========================================================================
                           E P I C   A l e r t
========================================================================
Volume 13.18                                          September 6, 2006
------------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_13.18.html

========================================================================
Table of Contents
========================================================================
[1] EPIC, Privacy International Launch "Privacy and Human Rights 2005"
[2] House Holds Hearing on Domestic Surveillance
[3] IRS to Outsource Tax Collecting
[4] EPIC Argues in Appeal of DNA Dragnet Case
[5] California RFID Bill Nears Approval
[6] News in Brief
[7] EPIC Bookstore: Spencer Overton's "Stealing Democracy"
[8] Upcoming Conferences and Events

========================================================================
[1] EPIC, Privacy International Launch "Privacy and Human Rights 2005"
========================================================================

On Friday, September 8, EPIC and Privacy International release the 8th Privacy and Human Rights Report, which covers privacy laws and developments around the world. This annual report provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. It singles out a number of trends, including new anti-terrorism laws that provide for increased search capabilities and sharing of information among law enforcement authorities; and new traveler pre-screening and profiling systems.

Privacy and Human Rights documents the continued expansion of government surveillance authority, from the pursuit of new identification schemes in certain countries, and the expanded monitoring of communications, to weakened data protection laws, and intensified data transfers between the public and private sectors.
The report also finds continuing public opposition to identification systems, secret video surveillance, DNA databases, and radio frequency identification (RFID) technologies.

By publishing this report annually, EPIC and Privacy International seek to make readers aware of recent developments and emerging issues. The report also marks the success of many human rights advocacy groups around the world in promoting the rule of law, and making governments more accountable to the public. For example, Malaysian citizens and the Human Rights Caucus of the Parliament pressed for additional oversight when state Islamic departments wished to conduct raids against "immoral acts." In Thailand, civil liberties groups successfully opposed a police proposal that would have enabled warrantless wiretapping.

Privacy and Human Rights was written with the collaboration of more than 200 privacy experts, academics, government officials, and advocates. The 2005 edition of the survey tracks the adoption of new data protection and open government laws, and includes new country reports for Africa, Asia, Europe and Latin America.

Privacy and Human Rights: An International Survey of Privacy Laws and Developments will be officially launched on the occasion of the U.S. hearings of the Eminent Jurists Panel on Terrorism, Counter-terrorism and Human Rights. This panel was established by the International Commission of Jurists (ICJ), and the hearings take place at the American University Washington College of Law, in Washington DC, over the 5th, 6th, and 7th of September 2006.

PHR 2005 at the EPIC Bookstore:
     http://www.epic.org/bookstore/phr2005/phr2005.html

PHR 2005 Executive Summary in Spanish:
     http://www.epic.org/bookstore/phr2005/phr05_execsum_sp.pdf

PHR 2005 Executive Summary in Russian:
     http://www.epic.org/bookstore/phr2005/phr05_execsum_ru.pdf

PHR 2005 Executive Summary in Arabic:
     http://www.epic.org/bookstore/phr2005/phr05_execsum_AR.pdf

The Eminent Jurists Panel, U.S.
Hearings:
     http://ejp.icj.org/hearing.php3?id_rubrique=10

========================================================================
[2] House Holds Hearing on Domestic Surveillance
========================================================================

On September 6, the House Subcommittee on Crime, Terrorism, and Homeland Security held a hearing to consider proposed changes to the Foreign Intelligence Surveillance Act (FISA). Several members of Congress have proposed bills to amend FISA in the wake of last year's revelations that President Bush had authorized the National Security Agency to conduct warrantless wiretaps on calls where one party was present within the United States. FISA requires law enforcement to obtain a warrant to wiretap conversations that include a US citizen or permanent resident.

Proposals ranged widely, from those that would authorize or even expand the NSA program, to bills that would require additional investigation and study of the current program's legality. The most discussed proposal during the hearing was H.R. 5825, the "Electronic Surveillance Modernization Act," put forward by Representative Wilson (R-NM). This proposal would allow the warrantless wiretapping program to continue, reduce the types of surveillance that need court orders, and would allow the Attorney General to demand, with "written certification," that communications providers give the government any requested information, facilities, or technical assistance.

Lawyers for the Justice Department and the NSA testified in support of the program and of proposals that would establish its legality, though the Justice Department insisted that, even without any legislative changes, the program was legal under the President's inherent authority and under the 2001 Authorization of the use of Military Force. This was met with skepticism from some members.
Representative Flake (R-AZ) suggested that these justifications meant that the President would be free to ignore any laws dealing with foreign surveillance.

