EPIC logo

  

========================================================================
                           E P I C  A l e r t
========================================================================
Volume 13.23                                            November 16, 2006
------------------------------------------------------------------------

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.

             http://www.epic.org/alert/EPIC_Alert_13.23.html


========================================================================
Table of Contents
========================================================================
[1] EPIC FOIA Documents: Commerce's Privacy Officer Is Out to Lunch
[2] President Seeks OK for Domestic Surveillance Program
[3] Privacy International Publishes Global Privacy Report
[4] Electronic Voting Technology Problems Hamper Elections
[5] EPIC Files Brief Urging Supreme Court to Review Secret Law
[6] News in Brief
[7] EPIC Bookstore: David Holtzman's "Privacy Lost"
[8] Upcoming Conferences and Events

========================================================================
[1] EPIC FOIA Documents: Commerce's Privacy Officer Is Out to Lunch
========================================================================

Documents obtained by EPIC under the Freedom of Information Act reveal
that Deputy Under Secretary Robert C. Cresanti, Chief Privacy Officer
for the Department of Commerce, made time in 2006 for many meetings with
business groups but was unable to attend one scheduled meeting with
privacy advocates.

The documents were provided in response to a FOIA request from EPIC
regarding the various meetings scheduled by the Chief Privacy Officer
for the Department of Commerce from the time of his appointment in
mid-July through September 8. Mr. Cresanti attended more than 25
meetings with business lobbyists and corporate representatives across
the country, including business lunches and dinners with
DaimlerChrysler, Pitney Bowes and the Council on Competitiveness, whose
members include executives from Wal-Mart and IBM. He also attended
day-long business meetings in Detroit, Michigan; Elyria, Ohio, and
Chicago, Illinois.

However, the top privacy official at the Commerce Department did not
attend one pre-scheduled meeting with privacy advocates in Washington,
DC. Cresanti had accepted an invitation to speak to the Privacy
Coalition, a network of privacy experts and advocates based in
Washington, DC.

Cresanti had agreed to speak with the Privacy Coalition on September 8
at 1:15 p.m., after another meeting at the National Institute of
Standards and Technology. But his appointment at NIST, scheduled to end
at noon, was completed earlier than anticipated and he went back to his
office. When Cresanti did not arrive at the privacy meeting, the
coalition was informed that he had made an impromptu decision to have
lunch instead. Cresanti has not rescheduled.

The Department of Commerce is responsible for a wide range of privacy
issues of concern to the American public. For example, the Commerce
Department is responsible for the decennial census and the data
collected by the federal government. Questions have also been raised
about security of the data the agency maintains on American citizens. In
September, the Commerce Department disclosed the loss of 1,137 laptops
-- many of which contained personal information on Americans. The agency
also disclosed that, since 2003, about 297 electronic devices containing
sensitive data had gone missing.

The Department of Commerce also establishes policy that affects privacy
rights in other countries. In September 2005, EPIC urged Commerce
Secretary Carlos M. Gutierrez to restrict the export of high-tech
surveillance equipment to China. While U.S, law limits the export of
tear gas, handcuffs, and shotguns to China, high-tech equipment that is
used for communications surveillance and censorship is exported to the
country without restrictions. EPIC's letter cited the 2005 US State
Department report and the Privacy and Human Rights report, which
document the role that surveillance and censorship technology play in
political repression.

In announcing the appointment of Cresanti to the position of Chief
Privacy officer for the Department, Commerce Secretary Gutierrez said,
"Information privacy and security is of primary importance to us here at
Commerce, and we are fortunate to have Robert Cresanti's expertise to
call upon," said Secretary Gutierrez. "I am confident that Robert's
background, experience, and concern for privacy and security make him
well suited to take on the role of Chief Privacy Officer for the
Department of Commerce."

EPIC's FOIA Note, "Government Privacy Official: Out to Lunch When it
Comes to Privacy":

     http://www.epic.org/foia_notes/note13.html

Privacy Coalition:

     http://privacycoalition.org/

Department of Commerce:

     http://www.commerce.gov/
 
Press Release Announcing Cresanti's Appointment:

     http://www.technology.gov/GovReleases/DOC_060713.htm

EPIC's Letter to the Department of Commerce (pdf):

     http://www.epic.org/privacy/intl/doc_china_letter.pdf

U.S. Census:

     http://www.census.gov/

News Article about the Loss of Laptops at Commerce: 

     http://www.govexec.com/dailyfed/0906/092206p1.htm

========================================================================
[2] President Seeks OK for Domestic Surveillance Program
========================================================================

Following the election of a Democratic Congress last week, President
Bush said that the current Congress, still under the control of the
Republicans, should try to pass legislation that would ratify his
domestic surveillance program before adjourning later this year. That
program is facing legal challenges in courts across the United States.

