======================================================================== E P I C A l e r t ======================================================================== Volume 13.17 August 25, 2006 ------------------------------------------------------------------------ Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. http://www.epic.org/alert/EPIC_Alert_13.17.html ======================================================================== Table of Contents ======================================================================== [1] Federal Court Finds NSA Wiretaps Illegal [2] AOL Releases Users' Search Queries [3] DHS Inspector General: More Security Needed for RFID [4] Government to Require Cars Warn of "Black Box" Recording [5] DHS Seeks Expanded Access to Travelers' Data [6] News in Brief [7] EPIC Bookstore: David Lazer's "DNA and the Criminal Justice System" [8] Upcoming Conferences and Events ======================================================================== [1] Federal Court Finds NSA Wiretaps Illegal ======================================================================== On August 17, a federal court in Detroit held that the government's program or warrantless eavesdropping was illegal and unconstitutional. The court then ordered the government to halt the program. The program, operated by the National Security Agency, taps into the phone conversations of "US persons" (citizens and permanent residents) without first obtaining a warrant, either from a criminal court or even the secretive Foreign Intelligence Surveillance Court. After the program's existence was made public, a coalition of civil liberties organizations and individuals sued to keep the wiretap program from continuing. The government, citing the secret nature of the program, argued that the suit should be dismissed, since the existence of the program was a "state secret." The court, however, refused to throw out the case, noting that the government had admitted enough about the existence of the program publicly to allow the suit. The court not only allowed the suit to proceed, however, but also found that the warrantless surveillance program violated the Foreign Intelligence Surveillance Act (FISA), which regulates the wiretapping of foreign intelligence, and Title III of the Omnibus Crime Control and Safe Streets Act, which regulates domestic surveillance. The court also found that the Fourth Amendment had been violated, since no warrants had been sought, either before or after surveillance had begun. The program also violated the First Amendment, the court held, since the wiretapping program would chill the speech of those groups and individuals who thought themselves likely to be wiretapped. The decision also addressed the arguments that the president's inherent powers and the 2001 Authorization for Use of Military Force granted the administration the ability to conduct the wiretapping program, contrary to existing laws. "First, this court must note that the AUMF says nothing whatsoever of intelligence or surveillance. . . Next it must be noted that FISA and Title III are together by their terms denominated by Congress as the exclusive means by which electronic surveillance may be conducted." The court dismissed the inherent powers argument, noting that the military powers granted to the president to not allow the violation of existing laws. The plaintiffs had also sued to halt another NSA program, which trawls through a massive database of phone call records. However, the court dismissed that claim, saying that, without any admission of the program's existence, the state secrets privilege would bar the suit. This is the latest of three judicial opinions on government surveillance programs to be issued in recent months. In July, a federal judge in Illinois dismissed a lawsuit against AT&T for its participation in the call records data mining, citing the state secrets doctrine. A federal court in San Francisco, however, allowed another suit against AT&T's participation in the eavesdropping program to proceed, though it did not make a final ruling on the case. Both the Congressional Research Service and a team of legal scholars have issued reports concluding that the eavesdropping program is illegal. Opinion in ACLU v. NSA (pdf): http://www.epic.org/privacy/terrorism/fisa/acluvnsaop081706.pdf Congressional Research Service Report on Domestic Surveillance Program (pdf): http://www.epic.org/privacy/terrorism/fisa/crs_analysis.pdf Legal Scholars' Report on the Domestic Surveillance Program (pdf): http://www.epic.org/privacy/terrorism/fisa/dojreply.pdf EPIC's Spotlight on Surveillance on the NSA Program: http://epic.org/privacy/surveillance/spotlight/0106/default.html ======================================================================== [2] AOL Releases Users' Search Queries ======================================================================== AOL's Chief Technology Officer has resigned and two staff have been fired two weeks after researchers released the search terms used by 650,000 users of AOL's search engine over a three month period. The data includes a unique identifier for each user, the terms searched for, the time and date of the search, and the result the user clicked on. It was intended to be a tool for