Testifying against the wiretapping program and its expansion was James Dempsey of the Center for Democracy and Technology, who pointed out that proposals to amend FISA by Representative Wilson and Senator Specter would actually "gut" existing safeguards, without any showing of how the NSA program, or any new surveillance powers, would help protect national security. Representative Delahunt (D-MA) noted that many debates about the NSA program were an "academic exercise," since the secret nature of the program prevents legislators and the public alike from knowing its contours or efficacy.

Hearing Notice, House Subcommittee on Crime, Terrorism, and Homeland Security (pdf):
     http://judiciary.house.gov/media/pdfs/FISAmedadv9506.pdf

Testimony of James Dempsey, CDT (pdf):
     http://www.cdt.org/testimony/20060906dempsey.pdf

EPIC's FISA Page:
     http://www.epic.org/privacy/terrorism/fisa/

EPIC's Resources on Domestic Surveillance:
     http://www.epic.org/features/surveillance.html

========================================================================
[3] IRS to Outsource Tax Collecting
========================================================================

Beginning September 7, the IRS will share information with private debt collectors who will pursue those behind on their taxes. Currently, three private companies are approved to contact taxpayers who owe $25,000 or less in back taxes. The debt collection companies will have access to the taxpayers' records.

EPIC has criticized similar proposals in the past, noting that private debt collectors would be less likely to follow federal privacy laws for taxpayer information and that consumers would be at greater risk of identity theft if sensitive IRS information were disclosed to private collection agencies.
The IRS downplayed the privacy and security vulnerabilities involved in allowing private access to taxpayer information, saying that the IRS will provide training for the three firms, and that each firm will be responsible for conducting background checks on its employees. The IRS plans to expand the number of firms involved to 10 by 2008.

The plan has also been criticized for the additional risk that taxpayers may succumb to fraud. Earlier this year, the IRS warned taxpayers to beware identity thieves who posed as private debt collectors for the IRS in order to gain access to sensitive personal and financial information. Others have noted that private companies, who will keep a portion of the back taxes owed, will have a much stronger incentive to pursue increased penalties to taxpayers, while being less likely to safeguard taxpayer rights. The program is estimated to increase net revenues by 1 billion dollars, though employing additional IRS agents was estimated to increase net revenues by about 87 billion.

IRS Page on Private Tax Collection:
     http://www.irs.gov/newsroom/article/0,,id=161179,00.html

EPIC's Comments on the 1995 IRS Compliance 2000 Proposal:
     http://www.epic.org/privacy/databases/irs/epic_compliance_2000.html

EPIC's Spotlight on Poor IRS Security:
     http://www.epic.org/privacy/surveillance/spotlight/0306/

========================================================================
[4] EPIC Argues in Appeal of DNA Dragnet Case
========================================================================

On September 7, the Fifth Circuit Court of Appeals in New Orleans, Louisiana will hear arguments in an appeal challenging the use of DNA dragnets in finding suspects. EPIC has filed a "friend of the court" brief in the case, and Executive Director Marc Rotenberg will argue EPIC's position before the court.
In 2002, police investigating a series of rapes and murders near Baton Rouge, Louisiana, conducted a DNA dragnet, collecting DNA samples from more than 1,200 men in an attempt to match someone's DNA with that found at the crime scenes. Shannon Kohler was one of the men approached by police. When he refused to provide a sample, he was served with a seizure warrant, forcing him to provide one. Kohler was later identified by police and news media as a suspect in the search for the serial killer.

After Kohler was cleared of wrongdoing in the investigation, he filed a suit against the Baton Rouge police, claiming that they lacked probable cause to obtain the warrant and that his DNA sample should be destroyed. In February 2005, a federal district court ruled against him, saying that police had probable cause based on two anonymous tips and the fact that Mr. Kohler met "certain elements of an FBI profile," which the court itself characterized as "so broad and vague that it cast a net of suspicion over thousands of citizens."

EPIC's amicus brief points out that DNA dragnets have been extremely ineffective in catching criminals, while the widespread collection of DNA samples erodes the privacy rights of thousands. The brief urges that clear guidelines be established before the police engage in this investigative practice. Kohler's attorney in the appeal has ceded time to EPIC to make its argument before the court.

EPIC's Kohler v. Englade Page:
     http://www.epic.org/privacy/kohler/default.html

EPIC's Amicus Brief in Kohler v.
Englade (pdf):
     http://www.epic.org/privacy/kohler/amicus.pdf

EPIC's Genetic Privacy Page:
     http://www.epic.org/privacy/genetic/

========================================================================
[5] California RFID Bill Nears Approval
========================================================================

The California legislature has recently passed the Identity Information Protection Act, which requires that state-issued IDs containing remotely readable RFID chips include adequate security features to prevent them from being read by unauthorized parties. RFID chips are designed to store unique identifiers that will be broadcast in response to a particular radio signal. The technology has already been rolled out for US passports and a number of other identification documents.

