                           E P I C  A l e r t
Volume 13.17                                             August 25, 2006

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] Federal Court Finds NSA Wiretaps Illegal
[2] AOL Releases Users' Search Queries 
[3] DHS Inspector General: More Security Needed for RFID
[4] Government to Require Cars Warn of "Black Box" Recording
[5] DHS Seeks Expanded Access to Travelers' Data
[6] News in Brief
[7] EPIC Bookstore: David Lazer's "DNA and the Criminal Justice System"
[8] Upcoming Conferences and Events

[1] Federal Court Finds NSA Wiretaps Illegal

On August 17, a federal court in Detroit held that the government's
program of warrantless eavesdropping was illegal and unconstitutional.
The court then ordered the government to halt the program.

The program, operated by the National Security Agency, taps into the
phone conversations of "US persons" (citizens and permanent residents)
without first obtaining a warrant, either from a criminal court or even
the secretive Foreign Intelligence Surveillance Court. After the
program's existence was made public, a coalition of civil liberties
organizations and individuals sued to keep the wiretap program from

The government, citing the secret nature of the program, argued that the
suit should be dismissed, since the existence of the program was a
"state secret." The court, however, refused to throw out the case,
noting that the government had admitted enough about the existence of
the program publicly to allow the suit.

The court not only allowed the suit to proceed, however, but also found
that the warrantless surveillance program violated the Foreign
Intelligence Surveillance Act (FISA), which regulates the wiretapping of
foreign intelligence, and Title III of the Omnibus Crime Control and
Safe Streets Act, which regulates domestic surveillance. The court also
found that the Fourth Amendment had been violated, since no warrants had
been sought, either before or after surveillance had begun. The program
also violated the First Amendment, the court held, since the wiretapping
program would chill the speech of those groups and individuals who
thought themselves likely to be wiretapped.

The decision also addressed the arguments that the president's inherent
powers and the 2001 Authorization for Use of Military Force granted the
administration the ability to conduct the wiretapping program, contrary
to existing laws. "First, this court must note that the AUMF says
nothing whatsoever of intelligence or surveillance. . . Next it must be
noted that FISA and Title III are together by their terms denominated by
Congress as the exclusive means by which electronic surveillance may be
conducted." The court dismissed the inherent powers argument, noting
that the military powers granted to the president do not allow the
violation of existing laws.

The plaintiffs had also sued to halt another NSA program, which trawls
through a massive database of phone call records.  However, the court
dismissed that claim, saying that, without any admission of the
program's existence, the state secrets privilege would bar the suit.

This is the latest of three judicial opinions on government surveillance
programs to be issued in recent months. In July, a federal judge in
Illinois dismissed a lawsuit against AT&T for its participation in the
call records data mining, citing the state secrets doctrine. A federal
court in San Francisco, however, allowed another suit against AT&T's
participation in the eavesdropping program to proceed, though it did not
make a final ruling on the case. Both the Congressional Research Service
and a team of legal scholars have issued reports concluding that the
eavesdropping program is illegal.

Opinion in ACLU v. NSA (pdf):


Congressional Research Service Report on Domestic Surveillance Program


Legal Scholars' Report on the Domestic Surveillance Program (pdf):


EPIC's Spotlight on Surveillance on the NSA Program:


[2] AOL Releases Users' Search Queries 

AOL's Chief Technology Officer has resigned and two staff have been
fired two weeks after researchers released the search terms used by
650,000 users of AOL's search engine over a three month period. The data
includes a unique identifier for each user, the terms searched for, the
time and date of the search, and the result the user clicked on. It was
intended to be a tool for researchers trying to design better search

While AOL initially claimed the search data had been anonymized, since
the users' names had been replaced with numeric identifiers, many of the
search terms included personally identifiable information such as
names, addresses, and even e-mail messages. This often makes the
correlation of a user's search results with the user's real identity
possible. For instance, the New York Times was able to identify user
4417749 as Thelma Arnold of Lilburn, Georgia. Her searches included
queries about medical conditions of some of her friends. She also
searched for landscapers in her area and other interests like traveling.
Other users in the disclosed data searched for a wide range of topics,
including relationship advice, escort services, and other personal

Because a user is consistently identified by an identifying number, the
user's searches can be seen over time covering a variety of subjects,
and connections can be drawn between queries. As the New York Times
found, multiple queries can be used to narrow down the identity of a
searcher even without directly personally identifiable information being
given. However, many users apparently entered personally identifiable
information into their searches, including credit card and Social
Security numbers.