researchers trying to design better search engines. While AOL initially claimed the search data had been anonymized, since the users' names had been replaced with numeric identifiers, many of the search terms included personally identifiably information such as names, addresses, and even e-mail messages. This often makes the correlation of a user's search results with the user's real identity possible. For instance, the New York Times was able to identify user 4417749 as Thelma Arnold of Lilburn, Georgia. Her searches included queries about medical conditions of some of her friends. She also searched for landscapers in her area and other interests like traveling. Other users in the disclosed data searched for a wide range of topics, including relationship advice, escort services, and other personal queries. Because a user is consistently identified by an identifying number, the user's searches can be seen over time covering a variety of subjects, and connections can be drawn between queries. As the New York Times found, multiple queries can be used to narrow down the identity of a searcher even without directly personally identifiable information being given. However, many users apparently entered personally identifiable information into their searches, including credit card and Social Security numbers. AOL quickly took the data off its web site and later apologized, but other people who had downloaded the data have made it available. AOL has said it will review its privacy policies to prevent future disclosures like this one, but it and other major search engines plan to continue recording users' search terms. The breach has led to calls for the Federal Trade Commission to investigate AOL for unfair and deceptive trade practices, since AOL's privacy policy states that personal information and search queries would not be disclosed without user consent. AOL's breach of information would also likely trigger the security breach laws of many states, requiring AOL to notify those customers whose information has been published. World Privacy Forum's FTC Complaint (pdf): http://www.epic.org/redirect/wpf_aol_complaint.html Electronic Frontier Foundation's FTC Complaint (pdf): http://www.eff.org/Privacy/AOL/aol_ftc_complaint_final.pdf World Privacy Forum Search Privacy Tips: http://www.worldprivacyforum.org/searchengineprivacytips.html ======================================================================== [3] DHS Inspector General: More Security Needed for RFID ======================================================================== According to a report recently released by the Department of Homeland Security's Office of the Inspector General, the Department's use of radio frequency identification (RFID) technology leaves critical information open to unauthorized access. RFID chips store data and broadcast it via radio waves in response to another radio signal. The small, remotely-readable chips are being placed in immigration documents, passports, and are may soon be used to track cargo and passenger baggage. The report also found a lack of systematic inventories of RFID technology and consistent policies, and identified security concerns regarding user access permissions, password management, and auditing in the Department's RFID databases. The specific database problems, found within US Customs and Border Protection and the US Visitor and Immigrant Status Indicator Technology Program, have been redacted from the report released to the public. In addition to database security concerns, the Inspector General's report highlighted that data on a tag, in the absence of adequate security measures, can be read by a variety of authorized and unauthorized readers. The report also found that security controls were not always present in developing systems, creating the risk that many systems under development would not be adequately tested prior to their application in the real world. The State Department has begun using RFID technology in new e-passports, which it rolled out in Colorado earlier this month. However, a security researcher in Las Vegas announced before the rollout that he was able, with readily available technology, to clone the RFID tags that are to be placed in passports. Other privacy concerns that have been raised over e-passports are unauthorized reading of the tag's data and use of the tags to identify US citizens. Both the Department of Homeland Security and the Government Accountability Office have recently issued reports highlighting their concerns over RFID's increased risks to privacy and paucity of the touted security benefits. DHS Inspector General's Report (pdf): http://www.epic.org/redirect/dhs_ig_rfid.html GAO Report on RFID (pdf): http://www.gao.gov/new.items/d05551.pdf EPIC's RFID Page: http://www.epic.org/privacy/rfid/ ======================================================================== [4] Government to Require Cars Warn of "Black Box" Recording ======================================================================== Car buyers will have to be notified if their car contains an Event Data Recorder (EDR), according to a new rule proposed by the National Highway Traffic Safety Administration (NHTSA). EDRs, like “black boxes” used in airplanes, record information about