The California law, introduced by State Senator Joe Simitian, was sparked by concerns that RFID embedded within identification cards and documents could be remotely read without the user's knowledge, revealing personal information that could be used to commit fraud, identity theft, or gain unauthorized access. Bill proponents note that the technology has valid uses, but that the state needs to include protections when it compels citizens to carry a technology capable of broadcasting their personal information. Recently, security experts have shown the vulnerabilities of RFID chips, "cloning" the data on them using commonly available technology.

Specifically, the bill requires that RFID documents issued by state or local governments include tamper-resistant features, an authentication process by which both the card and the reader are recognized as legitimate, and a means for a holder of the document to directly control whether or not the chip can be read. Citizens would also have to be notified of the locations of RFID readers. However, the bill does not apply to RFID programs instituted before 2007.
The bill also criminalizes intentional unauthorized reading of an RFID identification document.

The bill now goes to Governor Schwarzenegger for approval. California civil liberties groups are urging residents to write the governor, encouraging him to sign the bill.

The Identity Information Protection Act (pdf):
     http://www.epic.org/redirect/ca_rfid_sb768.html

ACLU of Northern California's Page on the Act:
     http://www.aclunc.org/privacy/technology/yes768/index.html

EPIC's RFID page:
     http://www.epic.org/privacy/rfid

========================================================================
[6] News in Brief
========================================================================

Senate Subcommittee Holds Hearings on Airline Passenger Screening

On September 7, the Senate Subcommittee on Terrorism, Technology, and Homeland Security held a hearing on pre-screening international travelers who are flying into the United States. A Homeland Security program that acquired European passenger name records for pre-screening was opposed for its privacy violations by the European Parliament, and struck down by the European Court of Justice earlier this year. Homeland Security Secretary Chertoff has announced plans not only to revive the program, but also to expand certain aspects of it.

Hearing Notice:
     http://judiciary.senate.gov/hearing.cfm?id=2049

EPIC's Passenger Name Records Page:
     http://www.epic.org/privacy/intl/passenger_data.html

European Parliament Opposition to Passenger Record Sharing:
     http://www.epic.org/redirect/ep_resolution.html

European Court of Justice Ruling on Record Sharing:
     http://www.epic.org/redirect/ec_court_passenger.html

Education Department Shared Student Data with FBI

The Department of Education has been sharing personal information on students with the Federal Bureau of Investigation as part of a program called "Project Strikeback," the New York Times reports.
Through the program, the records of students named by the FBI were shared and examined for evidence of fraud or identity theft, which the FBI says can be linked to terrorism. The agencies refused to say whether any investigations resulted from the program, which ran for five years after the September 11 attacks, but is now closed. Generally, only permanent residents and U.S. citizens are eligible for federal student financial aid. In related news, the Department of Education is considering a proposal to create a detailed national student database.

New York Times on Project Strikeback:
     http://www.nytimes.com/2006/09/01/washington/01educ.html?ref=us

EPIC's Student Privacy page:
     http://www.epic.org/privacy/student/

Disney World Collecting Fingerprints

Walt Disney World in Florida announced that it would be installing fingerprint scanning technology at its park entrances. The units will collect fingerprint information to control entry to the theme parks to prevent ticket resales. In 2005, Disney first announced the expansion of a more limited biometric system that would include all visitors to its theme park. At that time Disney reported that all visitors age 10 or over would be processed through the biometric recording system.

EPIC's Theme Park and Privacy Page:
     http://www.epic.org/privacy/themepark/

Hewlett-Packard Pretexted Info on its Directors

An internal investigation into boardroom leaks at Hewlett-Packard recently drew the attention of law enforcement. The tech company hired investigators who tracked the phone calls of its directors through a method called "pretexting." Pretexting is a practice of illicitly obtaining information by impersonating someone who should have access to the information sought. EPIC highlighted this practice last year in complaints to the Federal Trade Commission and the Federal Communications Commission and recommended new safeguards to protect the privacy of personal information.
The California Attorney General's office has announced an initial investigation of the matter. Hewlett-Packard revealed the surveillance in disclosures to the federal Securities and Exchange Commission relating to the resignation of one of its board members.

EPIC's Pretexting Page:
     http://www.epic.org/privacy/iei/

Google Gives User Data to Brazilian Court

Google's social networking service Orkut was ordered by a Brazilian court to hand over user data, including IP addresses and login times. The court sought this data in connection with investigations of online communities encouraging pedophilia, racism, and homophobia. Google at first argued that it would respond only to a subpoena by a US court, since the data resides in US-based servers. Faced with a fine, however, Google handed over the data. Previously, Google has resisted a US Justice Department request for billions of its search queries. A federal judge in California ruled that the search queries, which were not sought in regard to a criminal investigation, need not be disclosed.