The legislation that the President favors would prevent traditional
federal judges from considering whether the domestic surveillance
program violates the Constitution or federal privacy laws. It would also
establish a new immunity provision for telephone companies that would
allow them to disclose confidential information about their customers to
the federal government without legal authority. Several bills are under
consideration in the Senate, and one bill has passed the House.

Congress goes on recess this week and is expected to return to
Washington on December 5. The first session of the new Congress is
scheduled to begin on January 4, 2007.

EPIC's Resources on Domestic Surveillance:

     http://epic.org/features/surveillance.html

Wikipedia, NSA Warrantless Surveillance Controversy:

     http://www.epic.org/redirect/wikinsa1106.html

Marc Rotenberg, EPIC Executive Director, "Congress is legislating in the
dark: Lawmakers need more information before OKing Bush surveillance
program":

     http://www.msnbc.msn.com/id/15199819/

Schedule of the U.S. Senate:

     http://www.epic.org/redirect/sensched1106.html

========================================================================
[3] Privacy International Publishes Global Privacy Report
========================================================================

A new report from Privacy International ranked the state of privacy
protection in 37 countries around the world. The survey, based on the
joint EPIC and Privacy International "2005 Privacy and Human Rights
Report," found wide disparities in the levels of privacy protection and
enforcement.

Privacy International derived each country's ranking from the average of
scores received in 13 categories of privacy protection, which ranged
from the extensiveness of countries' statutory and constitutional
protections to their practices on particular privacy issues, such as
biometrics, data sharing and surveillance. The survey also evaluated
countries' leadership on privacy issues. Germany and Canada topped the
survey, while Malaysia, China, Russia, Singapore and the United Kingdom
received the lowest rankings, placing them in the category of 'endemic
surveillance societies.'

The report was simultaneously released at the UN's Internet Governance
Forum in Athens and the 28th annual International Data Protection and
Privacy Commissioners' Conference in London. The London conference
included 58 data protection and privacy authorities, as well as a number
of legal scholars and NGOs from around the world. The privacy
commissioners expressed concern about the rapid growth of surveillance.
While surveillance activities can bring benefits, uncontrolled or
excessive surveillance poses substantial privacy and security risks, the
commissioners said. More sophisticated regulatory schemes beyond privacy
and data protection safeguards are needed to address these risks.

"A Report on the Surveillance Society," was also presented at the
conference, discussed the operation and consequences of the surveillance
society as well as some of the regulatory challenges that it poses. The
incorporation of societal impacts into the assessment of surveillance
activities will enhance current privacy impact assessment models, which
tend to focus on the effect to the individual, the report said.

The privacy commissioners issued three resolutions at the conference,
which accredit eight new national and regional data protection
authorities and clarify future conference organization arrangements. The
third resolution recommended an increase in transparency, data
minimization, and consent-based storage of personal data by Internet
Service Providers. It also urged providers to abide by the
internationally recognized standards for privacy protection, such as the
1980 OECD Privacy Guidelines.

Privacy International's 2006 National Privacy Ranking:

    http://www.privacyinternational.org/survey/phr2005/phr2005spread.jpg

Privacy and Human Rights 2005: An International Survey of Privacy Laws
and Developments:

     http://www.epic.org/bookstore/phr2005/phr2005.html

Twenty-eighth Annual International Data Protection and Privacy
Commissioners' Conference:

     http://www.privacyconference2006.co.uk/

A Report on the Surveillance Society (pdf):

     http://www.privacyconference2006.co.uk/files/report_eng.pdf

========================================================================
[4] Electronic Voting Technology Problems Hamper Elections
========================================================================

Many instances of electronic voting machine failures marred the voting
experience for voters in the states of Arkansas, Florida, Maryland,
Pennsylvania and Virginia. The problems ranged from electronic poll-book
failures to insufficient numbers of voting machines to serve polling
locations. The most notable problem was the failure of Election Systems
& Software's iVotronic touch-screen voting system, which resulted a 13%
undervote in the race in the 13th Congressional District in Florida.
About 18,000 votes were lost due to the failure.

On Election Day, Rice University and the National Committee for Voting
Integrity conducted a survey of voters in Jefferson County, Texas, to
learn more about the adoption of new voting systems. Jefferson County
used the optical scan and direct recording electronic (DRE, also called
touch-screen) voting system. The survey was conducted because of
interest in how voters and election administrators are being affected by
changes in voting technology after the enactment of the 2002 Help
America Vote Act. The research involved timing how long it took for
voters to use either the optical scan or touch screen voting system and
collection of voter opinions about the system that they used. The
results of the surveys will take several weeks to analyze.