a car's operation in the moments before a crash. The position of the steering wheel, the amount the brake pedal was depressed, the speed of the car, whether seat belts are fastened, and other information recorded by the cigarette pack-sized EDR can be used by law enforcement and in court to recreate car's state at the time of a crash. NHTSA says that 64% of model 2005 cars came equipped with EDRs. Some car manuals acknowledge the use of the EDR in the car, and some states require disclosure of the presence of the EDR. In 2004, EPIC argued in comments to the agency that all car owners should not only be made aware that information about their driving is being recorded, but that consumers should have the right to control the collection and dissemination of their driving data. The new rule, which goes into effect 2010, requires that cars equipped with EDRs must mention the usage in the owner's manual. The new rule also requires that all EDRs must record the same information and that they be made to be more durable, but NHTSA has stopped short of requiring them in all new vehicles. NHTSA rules also do not prevent a car owner from disabling the EDR, but the devices are often wired into safety systems likes airbags and are difficult to disconnect. In addition to law enforcement and trial use of the information, auto manufacturers and NHTSA use information from EDRs to study whether a car's safety features functioned in a crash and how drivers react. NHTSA Final Rule on EDRs (pdf): http://www.epic.org/redirect/nhtsa_edr_rule.html EPIC's Comments on EDRs: http://www.epic.org/privacy/drivers/edr_comm81304.html ======================================================================== [5] DHS Seeks Expanded Access to Travelers' Data ======================================================================== The Department of Homeland Security recently proposed expanding a program that would share detailed airline passenger records between European airlines and the US government. In 2003, the Department secretly entered into an agreement with European governments in which personal information about travelers to the US would be transmitted to the government before they arrived in the country. The European Court of Justice found that the agreement violated European law, and ruled that the program should be struck down unless amended by September 30, 2006. Now, the department has expressed interest not only in amending the old program to meet the court's requirements, but expanding the length of time that data is stored and reducing safeguards on sharing the information with other agencies. The passenger name record (PNR) system contains, at a minimum, specific information on a passenger and travel plans, including name, contact information, billing information, itinerary, and booking information for the trip. However, the records will frequently include much more sensitive information, such as date of birth, credit card details, names and contact information of relatives, and even religious, health or dietary considerations. In initial negotiations with the EU, the US government originally sought access to all of the information in the PNR, and to store the transferred data for up to fifty years. In the end, the agreement allowed access to fewer fields of information, and allowed storage for three and a half years. DHS officials stated that, while they do not wish to gain access to more types of data than the 2003 agreement allowed, they would like to allow more sharing of the data with other agencies and retain the data for a longer time. DHS officials have claimed that the existing agreement "handcuffs" their ability to share PNR data with law enforcement, though the existing agreement already provides for such sharing in order to prevent serious crimes. 2004 Document Clarifying the 2003 PNR Agreement (pdf): http://www.epic.org/redirect/2004pnr_agreement.html EPIC's PNR Disclosure Page: http://www.epic.org/privacy/intl/passenger_data.html ======================================================================== [6] News in Brief ======================================================================== German State Finds SWIFT Data Transfers Violated German and EU Law The Data Protection Commission for the German state of Schleswig-Holstein has found that the transfer of banking data to the US government violated German and European data protection law. Privacy International, a London-based human rights organization, has filed complaints regarding the surveillance program in 33 European countries, and the European Parliament has passed a resolution objecting to the program. Privacy International, German Commission Condemns SWIFT Transfers: http://www.epic.org/redirect/pi_swift_germany.html Resolution of the European Parliament on SWIFT Transfers: http://www.epic.org/redirect/pi_ep_swift.html Privacy International Campaign Against SWIFT: http://www.epic.org/redirect/pi_swift.html Transportation Department Laptop Lost A Department of Transportation laptop containing the unencrypted personal information of 133,000 individuals was lost earlier this month, putting thousands of drivers and pilots at risk for identity theft. The laptop was stolen from a department vehicle in Florida. The data included the names, Social