========================================================================
E P I C A l e r t
========================================================================
Volume 13.15 July 27, 2006
------------------------------------------------------------------------
Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_13.15.html

========================================================================
Table of Contents
========================================================================
[1] Courts, Congress Ponder NSA Surveillance Issues
[2] EPIC Testifies on WHOIS Privacy and Phishing
[3] House Committees Hold Joint Hearing on E-voting
[4] House Nears Vote on Data Breach Bill
[5] D.C. Council Approves Temporary Expansion of Camera Use
[6] News in Brief
[7] EPIC Bookstore: Yochai Benkler's "The Wealth of Networks"
[8] Upcoming Conferences and Events

========================================================================
[1] Courts, Congress Ponder NSA Surveillance Issues
========================================================================

The legal battles over two different warrantless surveillance programs conducted by the NSA continue, with one private suit against AT&T continuing in California and another being dismissed in Illinois. The federal government has also sued the state of Missouri to prevent state officials from investigating one of the NSA programs.

A federal district court judge in California allowed a suit against AT&T to go forward, against the federal government's argument that the state secrets privilege prevented the suit from being brought in the first place. The lawsuit, brought on behalf of clients represented by the Electronic Frontier Foundation, alleges that AT&T gave the government access to its facilities to wiretap all of the calls and emails traveling over AT&T's network.
The judge held that the suit could continue, noting that AT&T and the government had both disclosed involvement in the clandestine surveillance program.

A federal judge in Illinois, however, dismissed a lawsuit challenging AT&T's cooperation with the NSA in a related surveillance program. This program allegedly resulted in the phone records of millions of Americans being delivered to the NSA for data mining. The suit, brought by private plaintiffs represented by the Illinois ACLU, was dismissed on the state secrets doctrine.

The federal government also continues to block state investigations into the NSA phone records program, with the Department of Justice suing to prevent the Missouri Public Service Commission from investigating whether telecommunications companies in their state turned over information to the federal government in violation of law. In June, the Justice Department sued the state of New Jersey to prevent the state attorney general from conducting a similar investigation.

In May, EPIC wrote to Kevin Martin, chairman of the Federal Communications Commission, and urged the FCC to undertake an investigation into the various reports that customer information was improperly disclosed to the NSA. The EPIC letter stated, "If telecommunication carriers disclosed customer information to the NSA in the manner described in press reports, then violations of section 222 of the Communications Act have occurred."

However, if a law pending in Congress is enacted, all these various legal disputes may be rendered irrelevant. Senator Arlen Specter, Chairman of the Senate Judiciary Committee, has, with the backing of the White House, proposed a bill that would allow warrantless surveillance programs to continue subject to the approval of the secretive Foreign Intelligence Surveillance Court. Specter's bill would allow the court to approve entire surveillance programs. The court currently reviews applications for foreign surveillance and wiretaps.
In the period from 2001 to 2005, the government has applied for 7,729 surveillance warrants from the court. Of these, only four were denied.

Specter's bill has been severely criticized by civil liberties groups, who say that it grants "Congressional authorization to the President's unconstitutional conduct" and that it makes compliance with well-established privacy safeguards "merely optional."

Order Denying the Government's Motion to Dismiss the EFF Suit (pdf):
     http://www.eff.org/legal/cases/att/308_order_on_mtns_to_dismiss.pdf

Opinion Dismissing the Illinois Suit Against AT&T (pdf):
     http://www.epic.org/privacy/surveillance/terkel_op.pdf

EPIC Letter to the FCC on Domestic Surveillance:
     http://www.epic.org/privacy/phone/fcc-letter5-06.html

Senator Specter's Bill to Authorize Warrantless Domestic Surveillance:
     http://thomas.loc.gov/cgi-bin/bdquery/z?d109:s.02453:

Statement by Civil Liberties Groups Criticizing Specter Bill (pdf):
     http://www.cdt.org/security/20060719nsastatement.pdf

EPIC Resources on Domestic Surveillance:
     http://www.epic.org/features/surveillance.html

========================================================================
[2] EPIC Testifies on WHOIS Privacy and Phishing
========================================================================

EPIC Executive Director Marc Rotenberg testified in support of new privacy safeguards for the WHOIS database before a subcommittee of the House Financial Services Committee. Currently anyone with an Internet connection, including spammers, phishers, and stalkers, can access information in the WHOIS database. Citing the growing risk of identity theft, EPIC supported proposals to limit public access to personal information.