AOL quickly took the data off its web site and later apologized, but
other people who had downloaded the data have made it available. AOL has
said it will review its privacy policies to prevent future disclosures
like this one, but it and other major search engines plan to continue
recording users' search terms.

The breach has led to calls for the Federal Trade Commission to
investigate AOL for unfair and deceptive trade practices, since AOL's
privacy policy states that personal information and search queries would
not be disclosed without user consent. AOL's breach of information would
also likely trigger the security breach laws of many states, requiring
AOL to notify those customers whose information has been published.

World Privacy Forum's FTC Complaint (pdf):


Electronic Frontier Foundation's FTC Complaint (pdf):


World Privacy Forum Search Privacy Tips:


[3] DHS Inspector General: More Security Needed for RFID

According to a report recently released by the Department of Homeland
Security's Office of the Inspector General, the Department's use of
radio frequency identification (RFID) technology leaves critical
information open to unauthorized access. RFID chips store data and
broadcast it via radio waves in response to another radio signal. The
small, remotely-readable chips are being placed in immigration
documents and passports, and may soon be used to track cargo and
passenger baggage.

The report also found a lack of systematic inventories of RFID
technology and consistent policies, and identified security concerns
regarding user access permissions, password management, and auditing in
the Department's RFID databases. The specific database problems, found
within US Customs and Border Protection and the US Visitor and Immigrant
Status Indicator Technology Program, have been redacted from the report
released to the public.

In addition to database security concerns, the Inspector General's
report highlighted that data on a tag, in the absence of adequate
security measures, can be read by a variety of authorized and
unauthorized readers.  The report also found that security controls were
not always present in developing systems, creating the risk that many
systems under development would not be adequately tested prior to their
application in the real world.

The State Department has begun using RFID technology in new e-passports,
which it rolled out in Colorado earlier this month. However, a security
researcher in Las Vegas announced before the rollout that he was able,
with readily available technology, to clone the RFID tags that are to be
placed in passports. Other privacy concerns that have been raised over
e-passports are unauthorized reading of the tag's data and use of the
tags to identify US citizens. Both the Department of Homeland Security
and the Government Accountability Office have recently issued reports
highlighting their concerns over RFID's increased risks to privacy and
paucity of the touted security benefits.

DHS Inspector General's Report (pdf):


GAO Report on RFID (pdf):




[4] Government to Require Cars Warn of "Black Box" Recording

Car buyers will have to be notified if their car contains an Event Data
Recorder (EDR), according to a new rule proposed by the National Highway
Traffic Safety Administration (NHTSA). EDRs, like “black boxes” used in
airplanes, record information about a car's operation in the moments
before a crash. The position of the steering wheel, the amount the brake
pedal was depressed, the speed of the car, whether seat belts are
fastened, and other information recorded by the cigarette pack-sized EDR
can be used by law enforcement and in court to recreate the car's state
at the time of a crash.

NHTSA says that 64% of model 2005 cars came equipped with EDRs. Some car
manuals acknowledge the use of the EDR in the car, and some states
require disclosure of the presence of the EDR. In 2004, EPIC argued in
comments to the agency that all car owners should not only be made aware
that information about their driving is being recorded, but that
consumers should have the right to control the collection and
dissemination of their driving data.

The new rule, which goes into effect in 2010, requires that cars equipped
with EDRs must mention the usage in the owner's manual. The new rule
also requires that all EDRs must record the same information and that
they be made to be more durable, but NHTSA has stopped short of
requiring them in all new vehicles. NHTSA rules also do not prevent a
car owner from disabling the EDR, but the devices are often wired into
safety systems like airbags and are difficult to disconnect. In
addition to law enforcement and trial use of the information, auto
manufacturers and NHTSA use information from EDRs to study whether a
car's safety features functioned in a crash and how drivers react.

