system is called "data preservation."
A few other countries, however, have chosen a "data retention" system,
where companies have to store the data of all customers for months or
years. For example, the European Union adopted last year a data
retention directive that requires all of its member states to enact data
retention laws. The implementation of the directive is facing stiff
resistance in several member states, and data protection officials
within the EU's Article 29 Working Party on Data Protection have
criticized the directive as lacking adequate safeguards for privacy.

To date, law enforcement has not been able to show that retaining all
users' data helps to solve criminal cases. Traffic data is seldom
essential in criminal investigations and data retained for longer than 6
months is rarely useful. Retaining all customer data could also raise
serious security and privacy risks. The huge data warehouses created by
such laws would provide tempting targets for hackers and identity
thieves. Criminals could also easily evade data retention rules by using
anonymous online access or prepaid mobile phones, leaving law-abiding
Internet and phone users with the prospect of permanent and highly
invasive surveillance.

Article 29 Working Party Comments on the EU Data Retention Directive


Comments of the EPIC and the Yale Internet Society Project to the
European Commission on Traffic Data Retention (pdf):


EPIC Data Retention page: 


[3] International Privacy Commissioners Meet in Washington

The International Working Group on Data Protection in Telecommunications
met in Washington, DC on April 6-7. The Working Group is composed of the
data protection commissioners of twenty-five countries and privacy
experts from around the world. The meeting, co-hosted by EPIC, began
with an address by U.S. Federal Trade Commissioner Jonathan Leibowitz.
The delegations from each country discussed the most significant events
in the privacy laws of their respective countries, before conferring
upon specific emerging issues of privacy.  Among the topics covered at

Electronic health records: Digitized medical records are often promoted
as a means for patients to receive better care, especially when away
from home.  But the mobility of the records means that breaches of
patient privacy may have more widespread effects than before.

Personal data and web services: Consumers are increasingly relying upon
web-based applications, like webmail, for common online tasks.
Businesses that handle and store information for consumers have an
obligation to respect users' confidentiality in storing and processing
this information.

Copyright Management and Privacy: Technical efforts to prevent
unauthorized uses of copyrighted works often identify individual users,
or report their personal information. How can copyright protections
avoid becoming surveillance mechanisms?

Radio frequency identification, or RFID: Both governments and the
private sector are promoting the use of remotely-readable radio
frequency tags to uniquely identify both goods and people. Individuals
should know of the presence of the tags and be able to disable or
destroy them when desired.

The Working Group's papers on these topics are yet to be finalized, and
should be available on the Working Group's website within a few weeks.

International Working Group on Data Protection:


English-Language Site for the Working Group:


[4] U.S. Archives Had Reclassification Agreements With CIA, Air Force

The United States' chief archivist has revealed that the National
Archives and Records Administration entered into secret agreements with
the CIA and Air Force to reclassify records that had been public for
decades. The classified Memoranda of Understanding, signed in 2001 and
2002, also required the Archives not to tell the public why records were
being pulled from the shelves.

Archivist of the United States Allen Weinstein released a statement this
week blasting the agreements, declaring that "there can never be a
classified aspect to our mission. Classified agreements are the
antithesis of our reason for being . . . . If records must be removed
for reasons of national security, the American people will always, at
the very least, know when it occurs and how many records are affected."

The reclassification program at the Archives was first publicly
disclosed by the New York Times earlier this year. According to the
initial report, several intelligence agencies had reclassified about
9,500 documents that were available to the public for years at the
Archives. About 8,000 documents have been reclassified during the Bush
presidency alone.

The Archives' Information Security Oversight Office is now developing
procedures to govern the review of previously declassified records. Once
completed, the office's proposal will be available for public comment.

