========================================================================
                          E P I C   A l e r t
========================================================================
Volume 13.12                                               June 16, 2006
------------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_13.12.html

========================================================================
Table of Contents
========================================================================
[1] Appeals Court Wrongly Extends Wiretap Requirements
[2] EPIC Testifies Before Homeland Security on Video Surveillance
[3] Documents Reveal More Potential PATRIOT Act Abuses
[4] Coalition Urges Strong International Privacy Rules
[5] Federal, State Governments Struggle to Investigate Domestic Spying
[6] News in Brief
[7] EPIC Bookstore: Stanton and Stam: The Visible Employee
[8] Upcoming Conferences and Events

========================================================================
[1] Appeals Court Wrongly Extends Wiretap Requirements
========================================================================

The U.S. Court of Appeals for the D.C. Circuit has decided (pdf) that the Federal Communications Commission can require broadband and VoIP providers to make their services wiretap-friendly. The decision allowed the FCC to apply the Communications Assistance for Law Enforcement Act (CALEA) to Internet-based communications, even though the law explicitly exempted "information services."

CALEA, passed by Congress in 1994, was created when law enforcement officials worried that advances in the traditional telephone system, including wireless technologies, might make wiretapping more difficult. The solution proposed was to require telephone companies to construct their systems to allow easy eavesdropping by law enforcement.
Recognizing that wiretapping internet connections posed distinct problems, however, the law did not apply to "information services" like Internet service providers.

Last year, the FCC declared that, despite this prohibition, CALEA would apply to broadband Internet service providers and providers of voice communications over the Internet (known as voice over Internet Protocol, or VoIP). A broad coalition of privacy advocates, Internet providers, and educational institutions, who would now be required to design their systems to meet the government's surveillance needs.

The D.C. Circuit upheld the FCC's decision based upon a previously unused portion of CALEA that authorized the FCC to apply CALEA to any "wire or electronic communication switching service," so long as that service "is a replacement for a substantial portion of the local telephone exchange service and. . . it is in the public interest to do so." The court sided with the FCC's argument that, since aspects of broadband Internet and VoIP services replace aspects of traditional telephone service, CALEA applies to these new technologies.

Judge Edwards, dissenting from the Circuit court's opinion, said that the FCC's interpretation of this provision runs squarely contrary to the information services exception. "If all information services that are carried out 'via telecommunications' are subject to CALEA, then the 'information services' exception is an empty set," he said. During oral argument, Edwards characterized the FCC's convoluted interpretation of the statute as "gobbledygook."

Senator Patrick Leahy, the primary sponsor of CALEA during its creation and passage, criticized the D.C. Circuit's interpretation of the law, saying that "Stretching a law written for the telephone system of 1994 to cover the Internet of 2006 is simply inconsistent with congressional intent."

D.C. Circuit Opinion (pdf):
     http://www.epic.org/privacy/wiretap/ace_v_fcc.pdf

Text of CALEA:
     http://www.epic.org/privacy/wiretap/calea/calea_law.html

EPIC's Wiretap Page:
     http://www.epic.org/privacy/wiretap/

Senator Leahy's Statement:
     http://leahy.senate.gov/press/200606/060906.html

========================================================================
[2] EPIC Testifies Before Homeland Security on Video Surveillance
========================================================================

In testimony before the Department of Homeland Security's Data Privacy and Integrity Advisory Committee, EPIC Associate Director Lillie Coney highlighted the threat that video surveillance poses to the rights of privacy and anonymity. The meeting, held in San Francisco, focused on the use of radio frequency identification devices (RFID) and the adoption of public closed-circuit television (CCTV) surveillance systems. The committee advises Homeland Security on policy and technology issues that relate to privacy.

Coney's testimony emphasized that, even in public, individuals have a right to privacy in their anonymity. An individual in public, observed by strangers, has an expectation of privacy because she will not be recorded or scrutinized as a matter of course. CCTV systems remove the privacy protections that human memory provides.

EPIC said that privacy in public spaces was a vital part of our democratic experience. Video surveillance, in combination with newer technologies like facial recognition systems, poses a real threat to lawful First Amendment protected activity. Documents obtained by EPIC demonstrate that CCTV systems have been used in Washington, D.C. to record peaceful public demonstrations and identify individual participants within the captured images.

Not only does video surveillance affect fundamental privacy rights, its ability to deter and combat crime is often overstated.
Research on the effectiveness of the technology for these purposes has not demonstrated a causal relationship between the technology and the goals stated for its deployment.