NHTSA Final Rule on EDRs (pdf):


EPIC's Comments on EDRs:


[5] DHS Seeks Expanded Access to Travelers' Data

The Department of Homeland Security recently proposed expanding a
program that would share detailed airline passenger records between
European airlines and the US government.

In 2003, the Department secretly entered into an agreement with European
governments in which personal information about travelers to the US
would be transmitted to the government before they arrived in the
country. The European Court of Justice found that the agreement violated
European law, and ruled that the program should be struck down unless
amended by September 30, 2006. Now, the department has expressed
interest not only in amending the old program to meet the court's
requirements, but expanding the length of time that data is stored and
reducing safeguards on sharing the information with other agencies.

The passenger name record (PNR) system contains, at a minimum, specific
information on a passenger and travel plans, including name, contact
information, billing information, itinerary, and booking information for
the trip.  However, the records will frequently include much more
sensitive information, such as date of birth, credit card details, names
and contact information of relatives, and even religious, health or
dietary considerations.

In initial negotiations with the EU, the US government originally sought
access to all of the information in the PNR, and to store the
transferred data for up to fifty years. In the end, the agreement
allowed access to fewer fields of information, and allowed storage for
three and a half years.  DHS officials stated that, while they do not
wish to gain access to more types of data than the 2003 agreement
allowed, they would like to allow more sharing of the data with other
agencies and retain the data for a longer time.

DHS officials have claimed that the existing agreement "handcuffs" their
ability to share PNR data with law enforcement, though the existing
agreement already provides for such sharing in order to prevent serious

2004 Document Clarifying the 2003 PNR Agreement (pdf):


EPIC's PNR Disclosure Page:


[6] News in Brief

German State Finds SWIFT Data Transfers Violated German and EU Law

The Data Protection Commission for the German state of
Schleswig-Holstein has found that the transfer of banking data to the US
government violated German and European data protection law. Privacy
International, a London-based human rights organization, has filed
complaints regarding the surveillance program in 33 European countries,
and the European Parliament has passed a resolution objecting to the

Privacy International, German Commission Condemns SWIFT Transfers:


Resolution of the European Parliament on SWIFT Transfers:


Privacy International Campaign Against SWIFT:


Transportation Department Laptop Lost

A Department of Transportation laptop containing the unencrypted
personal information of 133,000 individuals was lost earlier this month,
putting thousands of drivers and pilots at risk for identity theft. The
laptop was stolen from a department vehicle in Florida. The data
included the names, Social Security numbers, and dates of birth for
9,500 Tampa area drivers, 80,000 commercial drivers based in the Miami
area, and 42,800 pilots issued licenses in Florida. The Department has
sent letters to affected individuals.

Transportation Department Page on the Breach:


Alltel Fined $100,000 for Call Record Violations

Communications company Alltel was fined $100,000 by the Federal
Communications Commission in connection with poor security practices
that put customers' call records data at risk. In response to a
complaint by EPIC that data brokers were fraudulently obtaining
customers' calling habits from phone companies with poor security, the
FCC found that Alltel was not adhering to basic rules regarding security
for customer records. The FCC continues to pursue a broader rulemaking
that would increase phone record security requirements.

FCC Order:


EPIC's FCC Complaint on Phone Security:


EPIC's Phone Records Page:


US Sues Maine Officials for Investigating NSA

The U.S. Department of Justice filed suit against state officials in
Maine who were investigating whether or not Verizon handed over customer
information to a secret NSA data mining program. Federal lawyers sought
to block the Maine Public Utilities Commission from demanding
information from the company. The federal government has previously sued
state officials in New Jersey and Missouri to prevent similar
investigations of the domestic spying program.

EPIC's Resources on Domestic Surveillance:


Casino Security Used Cameras to Spy on Guests

A security supervisor at a casino in Atlantic City, NJ had his license
suspended after a state review board found that he had used the casino's
security cameras to observe women instead of the state of security on
the floor. Caesars Atlantic City Hotel Casino also paid a $185,000 fine
and fired three employees due to allegations that security personnel
were abusing surveillance cameras in the casino. EPIC has previously
called attention to the potential for security cameras being abused to
invade individuals' privacy.