With the enactment of the Act, Congress for the first time created a
role for the federal government in the administration of local elections
when federal offices are on the ballot. Many changes made by the Act
will impact all elections, not just federal ones. The Act created a new
federal government agency to provide guidance to states and instituted
requirements for access by those with disabilities.

The result has been a historic shift from lever, paper, and punch card
voting systems to optical scan and DRE systems. According to Election
Data Services, a political consulting firm specializing in election
administration, the transformation to electronic systems is nearly
complete. The numbers of registered voters in counties using optical
scan voting systems has increased from 46.7 million (29.5%) to 84
million (48.9%). The number of registered voters in counties using DRE
systems have increased from 19.7 million (12.4%) to 65.9 million (38.4%)
within two federal election cycles. Less than 15% of registered voters
are in counties that do not use either system.

National Committee for Voting Integrity:

    http://www.votingintegrity.org/default.html

EPIC's September 2006 Spotlight on Surveillance: With Some Electronic
Voting Systems, Not All Votes Count:

     http://www.epic.org/privacy/surveillance/spotlight/0906/

EPIC's page on Voting and Privacy:

     http://www.epic.org/privacy/voting/

========================================================================
[5] EPIC Files Brief Urging Supreme Court to Review Secret Law
========================================================================

EPIC joined with other organizations in urging the Supreme Court to
review Gilmore v. Gonzales. The case concerns a secret rule that allows
airport personnel to require travelers in the United States to produce
identification. EPIC wrote in its "friend of the court" brief that the
secret agency rule violates the constitutional right of due process. The
secrecy prevents meaningful review and allows for arbitrary enforcement.

John Gilmore is challenging the government's unpublished law or
regulation requiring passengers to present identification to fly on
commercial airlines. Gilmore argues that the requirement violates
numerous constitutional protections, including the rights to travel,
petition and freely assemble, be free from unreasonable search and
seizure, and have access to due process of law. Gilmore is petitioning
to the Supreme Court after the Ninth Circuit Court of Appeals ruled for
the government earlier this year.

"The secret identification directive acts as a legal obligation that
directly affects millions of travelers while providing no public notice
or allowing for the traditional checks on arbitrary or prejudicial
enforcement,” EPIC wrote in its brief. "Unpublished, secret laws
undermine the very essence of self-government. Central to the American
form of government has been a longstanding commitment to public trials
and to openness in government decisionmaking."

EPIC urged the Supreme Court to grant Gilmore's petition for a writ of
certiorari so that it could review a "secret agency rule that offends
the Constitution and implicates the rights of millions of American
travelers who are presently subject to arbitrary and unaccountable
governmental authority."

Gilmore v. Gonzales site:

     http://www.papersplease.org/gilmore/

EPIC's amicus brief to the Supreme Court:

     http://www.epic.org/privacy/airtravel/gilmore_amicus2.pdf

EPIC's page on Passenger Profiling:

     http://www.epic.org/privacy/airtravel/profiling.html

========================================================================
[6] News in Brief
========================================================================

EPIC Welcomes Three Members to Board of Directors

Three new members have joined EPIC's board of directors: Consumer
attorney Philip Friedman, security expert Bruce Schneier, and .ORG
manager Edward Viltz. The EPIC board of directors also elected Deborah
Hurley as Chair, Peter Neumann as Treasurer, and Jerry Kang as
Secretary. Anita Allen, Whitfield Diffie, and Marc Rotenberg continue
their service to EPIC as members of its board. Rotenberg thanked Barbara
Simons for her long service to EPIC. She recently stepped down from the
board of directors after serving as chair and treasurer.

EPIC's Board and Staff: 

     http://www.epic.org/epic/staff_and_board.html


EPIC Debuts Page on Violence Against Women Act

EPIC's has prepared a Web page reviewing the provisions of the Violence
Against Women Act that affect privacy. Since 1994, the Act has been the
premier way to set federal sexual assault and domestic violence policy.
The Act affects privacy in its regulation of federal rules of evidence;
confidentiality requirements in grant conditions; collection of data
from homeless shelter; definitions of cyberstalking; and provisions
authorizing DNA collection into federal databases. The page is a part of
EPIC's recently launched Privacy and Domestic Violence Project.