EPIC recommended the development of model guidance to local, state, and federal governments to discern the need for the technology and guide its use. The lack of information on the cost-benefit analysis and privacy impact assessments of CCTV technology should make these the first steps in the decision-making process.

Coney's Testimony (pdf):
     http://www.epic.org/privacy/surveillance/coneytest060706.pdf

EPIC's Video Surveillance Page:
     http://www.epic.org/privacy/surveillance/

========================================================================
[3] Documents Reveal More Potential PATRIOT Act Abuses
========================================================================

FBI documents recently obtained by EPIC under the Freedom of Information Act reveal forty-two cases of alleged FBI intelligence misconduct deemed serious enough to refer to the Intelligence Oversight Board. These forty-two known cases occurred in 2000-2005.

One report indicated violations of the Foreign Intelligence Surveillance Act, when information obtained under the Act was improperly disclosed in a grand jury subpoena. Another report disclosed that an electronic communication was inadvertently intercepted because of an error made by an Internet service provider. In another incident, call detail information was recorded inadvertently after a surveillance target changed phone numbers. Yet another report cited wiretaps on the wrong cell phones. Records also indicated that some surveillance operations continued past the authorized period.

Each of these reports was referred to the Intelligence Oversight Board by the FBI's Office of General Counsel because of an executive order that requires intelligence agencies to report "intelligence activities that they have reason to believe may be unlawful or contrary to Executive Order or Presidential Directive." The IOB must then report these activities to the President and Attorney General, though Congress is not notified of the allegations, or how the matters are resolved.

The recently disclosed documents were the latest in a series obtained from the FBI by EPIC following a Freedom of Information Act request for records concerning the FBI's use of PATRIOT Act powers that were originally set to sunset in 2005.

Based on these documents, EPIC has asked the Senate Judiciary Committee to consider legislation that would require the Attorney General to report cases of alleged intelligence misconduct to the House and Senate Judiciary Committees, as well as the Justice Department's response to such incidents. The letter stated that the ever-increasing number of wiretaps and the expanding scope of domestic surveillance require additional oversight.

EPIC v. Dept. of Justice page:
     http://www.epic.org/privacy/terrorism/usapatriot/foia/

EPIC's FOIA Request:
     http://www.epic.org/redirect/fbi_foia_request.html

EPIC's letter to the Senate Judiciary Committee (pdf):
     http://www.epic.org/privacy/surveillance/sen_iob_letter.pdf

========================================================================
[4] Coalition Urges Strong International Privacy Rules
========================================================================

A coalition of privacy groups urged the U.S. Department of Commerce to strengthen privacy rules to protect personal data being transferred between and out of the Asia Pacific Economic Cooperation Group (APEC).
The Department of Commerce sought comments on how to implement the APEC Privacy Framework in creating cross-border privacy rules, which would govern how information is transferred between APEC member countries.

The APEC Privacy Framework sets out a series of general privacy principles that member economies should follow in handling individuals' personal information. Specific data privacy rules between member economies would have to abide by these principles.

The privacy groups emphasized the need for binding laws to protect privacy, given the often-weak enforcement of self-regulatory industry schemes. The groups also stated that existing privacy laws in the member countries should be built upon, and that individuals within a country with strong privacy laws should not lose those protections simply because their data is transferred to a country with weaker laws. The coalition also said that businesses within APEC countries should not transfer data to countries with unacceptably weak data protection laws, or at least should face stricter penalties if data transferred to these other countries is compromised.

The groups also advocated creating a monitoring committee that would oversee APEC members' compliance with the privacy framework and the individual cross-border rules, issuing warnings to businesses and other organizations that violate those rules, and recommending enforcement actions against violators to the appropriate government officials.

The privacy groups jointly commenting on the plan included Consumer Federation of America, EPIC, the National Consumers League, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest Research Group, and the World Privacy Forum.

Coalition Comments on APEC Cross-Border Privacy Rules (pdf):
     http://www.epic.org/privacy/intl/apec_cmts.pdf

Comment Notice:
     http://www.epic.org/redirect/apec_notice.html

APEC Privacy Framework (pdf):
     http://www.epic.org/redirect/apec_framework.html

Organization for Economic Cooperation and Development Privacy Guidelines:
     http://www.epic.org/redirect/oecd_guidelines.html

EPIC's Privacy Law Sourcebook 2004 (containing the text of the APEC Privacy Framework):
     http://www.epic.org/bookstore/pls/2004/

========================================================================
[5] Federal, State Governments Struggle to Investigate Domestic Spying
========================================================================

On June 6, the Senate Judiciary Committee decided not to subpoena telephone company executives in its investigation of the National Security Agency's domestic surveillance program. Committee Chairman Arlen Specter backed away from earlier calls to bring the companies in to testify in exchange for support of a bill that Specter has proposed to allow a review of the program by the special court created by the Foreign Intelligence Surveillance Act (FISA).