The WHOIS database contains the personal contact information of anyone who registers a domain name. When a user decides to register a domain name, he is usually asked for his name, address, email address, and phone and fax numbers.
The user must also provide the complete contact information for a technical contact and an administrative contact. In the case of individuals or small organizations, the registrant himself is often the administrative contact, providing his own home address and telephone number. If a user does not provide his name or address, or complete contact information for the technical and administrative contacts, his domain name may be taken away. All of this information is then published in the WHOIS database for anyone to access.

Rotenberg said, "This means that both the law enforcement agent with legal authority to investigate crime and a person with the intent to commit crime has the same access to the WHOIS database. This represents a significant privacy and security risk for a domain name registrant."

While witnesses for the Department of Commerce and the financial services companies argued for continuing unrestricted access to WHOIS data, the witness for the Federal Trade Commission said that privacy protection was necessary to protect consumers. Eileen Harrington, Deputy Director of the Bureau of Consumer Protection, said, "The FTC, as the primary enforcement agency for U.S. consumer privacy and data security laws, is very concerned about protecting consumers' privacy. Thus, the Commission has always recognized that registrants engaged in non-commercial activity may require some privacy protection from public access to their contact information, without compromising appropriate real-time access by law enforcement agencies."

Rotenberg noted that the proposals to protect domain name owners' personal information would not affect the ability of law enforcement to access the database. There have been several cases of spammers and fraudsters using the WHOIS database to target victims, including one of the most prolific spammers in the United Kingdom.
A comprehensive review of privacy practices around the world, conducted by EPIC, found that the current ICANN WHOIS data policy has "failed to resolve the privacy risks faced by Internet users that result directly from ICANN’s own data practices."

House Financial Services Hearing on Phishing and the WHOIS Database:
     http://www.epic.org/redirect/fs_whois.html

EPIC's Testimony on WHOIS (pdf):
     http://www.epic.org/privacy/whois/phishing_test.pdf

EPIC's WHOIS Page:
     http://www.epic.org/privacy/whois

EPIC's Privacy and Human Rights 2004 Report on WHOIS:
     http://www.epic.org/redirect/phr2004_whois.html

Privacy and Human Rights 2005 Edition:
     http://www.epic.org/bookstore/phr2005/phr2005.html

========================================================================
[3] House Committees Hold Joint Hearing on E-voting
========================================================================

The House Committee on Science and the Committee on Administration held a joint hearing on the effectiveness of electronic voting machines. The hearing investigated the changes made in federal law by the Help America Vote Act (HAVA) to voting technology certification and voting technology guidance given to states.

Witnesses for the hearing included Mary Kiffmeyer, the Secretary of State of Minnesota and David Wagner, a computer science professor at the University of California, Berkeley who advised the state of California on securing electronic voting systems. These witnesses agreed that the current guidance to states recently released by the Election Assistance Commission is not sufficient and that more needs to be done to protect votes cast in public elections.

The National Committee for Voting Integrity also participated in the hearing by providing a written statement, which recommended greater security for e-voting systems.
NCVI also criticized the guidelines' lack of focus on auditing, saying that the current review process for ensuring that e-voting systems properly count votes is insufficient. NCVI also noted that the Commission's guidelines, despite warning that the use of wireless technology is risky, still provide recommendations for implementing wireless technology in voting machines.