Security numbers, and dates of birth for 9,500 Tampa area drivers, 80,000 commercial drivers based in the Miami area, and 42,800 pilots issued liceses in Florida. The Department has sent letters to affected individuals. Transportation Department Page on the Breach: http://www.oig.dot.gov/datasecurity.jsp Alltel Fined $100,000 for Call Record Violations Communications company Alltel was fined $100,000 by the Federal Communications Commission in connection with poor security practices that put customers' call records data at risk. In response to a complaint by EPIC that data brokers were fraudulently obtaining customers' calling habits from phone companies with poor security, the FCC found that Alltel was not adhering to basic rules regarding security for customer records. The FCC continues to pursue a broader rulemaking that would increase phone record security requirements. FCC Order: http://www.fcc.gov/eb/Orders/2006/DA-06-1641A1.html EPIC's FCC Complaint on Phone Security: http://www.epic.org/privacy/iei/cpnipet.html EPIC's Phone Records Page: http://www.epic.org/privacy/iei/ US Sues Maine Officials for Investigating NSA The U.S. Department of Justice filed suit against state officials in Maine who were investigating whether or not Verizon handed over customer information to a secret NSA data mining program. Federal lawyers sought to block the Maine Public Utilities Commission from demanding information from the company. The federal government has previously sued state officials in New Jersey and Missouri to prevent similar investigations of the domestic spying program. EPIC's Resources on Domestic Surveillance: http://www.epic.org/features/surveillance.html Casino Security Used Cameras to Spy on Guests A security supervisor at a casino in Atlantic City, NJ had his license suspended after a state review board found that he had used the casino's security cameras to observe women instead of the state of security on the floor. Caesars Atlantic City Hotel Casino also paid a $185,000 fine and fired three employees due to allegations that security personnel were abusing surveillance cameras in the casino. EPIC has previously called attention to the potential for security cameras being abused to invade individuals' privacy. EPIC's Spotlight on Surveillance on Security Camera Abuses: http://epic.org/privacy/surveillance/spotlight/1205/default.html NYC Proposes Cameras at Nightclub Exits New York City Council member Christine Quinn recently proposed that New York place security cameras aimed at the entrances and exits of nightclubs, in response to recent murders at clubs in the city. The plan has met with opposition by civil liberties and gay groups, who objected to the fact that the cameras could invade privacy and eliminate patrons' anonymity. Though individuals in public may be observed, their presence is not necessarily associated with an identity. Recording their image, however, easily leads to the loss of anonymity. EPIC has commented on similar proposals in Washington D.C. EPIC's Comments on Increased CCTV Surveillance in Washington (pdf): http://www.epic.org/privacy/surveillance/cctvcom062906.pdf ======================================================================== [7] EPIC Bookstore: David Lazer's "DNA and the Criminal Justice System" ======================================================================== "DNA and the Criminal Justice System: The Technology of Justice" by David Lazer (MIT Press 2004) http://www.powells.com/partner/24075/biblio/17-026262186x-1 In the long history of criminal justice, no technology has had the impact of DNA collection and analysis. According to the FBI, there are now over three and half million profiles in the national Combined DNA Index System. Fifteen years ago, CODIS was a pilot project involving only twelve forensic laboratories. Experts say that DNA analysis offers a unique ability to determine guilt and innocence. Prosecutors increasingly rely on DNA evidence to make their case and to solve unsolved crimes. DNA evidence has also been used by criminal defense attorneys to prove the innocence of those who have been wrongly convicted. DNA testing has been used successfully by groups such as the Innocence Project to exonerate more than 170 wrongly convicted individuals, some of whom were on death row and imprisoned for decades. Still, DNA analysis also reveals race, paternity, propensity to develop certain diseases, and other information that falls far outside the criminal justice realm. There is, on the horizon, the very real possibility that DNA use may dramatically expand into decisions about employment, hiring, housing, and citizenship. And even within the criminal justice system, there are ongoing concerns about the scope of collection, the reliability of testing, and the possible use of DNA to predict future criminal acts. David Lazer's excellent collection of essays looks squarely at the emerging policy concerns for DNA in the criminal justice system. A balanced, thoughtful, and informative volume, "DNA and the Criminal Justice System" should be required reading for policymarkers, jurists, researchers and others seeking to understand the dramatic transformation now taking place. As Justice Breyer explains in his contribution to the volume, there