Press Release, National Archives, National Archives Releases Second
Declassified MOU:


National Archives Memorandum of Understanding with the Air Force (pdf):


National Archives Memorandum of Understanding with the CIA (pdf):


National Archives, Background on NARA Classified MOUs:


EPIC's Open Government Page:


[5] Immigration Bill Would Require DHS Checks for All U.S. Jobs

All employees in the United States would have their names, Social
Security numbers and job information stored in a massive government
database if a pending immigration bill becomes law. The House of
Representatives recently passed H.R. 4437 and it is now before the
Senate. The Border Protection, Antiterrorism, and Illegal Immigration
Control Act of 2005 would expand the currently voluntary Basic Pilot
program, which now involves 3,600 employers. If the bill passes, the
nation's 8.4 million employers would have to send employee names and
Social Security numbers to the federal government, which would check
that information against databases for to verify employment eligibility.

The Government Accountability Office reviewed the employment database
program in August and found several problems, including an "inability to
detect identity fraud" and erroneous entries in databases. These
problems "have made it difficult for employers who want to comply with
the employment verification process to ensure that they hire only
authorized workers and have made it easier for unscrupulous employers to
knowingly hire unauthorized workers," the GAO said.

The massive employment database, which would include sensitive data
about all employed citizens as well as immigrants, would be a tempting
target for identity thieves. Customs and Immigration officials also told
GAO that an expansion would create significant backlogs in employment

H.R. 4437 does not include the right for employees to review their files
or appeal any errors. This is despite the fact that GAO found many
errors in the federal employment verification databases. Illinois Sen.
Barack Obama (D-IL) has introduced an amendment seeking to increase
privacy protections for the verification system. Sen. Obama would
include the right to appeal erroneous data, accuracy standards, privacy
protection, and limits on data sharing.

H.R. 4437, The Border Protection, Antiterrorism, and Illegal Immigration
Control Act of 2005:


GAO Report on Immigration Enforcement Weaknesses (pdf):


[6] News in Brief

Transportation Security Administration Appoints New Privacy Director

The Transportation Security Administration has named a new director to
oversee its expanded privacy office. The agency announced this week that
Peter Pietra, currently the agency's Assistant Chief Counsel for
Information Law, will serve as Director of Privacy Policy and
Compliance. Lisa Dean, who has been TSA's privacy officer since 2004,
will continue to work with the office. Since its creation in 2001, TSA
has pursued several programs that raised substantial privacy concerns,
including transportation worker and airline passenger prescreening

TSA Press Release on New Director:


EPIC's Secure Flight Page:


Sprint Unveils GPS-Enabled Tracking of Kids

Sprint, one of the country's largest mobile service providers, has
launched a service intended to allow parents to use GPS technology to
track children carrying cell phones.  For approximately $10 a month, the
Sprint Family Locator will allow subscribers to display the location of
an individual on an interactive map, complete with nearby street
addresses and landmarks. The service will also allow subscribers to ask
for alerts when individuals reach specific locations.

Sprint's Press Release on Family Locator:


James C. White, People, Not Places: A Policy Framework for Analyzing
Location Privacy Issues:


Sex Offender Registries Under Renewed Scrutiny
Two individuals were shot to death last week by an attacker who chose
his victims based on their presence on Maine's sex offender registry.
Last year, two other individuals listed on sex offender registries in
Washington State were killed by a vigilante. In Arkansas, an identity
thief used the Indiana registry to steal identities of sex offenders
because their personal information was so easy to obtain. The spate of
vigilante violence and opportunistic crime against sex offenders has
caused Maine to temporarily remove its registry from the Internet. Other
states are also under pressure to restrict access to the registries. In
a challenge to the constitutionality of sex offender registries, EPIC
warned the Supreme Court that they were unjustifiably invasive of
privacy, and that the registries would lead to vigilante violence.
However, the Supreme Court ultimately upheld the registries, holding
that they were non-punitive civil regulation and that they could be
retroactively applied to individuals who already served time for sex
EPIC Privacy and Megan's Laws Page:

SF Chooses Earthlink and Google for Citywide Wifi

The City of San Francisco has preliminarily chosen Earthlink and Google
to provide municipal broadband service. The companies' proposal seeks to
have Google deploy an advertising-supported 300 Kbps connection
citywide. Earthlink will provide a for-fee premium service delivering 1
Mbps. The proposal also seeks to create a surveillance infrastructure
for San Francisco by allowing greater deployment of video cameras and
automated enforcement tools, such as parking meters. EPIC, EFF, and the
ACLU of Northern California urged city officials to tweak privacy
protections for users of the service. The coalition is seeking to ensure
that individuals can use the service without "signing in." Signing in
allows Google to track users across sessions, and raises the risk that
detailed profiles of Internet activity will be built. The groups also
urged the city to require the companies to switch to an opt-in model for
information sharing, as both Google and Earthlink reserve the ability to
sell data unless the user objects. Finally, the groups are seeking
restrictions on the use of the network to deploy cameras to monitor

San Francisco TechConnect:


Coalition Letter on Earthlink / Google:


New Hampshire House Passes Anti-REAL ID Bill

The New Hampshire House of Representatives has just passed HB 1582, an
act "prohibiting New Hampshire from participating in a national
identification card system." If the measure passes the state Senate, New
Hampshire will be the first state to reject the REAL ID Act, which sets
federal standards for state driver's licenses, essentially making them
national ID cards. Implementation costs will be substantial, according
to a recent survey of state motor vehicle administrators. The federal
government initially put the total price at $100 million, but
Pennsylvania alone would spend $85 million on REAL ID, the survey found.
The National Governors Association has called REAL ID "unworkable and

HB 1582:


National Governor Association press release about REAL ID:


EPIC's National ID Cards and REAL ID Act page:


[7] EPIC Bookstore: David Lyon's "Surveillance as Social Sorting"

David Lyon. "Surveillance as Social Sorting: Privacy, Risk and Automated
Discrimination" (Routledge, 2003).


"This book examines some crucial aspects of surveillance processes with
a view to showing what constitutes them, why the growth of surveillance
is accelerating and what is really at stake personally and politically.
It scrutinizes individual surveillance systems - CCTV, biometrics,
intelligent transportation systems, smart cards, on-line profiling - and
discusses their implications for our future. Surveillance as Social
Sorting is a fascinating contribution to a relatively new field -
surveillance studies."


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining,and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, sypware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $50.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
60 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2004 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Access to Knowledge Conference. Yale Information Society Project.
April 21-23, 2006. New Haven, Connecticut. For more information:

CHI 2006 Workshop on Privacy-Enhanced Personalization. UC Irvine
Institute for Software Research and the National Science Foundation.
April 22-23. Montreal, Quebec, Canada. For more information:

Rethinking the Discourse on Race: A Symposium on How the Lack of Racial
Diversity in the Media Affects Social Justice and Policy. St. John's
University. April 28-29, 2006. New York, New York. For more information:

The First International Conference on Legal, Security and Privacy Issues
in IT (LSPI). CompLex. April 30-May 2, 2006. Hamburg, Germany. For more

Computers, Freedom, and Privacy Conference (CFP 2006). Association for
Computing Machinery May 2-5, 2006. Washington, DC. For more information:

Conference on Data Protection and Security: A Transnational Discussion.
International Association of Young Lawyers. May 5-6, 2006. Washington,
DC. For more information:

Call for papers for the CRCS Workshop 2006: Data Surveillance and
Privacy Protection. Center for Research on Computation and Society. June
3, 2006. Cambridge, Massachusetts. For more information:

7th Annual Institute on Privacy Law: Evolving Laws and Practices in a
Security-Driven World. Practising Law Institute. June 5-6, San
Francisco, California. June 19-20, New York, New York. July 17-18,
Chicago, Illinois. Live webcast available. For more information:

Infosecurity New York. Reed Exhibitions. September 12-14, 2006. New
York, New York. For more information:

34th Research Conference on Communication, Information, and Internet
Policy. Telecommunications Policy Research Conference. September
29-October 1, 2006. Arlington, Virginia. For more information:

The IAPP Privacy Academy 2006. International Association of Privacy
Professionals. October 18-20, 2006. Toronto, Ontario, Canada. For more

International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November 1,
2006. Markham, Ontario, Canada. For more information:

BSR 2006 Annual Conference. Business for Social Responsibility. November
7-10, 2006. New York, New York. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.08 -------------------------