In related news, the National Research Council recently issued its "Letter Report on Electronic Voting." The report indicated that many jurisdictions may be unprepared for the 2006 general elections in November. The report also emphasized the need for improved security, transparency in vendor certification, and auditability of cast ballots.

Joint Hearing of the House Science and Administration Committees on Electronic Voting:
     http://www.house.gov/science/hearings/full06/July%2019/index.htm

NCVI Statement for the Hearing (pdf):
     http://www.epic.org/privacy/voting/pdf_files/ncvi_706.pdf

Text of the Help America Vote Act:
     http://www.fec.gov/hava/law_ext.txt

National Research Council Report on Electronic Voting:
     http://darwin.nap.edu/books/0309102790/html/1.html

EPIC Voting Page:
     http://www.epic.org/privacy/voting/

========================================================================
[4] House Nears Vote on Data Breach Bill
========================================================================

The House Financial Services Committee is pressing for a floor vote on its version of a data breach bill, despite the concerns of state law enforcement and consumer groups. State attorneys general have urged Congress to pass a bill that preserves state protections and state enforcement, while the Financial Services bill preempts state law. The bill also drew harsh criticisms from a coalition of consumer groups, who said that existing state laws are more effective at protecting consumers.
In a letter to House leadership signed by 48 state attorneys general, the National Association of Attorneys General asked Congress to pass data breach bills that would allow for states to retain their own consumer protections and also let state law enforcement supplement federal enforcement efforts. The state officials also urged Congress to pass a law that required breached companies to notify users in all cases, not merely those that the company felt created a particular risk of identity theft. The bill, however, does not allow for state enforcement and requires that a breached entity find it "reasonably likely" that breached data could be used to commit identity theft.

Consumer groups have heavily criticized the Financial Services bill as lacking, stating that it actually made it more likely that companies who have lost consumer data will be able to hide the breaches from consumers. A coalition of consumer groups has issued a statement calling the bill's notification policy a "don't know, don't tell" system. The groups also criticized the bill's preemption of state law, saying that it "does nothing for consumers and rolls back existing state consumer protection laws."

A number of federal data breach bills have been proposed in Congress this year, though few have implemented all of the proposals urged by state governments and consumer groups. At least 33 states already have data breach notification laws.

H.R. 3997, the Financial Data Protection Act:
     http://thomas.loc.gov/cgi-bin/bdquery/z?d109:h.r.03997:

Statement by Consumer Groups on the Financial Services Bill (pdf):
     http://www.epic.org/privacy/choicepoint/consumer_3997.pdf

Statement by State Attorneys General on Data Breach Bills (pdf):
     http://www.epic.org/redirect/state_ag_breach.html

US PIRG's List of State Data Breach and Credit Freeze Laws:
     http://www.pirg.org/consumer/credit/statelaws.htm

EPIC's Data Brokers Page:
     http://www.epic.org/privacy/choicepoint

========================================================================
[5] D.C. Council Approves Temporary Expansion of Camera Use
========================================================================

The D.C. Council agreed last week to install 23 surveillance cameras in residential neighborhoods for the first time. This action, along with an earlier curfew and police access to confidential juvenile information, was taken in response to a proposal from Mayor Anthony Williams for emergency legislation. EPIC, the ACLU-National Capital Area and the Justice 4 D.C. Youth Coalition were among the groups that protested in front of D.C. Council headquarters against the measures.

EPIC has repeatedly warned the Council that closed circuit television (CCTV) systems are ineffective and prone to abuse. Studies have shown that it is more effective to place more officers on the streets and improve lighting in high-crime areas than to use CCTV, and that black males are disproportionately scrutinized when camera surveillance systems are used.