Following this exchange, however, Specter took the unusual step of writing an open letter to Vice President Cheney, rebuking the Vice President for privately encouraging other senators to oppose hearings with the telephone companies. In the letter, Specter stated that "[t]here is no doubt that the NSA program violates the Foreign Intelligence Surveillance Act..." Specter also indicated that he may proceed with subpoenas if he cannot reach an agreement with the White House on the issue.

The surveillance program, first reported on by USA Today in May, apparently relied upon telephone companies to secretly hand over millions of customers' detailed call records to the NSA, in an effort to analyze the data for supposed terrorist calling patterns.
According to the USA Today report, no warrants were issued or requested by the government in collecting any of this information.

The Senate is not the only government body to call for an investigation into the program. Federal Communications Commissioner Michael Copps has also publicly called for investigations of the phone companies allegedly involved, noting that their actions would have violated provisions of the Communications Act that require them to keep customer records confidential. EPIC has joined the call for FCC investigation, though FCC Chairman Kevin Martin has so far declined, citing the likelihood that the program's classified nature would preclude an investigation.

The executive branch has also taken drastic steps to oppose the efforts of state governments to investigate the potential violations, suing the state of New Jersey to prevent the state attorney general from investigating phone companies allegedly involved in the program. Companies required by the state to respond to the subpoenas were also warned by federal authorities that responding to the subpoenas would be a violation of federal law.

Letter of Senator Specter to Vice President Cheney (pdf):
     http://www.epic.org/privacy/surveillance/specter-ltr_6-06.pdf

Statement of FCC Commissioner Michael Copps (pdf):
     http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-265373A1.pdf

EPIC's letter to FCC Chairman Martin (pdf):
     http://www.epic.org/privacy/wiretap/epic-fcc-nsa.pdf

EPIC Resources on Domestic Surveillance:
     http://www.epic.org/features/surveillance.html

========================================================================
[6] News in Brief
========================================================================

Veterans Affairs Data Theft Widens, Includes Active Personnel

The personal information of about 1.1 million active-duty military personnel, 430,000 members of the National Guard and 645,000 members of the Reserves, was stolen in the recent theft of computer data from the Department of Veterans Affairs, the agency announced last week. The agency previously said that all 26.5 million people affected by the data theft were veterans and their spouses. The data include Social Security numbers and disability ratings. The FBI has set up a 24-hour tip line at 1-800-CALL-FBI for information on the burglary. Congress continues to hold hearings on the theft of sensitive personal information on veterans and active duty military personnel.

Latest Information on the Theft from Veterans Affairs:
     http://firstgov.gov/veteransinfo.shtml

ID Theft Prevention Tips for Veterans from Privacy Rights Clearinghouse:
     http://www.privacyrights.org/ar/VABreach.htm

EPIC Files Reply Comments on Phone Record Security

EPIC has filed reply comments on the Federal Communications Commission's proposal to require phone companies to increase security for consumers' phone records. In its comments, EPIC urges the FCC to adopt rules that prevent poor security practices, such as using easily obtained biographical information as passwords for users to access account information.
EPIC also responded to comments from telephone companies claiming that audit trails were too expensive, noting that many telephone companies already use audit trails in fraud prevention. Finally, EPIC objected to a "safe harbor" proposal that would allow companies to avoid responsibility for consumer privacy.

EPIC Reply Comments (pdf):
     http://www.epic.org/privacy/iei/rm_reply_cmts.pdf

EPIC's Illegal Sale of Phone Records Page:
     http://www.epic.org/privacy/iei

One-Third of US and UK Firms Read Employees' E-mail

More than one-third (38%) of large companies in the US and UK read their employees' e-mail, and another 24% of US firms and 33% of UK firms plan to implement such surveillance, according to a new study from a company that offers corporate e-mail protection. However, about 20% of US and UK firms surveyed do not have a written policy about e-mail use and monitoring. Proofpoint Inc. and Forrester Research surveyed 406 US and UK companies with more than 1,000 employees.