EPIC's Spotlight on Surveillance on Security Camera Abuses: 


NYC Proposes Cameras at Nightclub Exits

New York City Council member Christine Quinn recently proposed that New
York place security cameras aimed at the entrances and exits of
nightclubs, in response to recent murders at clubs in the city. The plan
has met with opposition by civil liberties and gay groups, who objected
to the fact that the cameras could invade privacy and eliminate patrons'
anonymity. Though individuals in public may be observed, their presence
is not necessarily associated with an identity. Recording their image,
however, easily leads to the loss of anonymity. EPIC has commented on
similar proposals in Washington D.C.

EPIC's Comments on Increased CCTV Surveillance in Washington (pdf):


[7] EPIC Bookstore: David Lazer's "DNA and the Criminal Justice System"

"DNA and the Criminal Justice System: The Technology of Justice" by
David Lazer (MIT Press 2004)


In the long history of criminal justice, no technology has had the
impact of DNA collection and analysis. According to the FBI, there are
now over three and a half million profiles in the national Combined DNA
Index System. Fifteen years ago, CODIS was a pilot project involving
only twelve forensic laboratories.

Experts say that DNA analysis offers a unique ability to determine guilt
and innocence. Prosecutors increasingly rely on DNA evidence to make
their case and to solve unsolved crimes. DNA evidence has also been used
by criminal defense attorneys to prove the innocence of those who have
been wrongly convicted. DNA testing has been used successfully by groups
such as the Innocence Project to exonerate more than 170 wrongly
convicted individuals, some of whom were on death row and imprisoned for

Still, DNA analysis also reveals race, paternity, propensity to develop
certain diseases, and other information that falls far outside the
criminal justice realm. There is, on the horizon, the very real
possibility that DNA use may dramatically expand into decisions about
employment, hiring, housing, and citizenship. And even within the
criminal justice system, there are ongoing concerns about the scope of
collection, the reliability of testing, and the possible use of DNA to
predict future criminal acts.

David Lazer's excellent collection of essays looks squarely at the
emerging policy concerns for DNA in the criminal justice system. A
balanced, thoughtful, and informative volume, "DNA and the Criminal
Justice System" should be required reading for policymakers, jurists,
researchers and others seeking to understand the dramatic transformation
now taking place.

As Justice Breyer explains in his contribution to the volume, there must
be "extensive, informed development of the relevant legal and policy
issues *prior* to decision." For example, the increased reliance on DNA
databases in criminal justice raises controversial ethical questions in
the realms of civil liberties, privacy, surveillance, and forensic
error. Do police laboratories need more rigorous standards for DNA
testing? Will law enforcement DNA databases expand to include millions
not convicted of any crime? Does mandatory DNA testing provide the
ultimate threat to civil liberties and privacy? Does it in fact increase
the likelihood of genetic or racial profiling?

These are pressing questions that Congress, the courts, and the public
will increasingly confront.

- Marc Rotenberg


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Infosecurity New York. Reed Exhibitions. September 12-14, 2006. New
York, New York. For more information:

Identity and Identification in a Networked World. New York University. 
September 29-30, 2006. New York, New York. For more information:

34th Research Conference on Communication, Information, and Internet
Policy. Telecommunications Policy Research Conference. September
29-October 1, 2006. Arlington, Virginia. For more information:

6th Annual Future of Music Policy Summit. Future of Music Coalition.
October 5-7, 2006. Montreal, Canada. For more information:

The IAPP Privacy Academy 2006. International Association of Privacy
Professionals. October 18-20, 2006. Toronto, Ontario, Canada. For more

International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November 1,
2006. Markham, Ontario, Canada. For more information:

Internet Governance Forum (IGF) October 30-November 2, 2006. Athens,
Greece. For more information:

28th International Data Protection and Privacy Commissioners'
Conference. November 2-3, 2006. London, United Kingdom. For more

BSR 2006 Annual Conference. Business for Social Responsibility. November
7-10, 2006. New York, New York. For more information:

CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.17 -------------------------