The D.C. Metropolitan Police Department (MPD) currently has a wireless network of 19 cameras mounted on the rooftops of various buildings throughout the city at strategic vantage points such as the Smithsonian Institution Castle, Dupont Circle, Union Station, and outside the city in Arlington, Va. The cameras feed into the MPD's Joint Operations Command Center, located at police headquarters.
The cameras are only turned on during major events and emergencies, which is an important limitation that many other cities do not have. Also important in protecting privacy are the city's policies governing the use of the camera systems. They limit the time the data can be retained.

The new legislation changes this limited, specialized surveillance of major events and emergencies into 24-hour surveillance of daily life in D.C. neighborhoods. Cameras can range in price from $40,000 to $100,000 each, and D.C. will spend $2.3 million to buy 23 cameras.

Mayoral candidate and Ward 4 representative Adrian Fenty was the only Council member to vote against the bill. He pointed out that not one part of the emergency legislation was new; each proposal had been rejected by the Council in previous sessions. Mayor Williams had proposed an expansion of CCTV in April, but the Council did not approve it.

The measures will be in force for 90 days. The Council has scheduled an October hearing to review use of surveillance cameras.

EPIC's Comments to the D.C. Council on the April CCTV proposal (pdf):
     http://www.epic.org/privacy/surveillance/cctvcom062906.pdf

EPIC's December 2005 Spotlight on Surveillance about D.C.'s CCTV system:
     http://www.epic.org/privacy/surveillance/spotlight/1205/

D.C. Council Home Page:
     http://www.dccouncil.washington.dc.us/

The Observing Surveillance Project:
     http://observingsurveillance.org/

EPIC's Video Surveillance page:
     http://www.epic.org/privacy/surveillance/

========================================================================
[6] News in Brief
========================================================================

Homeland Security Selects New Privacy Officer

The Department of Homeland Security chose its associate general counsel, Hugo Teufel III, as its new chief privacy officer. He will replace acting privacy officer Maureen Cooney, who resigned on July 17th.
Cooney had replaced Nuala O'Connor Kelly, who resigned from the position in September 2005 to become chief privacy officer at General Electric. Privacy advocates questioned the appointment, citing Teufel's lack of experience.

Homeland Security Press Release Announcing Teufel's Appointment:
     http://www.dhs.gov/dhspublic/display?content=5752

House Bill Would Protect SSN Privacy

A bill giving the Federal Trade Commission the power to prohibit sales of Social Security Numbers was approved by the House Energy and Commerce Committee. The Social Security Number Protection Act, sponsored by Representative Ed Markey, was first introduced in 2000, in response to the stalking and murder of Amy Boyer, whose killer was able to locate a wider variety of information about her after first purchasing her Social Security number online. Social Security numbers, improperly used as a means of identification by many businesses, also act as a key for identity thieves to access their victims' information.

Text of H.R. 1078, the Social Security Number Protection Act:
     http://thomas.loc.gov/cgi-bin/bdquery/z?d109:h.r.01078:

Indian Authorities Censor Blogs

Thousands of blogs were rendered inaccessible in India for a period of several days. Entire domains, including blogspot.com and typepad.com, each of which hosts thousands of blogs, were rendered inaccessible. The Indian Department of Telecommunications issued a press release stating that the censorship was targeted only at 17 particular websites, and that the overblocking was the fault of Internet service providers.

Government Press Release on Blog Censorship:
     http://pib.nic.in/release/release.asp?relid=18954

National Database to Track College Students Proposed

In June, the Department of Education released a draft report endorsing a controversial proposal to create a federal database of college student records. The proposal would, in contrast to existing systems, contain individually identifiable information on particular students.
The proposal was heavily criticized by colleges and universities, who objected to the individualized tracking of their students. The Department of Education justified the proposal, saying it wished to have better statistics on part-time, transfer, or other nontraditional students.