Proofpoint and Forrester Research Survey (pdf):
     http://www.epic.org/privacy/workplace/proof_email2006.pdf

EPIC's Workplace Privacy page:
     http://www.epic.org/privacy/workplace/

Philadelphia Cab Drivers Protest GPS Tracking

Dozens of cab drivers protested in front of Philadelphia's City Hall after the Philadelphia Parking Authority's plan to mandate that all of the city's taxi drivers install Global Positioning Satellite (GPS) systems in their cabs. Drivers went on strike to reject the systems, which are high-tech devices that would allow the Parking Authority to track all city cabs and passengers. After installation, the cab owners would have to pay an $18 per month maintenance fee for the systems.

Privacy and Human Rights 2004 on satellite surveillance:
     http://www.epic.org/redirect/phr2004_sat.html

Passenger Data Transfer on G-8 Agenda

The controversial plan that allowed European airlines to transfer passenger data to the U.S. government will be raised at this week's G-8 summit.
The agreement, struck down on narrow procedural grounds by the European Court of Justice recently, is likely to be renegotiated in a different format in accordance with the court's ruling. The new framework for the program, however, is likely to expand, not limit, the data airlines must provide the U.S., according to Homeland Security Secretary Michael Chertoff.

Ruling by the European Court of Justice:
     http://www.epic.org/redirect/ec_court_passenger.html

========================================================================
[7] EPIC Bookstore: Stanton and Stam: The Visible Employee
========================================================================

Jeffrey M. Stanton and Kathryn R. Stam. The Visible Employee: Using Workplace Monitoring and Surveillance to Protect Information Assets--Without Compromising Employee Privacy or Trust. Information Today, 2006.

http://www.powells.com/partner/24075/biblio/0910965749

"For business owners, managers, and IT staff interested in learning how to effectively and ethically monitor and influence workplace behavior, this guide is a roadmap to ensuring security without risking employee privacy or trust. The misuse of information systems by wired workers—either through error or by intent—is discussed in detail, as are possible results such as leaked or corrupted data, crippled networks, lost productivity, legal problems, or public embarrassment. This analysis of an extensive four-year research project conducted by the authors covers not only a range of security solutions for at-risk organizations but also the perceptions and attitudes of employees toward workplace surveillance."

================================

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining, and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $50.
http://www.epic.org/bookstore/phr2004

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 60 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2004 is the most comprehensive report on privacy and data protection ever published.

================================

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
     http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
     https://mailman.epic.org/cgi-bin/control/foia_notes

========================================================================
[8] Upcoming Conferences and Events
========================================================================

7th Annual Institute on Privacy Law: Evolving Laws and Practices in a Security-Driven World. Practising Law Institute. June 19-20, New York, New York. July 17-18, Chicago, Illinois. Live webcast available. For more information: www.pli.edu

identitymashup: Who Controls and Protects the Digital Me? Berkman Center for Internet & Society, Harvard Law School. June 19-21, 2006. Cambridge, Massachusetts. For more information: http://www.identitymash-up.org/

Call for papers for Identity and Identification in a Networked World. Submissions due by July 5. New York University. Symposium on September 29-30, 2006. New York, New York. For more information: http://www.easst.net/node/976

Infosecurity New York. Reed Exhibitions. September 12-14, 2006. New York, New York. For more information: http://www.infosecurityevent.com

34th Research Conference on Communication, Information, and Internet Policy. Telecommunications Policy Research Conference. September 29-October 1, 2006. Arlington, Virginia. For more information: http://www.tprc.org/TPRC06/2006.htm

6th Annual Future of Music Policy Summit. Future of Music Coalition. October 5-7, 2006. Montreal, Canada.
For more information: http://www.futureofmusic.org/events/summit06/

The IAPP Privacy Academy 2006. International Association of Privacy Professionals. October 18-20, 2006. Toronto, Ontario, Canada. For more information: www.privacyassociation.org

International Conference on Privacy, Security, and Trust (PST 2006). University of Ontario Institute of Technology. October 20-November 1, 2006. Markham, Ontario, Canada. For more information: http://www.businessandit.uoit.ca/pst2006/

BSR 2006 Annual Conference. Business for Social Responsibility. November 7-10, 2006. New York, New York. For more information: http://www.bsr.org/BSRConferences/index.cfm

CFP2007: Computers, Freedom, and Privacy Conference. Association for Computing Machinery. May 2007. Montreal, Canada. For more information: http://www.cfp2007.org

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:
     https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:
     http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

     http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.12 -------------------------