must be "extensive, informed development of the relevant legal and policy issues *prior* to decision." For example, the increased reliance on DNA databases in criminal justice raises controversial ethical questions in the realms of civil liberties, privacy, surveillance, and forensic error. Do police laboratories need more rigorous standards for DNA testing? Will law enforcement DNA databases expand to include millions not convicted of any crime? Does mandatory DNA testing provide the ultimate threat to civil liberties and privacy? Does it in fact increase the likelihood of genetic or racial profiling? These are pressing questions that Congress, the courts, and the public will increasingly confront. - Marc Rotenberg ================================ EPIC Publications: "Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98. http://www.epic.org/redirect/aspen_ipl_casebook.html This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law. ================================ "Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60. http://www.epic.org/bookstore/phr2005/phr2005.html This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published. ================================ "FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40. http://www.epic.org/bookstore/foia2004 This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual. ================================ "The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40. http://www.epic.org/bookstore/pvsourcebook This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process. ================================ "The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40. http://www.epic.org/bookstore/pls2004/ The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act. ================================ "Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20. http://www.epic.org/bookstore/filters2.0 A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression. ================================ EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at: EPIC Bookstore http://www.epic.org/bookstore "EPIC Bookshelf" at Powell's Books http://www.powells.com/features/epic/epic.html ================================ EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act. Subscribe to EPIC FOIA Notes at: https://mailman.epic.org/cgi-bin/control/foia_notes ======================================================================== [8] Upcoming Conferences and Events ======================================================================== Infosecurity New York. Reed Exhibitions. September 12-14, 2006. New York, New York. For more information: http://www.infosecurityevent.com Identity and Identification in a Networked World. New York University. September 29-30, 2006. New York, New York. For more information: http://www.easst.net/node/976 34th Research Conference on Communication, Information, and Internet Policy. Telecommunications Policy Research Conference. September 29-October 1, 2006. Arlington, Virginia. For more information: http://www.tprc.org/TPRC06/2006.htm 6th Annual Future of Music Policy Summit. Future of Music Coalition. October 5-7, 2006. Montreal, Canada. For more information: http://www.futureofmusic.org/events/summit06/ The IAPP Privacy Academy 2006. International Association of Privacy Professionals. October 18-20, 2006. Toronto, Ontario, Canada. For more information: www.privacyassociation.org International Conference on Privacy, Security, and Trust (PST 2006). University of Ontario Institute of Technology. October 20-November 1, 2006. Markham, Ontario, Canada. For more information: http://www.businessandit.uoit.ca/pst2006/ Internet Governance Forum (IGF) October 30-November 2, 2006. Athens, Greece. For more information: http://www.igfgreece2006.gr/ 28th International Data Protection and Privacy Commissioners' Conference. November 2-3, 2006. London, United Kingdom. For more information: http://www.privacyconference2006.co.uk/ BSR 2006 Annual Conference. Business for Social Responsibility. November 7-10, 2006. New York, New York. For more information: http://www.bsr.org/BSRConferences/index.cfm CFP2007: Computers, Freedom, and Privacy Conference. Association for Computing Machinery. May 2007. Montreal, Canada. For more information: http://www.cfp2007.org ====================================================================== Subscription Information ====================================================================== Subscribe/unsubscribe via web interface: https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news Back issues are available at: http://www.epic.org/alert The EPIC Alert displays best in a fixed-width font, such as Courier. ======================================================================== Privacy Policy ======================================================================== The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information." ======================================================================== About EPIC ======================================================================== The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at: http://www.epic.org/donate Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ------------------------- END EPIC Alert 13.17 ------------------------- .