EPIC's Privacy and Domestic Violence Project:

     http://www.epic.org/privacy/dv/

EPIC's page on the Violence Against Women Act and Privacy:

     http://www.epic.org/privacy/dv/vawa.html


Dynamic Privacy Coalition Launched at Internet Governance Forum

In early November, more than 1,200 government, private, academic and
civil society representatives discussed issues of Web governance at the
Internet Governance Forum's first meeting. Attendees agreed to launch
"dynamic coalitions," multi-stakeholder groups that work together on a
common issue through the use of online collaboration tools and meetings.
Almost 50 groups, including EPIC, France's Foreign Ministry, Privacy
International and the World Bank, jointed to create the Dynamic
Coalition on Privacy. The group aims to further develop and clarify the
public policy aspects of privacy in Internet governance. The group will
focus on the issues of digital identities, the link between privacy and
development, and the importance of privacy and anonymity for freedom of
expression. The French government has offered to host a Dynamic
Coalition on Privacy meeting in Paris in early 2007.

European Digital Rights: "IGF Outcome: Dynamic Coalition on Privacy":

     http://www.edri.org/edrigram/number4.21/coalition_privacy


European Experts Reject Use of RFID in ID Documents

European experts on identity management have released a declaration
warning against the use of radio frequency identification (RFID)
technology in identification documents. "By failing to implement an
appropriate security architecture, European governments have effectively
forced citizens to adopt new international Machine Readable Travel
Documents which dramatically decrease their security and privacy and
increases risk of identity theft," according to the declaration. This
comes soon after the release of a draft report by the Department of
Homeland Security Data Privacy and Integrity Advisory Committee also
recommending against the use of RFID in identification documents. "RFID
appears to offer little benefit when compared to the consequences it
brings for privacy and data integrity," the committee said.

"Budapest Declaration" is available in several languages:

    http://www.fidis.net/press-events/press-releases/

Department of Homeland Security Data Privacy and Integrity Advisory
Committee: The Use of RFID for Human Identification (pdf):

     http://www.epic.org/redirect/dpiac1106.html


Almost 450 IRS Laptops Either Stolen or Lost Since 2003

The Internal Revenue Service is the latest federal agency to admit it
has lost or had stolen many laptop computers. Documents obtained by WTOP
through the Freedom of Information Act, show that from 2002 till now,
the agency had 478 laptops either lost or stolen. The personal data of
taxpayers, including Social Security numbers, were in 112 computers. The
IRS has announced that, beginning in January, it "will be installing an
automatic encryption system that will encrypt all information on the
hard drives." Other federal agencies have reported such security
breaches. The largest was revealed in May, when the Department of
Veterans Affairs announced that a hard drive and laptop containing
sensitive data on 26.5 million veterans, active duty military personnel,
and family members had been stolen from an employee's home.

Internal Revenue Service:

     http://www.irs.gov/

EPIC's page on the Veterans Affairs Data Theft:

     http://www.epic.org/privacy/vatheft/

========================================================================
[7] EPIC Bookstore: David Holtzman's "Privacy Lost"
========================================================================

"Privacy Lost: How Technology Is Endangering Your Privacy" by David H.
Holtzman (Jossey-Bass 2006).

     http://www.powells.com/partner/24075/biblio/0787985112

"While other books in the field focus on specific aspects of privacy or
how to avoid invasions, David H. Holtzman—a master technologist,
internet pioneer, security analyst, and former military
codebreaker—presents a comprehensive insider's exposé of the world of
invasive technology, who's using it, and how our privacy is at risk.
Holtzman starts out by categorizing privacy violations into "The 7 Sins
Against Privacy" and then goes on to explain in compelling and easy to
understand language exactly how privacy is being eroded in every aspect
of our lives.

"Holtzman vividly reveals actual invasions and the dangers associated
with the loss of privacy, and he takes a realistic look at the trade
offs between privacy and such vital issues as security, rights, and
economic development."
	 
================================

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.
http://www.epic.org/bookstore/phr2005/phr2005.html

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.

================================

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40.
http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference
manual.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
$40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the
CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.

================================

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/features/epic/epic.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes


========================================================================
[8] Upcoming Conferences and Events
========================================================================

FACEBOOK, What It Is, How It Works, Why It Matters to You, Audio
Conference. International Association of Privacy Professionals. December
7, 2006. For more information:
https://www.privacyassociation.org/index.php?option=com_content&task=
view&id=8&Itemid=70

Assessing Current Privacy Issues. Riley Information Services, Inc.
February 21, 2007. Ottawa, Ontario, Canada. For more information:
http://www.rileyis.com/seminars/

5th Conference on Privacy and Public Access to Court Records. Center for
Legal and Court Technology and Administrative Office of the United
States Courts. March 22-23, 2007. Williamsburg, Virginia. For more
information:
http://www.courtaccess.org/

CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:
http://www.cfp2007.org

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:

https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:

http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.23 -------------------------

.