Initial Version of the Department of Education's Draft Report (see pages 17 and 22) (pdf):
     http://www.ed.gov/about/bdscomm/list/hiedfuture/reports/report.pdf

Latest Version of the Department of Education's Draft Report (see page 11) (pdf):
     http://www.epic.org/redirect/ed_college_track.html

Amnesty International Releases Report on Tech Companies in China

Amnesty International has released a report condemning Internet companies for collaborating with the Chinese government in suppressing free speech. Focusing on the actions of Yahoo, Microsoft, and Google, the report makes specific recommendations as to how Internet companies operating in China might work to protect free speech and human rights while doing business in the country. Yahoo has reportedly turned over information on dissidents using its services to authorities, while Microsoft and Google have respectively censored blogs and search results that are critical of the Chinese government.

Amnesty International Report on Tech Companies in China (pdf):
     http://www.epic.org/redirect/amnesty_tech_china.html

========================================================================
[7] EPIC Bookstore: Yochai Benkler's "The Wealth of Networks"
========================================================================

The Wealth of Networks: How Social Production Transforms Markets and Freedom. Yochai Benkler. Yale University Press, 2006.

http://www.powells.com/partner/24075/biblio/4-0300110561-0

"With the radical changes in information production that the Internet has introduced, we stand at an important moment of transition, says Yochai Benkler in this thought-provoking book.
The phenomenon he describes as social production is reshaping markets, while at the same time offering new opportunities to enhance individual freedom, cultural diversity, political discourse, and justice. But these results are by no means inevitable: a systematic campaign to protect the entrenched industrial information economy of the last century threatens the promise of today's emerging networked information environment.

In this comprehensive social theory of the Internet and the networked information economy, Benkler describes how patterns of information, knowledge, and cultural production are changing, and shows that the way information and knowledge are made available can either limit or enlarge the ways people can create and express themselves. He describes the range of legal and policy choices that confront us and maintains that there is much to be gained, or lost, by the decisions we make today."

================================

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining, and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.
http://www.epic.org/bookstore/phr2005/phr2005.html

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.

================================

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
     http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
     https://mailman.epic.org/cgi-bin/control/foia_notes

========================================================================
[8] Upcoming Conferences and Events
========================================================================

7th Annual Institute on Privacy Law: Evolving Laws and Practices in a Security-Driven World. Practising Law Institute. June 19-20, New York, New York. July 17-18, Chicago, Illinois. Live webcast available.
For more information: www.pli.edu

identitymashup: Who Controls and Protects the Digital Me? Berkman Center for Internet & Society, Harvard Law School. June 19-21, 2006. Cambridge, Massachusetts. For more information: http://www.identitymash-up.org/

Call for papers for Identity and Identification in a Networked World. Submissions due by July 5. New York University. Symposium on September 29-30, 2006. New York, New York. For more information: http://www.easst.net/node/976

Infosecurity New York. Reed Exhibitions. September 12-14, 2006. New York, New York. For more information: http://www.infosecurityevent.com

34th Research Conference on Communication, Information, and Internet Policy. Telecommunications Policy Research Conference. September 29-October 1, 2006. Arlington, Virginia. For more information: http://www.tprc.org/TPRC06/2006.htm

6th Annual Future of Music Policy Summit. Future of Music Coalition. October 5-7, 2006. Montreal, Canada. For more information: http://www.futureofmusic.org/events/summit06/

The IAPP Privacy Academy 2006. International Association of Privacy Professionals. October 18-20, 2006. Toronto, Ontario, Canada. For more information: www.privacyassociation.org

International Conference on Privacy, Security, and Trust (PST 2006). University of Ontario Institute of Technology. October 20-November 1, 2006. Markham, Ontario, Canada. For more information: http://www.businessandit.uoit.ca/pst2006/

BSR 2006 Annual Conference. Business for Social Responsibility. November 7-10, 2006. New York, New York. For more information: http://www.bsr.org/BSRConferences/index.cfm

CFP2007: Computers, Freedom, and Privacy Conference. Association for Computing Machinery. May 2007. Montreal, Canada.
For more information: http://www.cfp2007.org

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:
     https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:
     http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible.
Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

     http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.15 -------------------------