Text of the California Ruling in Gonzales v. Google (pdf):
     http://www.epic.org/privacy/gmail/doj_court_order.pdf

========================================================================
[7] EPIC Bookstore: Spencer Overton's "Stealing Democracy"
========================================================================

"Stealing Democracy: the New Politics of Voter Suppression" by Spencer Overton. (W. W. Norton & Company, 2006).

http://www.powells.com/partner/24075/biblio/2-0393061590-1

This is a wonderful read both for political season junkies and those who would like to take a peek behind the curtain of our nation's most fundamental democratic institution--the public election. The book's first chapter is an eye-opening tour of the election process that will dissuade you of any notion that "one person, one vote" has ever been the goal of public elections.
Beyond just the messy conclusion of the 2000 Florida presidential election, "Stealing Democracy" instills a greater appreciation of the efforts of inside political partisans to prevent change from happening, and the monumental efforts that voting rights advocates have made to expand the franchise to minorities, women, youth, and new residents. By the end of Professor Overton's book you will have a better understanding of why Florida was not an isolated event, and why things have not improved much since that election.

The book does do something that may surprise the reader, though: it is humorous, hopeful, insightful, balanced, and intuitive about the conflicting arguments surrounding redistricting, voter ID requirements, felon voting rights, the cost of election administration, Section 5 of the Voting Rights Act, and the role of federal, state, and local government in election administration.

For example, Professor Overton details the delicate mating ritual that takes place during the drawing of new district lines following each decennial census. The process is controlled from beginning to end by partisan powers-that-be seeking to maintain the status quo. Every possible tactic is deployed to keep the language and tone of the process such that no one will question the assumption that this is the only acceptable method for drawing the lines for elected offices.

Professor Overton also points out the little discussed problems of administering public elections: cost and shortages of election workers. Neglect of election administration meant voting systems became antiquated or were left in disrepair, and poll workers, although much appreciated, were little more than volunteers.
He concedes that the process of election-related decision-making will likely always be political, but he insists that it can be fair, provided there is a national discussion about a formula that would encompass federal, state, local, and citizen roles to provide an appropriate level of checks and balances for public election administration.

According to Professor Overton, the machinations behind our elections serve to keep in power those who are currently in power by any means available. The book makes valuable observations and offers some foundations to begin a national discussion on reforming our most cherished democratic institution. Public elections should not be a matter of making sure that one party wins, but that every voter wins the right to equal access to participate in public elections. Now that would be a new experience. Happy Political Season!

----Lillie Coney

================================

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.
http://www.epic.org/bookstore/phr2005/phr2005.html

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.

================================

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
     http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
     https://mailman.epic.org/cgi-bin/control/foia_notes

========================================================================
[8] Upcoming Conferences and Events
========================================================================

Infosecurity New York. Reed Exhibitions. September 12-14, 2006. New York, New York. For more information: http://www.infosecurityevent.com

Preventing and Responding to Security Breaches. Privacy Journal. September 28-29. New York, New York.
For more information: www.aciresources.com

Identity and Identification in a Networked World. New York University. September 29-30, 2006. New York, New York. For more information: http://www.easst.net/node/976

34th Research Conference on Communication, Information, and Internet Policy. Telecommunications Policy Research Conference. September 29-October 1, 2006. Arlington, Virginia. For more information: http://www.tprc.org/TPRC06/2006.htm

6th Annual Future of Music Policy Summit. Future of Music Coalition. October 5-7, 2006. Montreal, Canada. For more information: http://www.futureofmusic.org/events/summit06/

The IAPP Privacy Academy 2006. International Association of Privacy Professionals. October 18-20, 2006. Toronto, Ontario, Canada. For more information: www.privacyassociation.org

International Conference on Privacy, Security, and Trust (PST 2006). University of Ontario Institute of Technology. October 20-November 1, 2006. Markham, Ontario, Canada. For more information: http://www.businessandit.uoit.ca/pst2006/

Internet Governance Forum (IGF) October 30-November 2, 2006. Athens, Greece. For more information: http://www.igfgreece2006.gr/

28th International Data Protection and Privacy Commissioners' Conference. November 2-3, 2006. London, United Kingdom. For more information: http://www.privacyconference2006.co.uk/

BSR 2006 Annual Conference. Business for Social Responsibility. November 7-10, 2006. New York, New York. For more information: http://www.bsr.org/BSRConferences/index.cfm

CFP2007: Computers, Freedom, and Privacy Conference. Association for Computing Machinery. May 2007. Montreal, Canada.
For more information: http://www.cfp2007.org

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:
     https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:
     http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible.
Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
     http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.18 -------------------------