                           E P I C  A l e r t
Volume 14.03                                            February 9, 2007

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] Personal Data Privacy and Security Act Of 2007 Introduced
[2] Homeland Security Budget Request Includes Eight Percent Increase
[3] Maine Rejects Real ID, Other States to Follow
[4] White House to Release Documents Detailing Secret Spy Program
[5] Florida Governor Proposes End to Paperless Touch Screen Voting
[6] News in Brief
[7] EPIC Bookstore: "Proskauer on Privacy"
[8] Upcoming Conferences and Events

[1] Personal Data Privacy and Security Act Of 2007 Introduced

On February 6, Senators Leahy and Specter introduced the Personal Data
Privacy and Security Act of 2007 (S. 495).  The bipartisan bill, which
is substantially similar to one introduced in 2005, requires government
and commercial entities to ensure that the personal data they collect is
protected by adequate security.

The bill aims to prevent and mitigate identity theft, ensure privacy,
provide notice of security breaches, and enhance criminal penalties, law
enforcement assistance, and other protections against security breaches,
fraudulent access, and misuse of personally identifiable information.

The bill adds “unauthorized access to sensitive personally identifiable
information” to the criminal prohibition against computer fraud under
the Criminal Code.  It also provides a criminal penalty for intentional
and willful concealment of a security breach involving personal data,
and increases criminal penalties for identity theft involving electronic
personal data.

The bill also requires the government to establish rules protecting
privacy and security when it uses information from commercial data
brokers. Among other protections, agencies would have to regularly audit
the security measures of their vendors, and the General Services
Administration would be required to review all government contracts to
make sure that vendors have appropriate security programs in place and
that they don't provide information to the government that they know to
be inaccurate. Government contractors that fail to meet data privacy and
security requirements would be subject to penalties.

Commercial data brokers, in addition to establishing internal policies
to protect personal data, are required to allow individuals access to,
and the opportunity to correct, any personal information that they hold.
Entities that maintain personal data must give notice to law
enforcement, consumers and credit reporting agencies when they
experience a breach involving sensitive personal data that demonstrates
a “significant risk of harm.” In the spirit of creating a national
standard, the bill preempts state legislation that governs these issues
for interstate commerce. Unfortunately, this preemption has the effect
of lessening protections in jurisdictions with more stringent standards.
Currently, over 35 states have enacted or pending security breach
legislation that provides varying standards of notification requirements.

Personal Data Privacy and Security Act Of 2007 (pdf):

Comments of Senator Leahy on the Personal Data Privacy and Security Act
Of 2007:

[2] Homeland Security Budget Request Includes Eight Percent Increase

President Bush's $2.9 trillion budget proposal for Fiscal Year 2008 is a
4.2 percent increase over Fiscal Year 2007's budget. Agencies other than
State, Defense and Homeland Security will receive increases of about 1
percent, less than the rate of inflation. The budget includes
significant cuts for spending on health care, education, housing and
other domestic programs, such as Medicare and the State Children's
Health Insurance Program.

However, the Department of Homeland Security is seeking an 8 percent
increase over last year's request for several expensive surveillance

According to the Department, the agency is seeking:

- $252 million for the Western Hemisphere Travel Initiative, which
creates new identification requirements for US citizens traveling to
Canada, Mexico, and the Caribbean

- An increase of $146.2 million for the "Unique Identity initiative"
that will put in place a 10-Print identification system and link the
Automated Biometric Identification System (IDENT) at the Department of
Homeland Security with the Integrated Automated Fingerprint
Identification System (IAFIS) at the Department of Justice.

- An increase of $38 million in funding for the Secure Flight system, a
program that was suspended by Congress following a government report
that found an inconclusive risk assessment and 144 security

- An increase of $16.5 million for the Transportation Worker
Identification Credential (TWIC), a credential-based, identity
verification program that uses biometric technology.

- $30 million for the Employment Eligibility Verification (EEV) program
to expand government enforcement of workplace credentials.

Some of the $13 billion requested for border security and immigration
enforcement will be spent on the Automated Targeting System, a federal
database that creates terrorist ratings on tens of millions of American
citizens; the ratings will be secret, unreviewable, and maintained by
the government for 40 years. A recent EPIC Spotlight on Surveillance
report, "Customs and Border Protection's Automated System Targets U.S.
Citizens," detailed the problems with the system, originally established
to assess cargo that may pose a threat to the United States.

Proposed Federal Budget for Fiscal Year 2008:

Fact Sheet: U.S. Department of Homeland Security Announces Eight Percent
Increase in Fiscal Year 2008 Budget Request:

Government Accountability Office Testimony on Secure Flight on Feb. 9,
2006 (pdf):

EPIC's Spotlight on Surveillance on the Automated Targeting System (Oct.

EPIC's page on Secure Flight:

[3] Maine Rejects Real ID, Other States to Follow

Last week, the Maine House and Senate registered nearly unanimous
opposition to the federal REAL ID Act, which mandates federal
requirements for state driver's licenses. Another dozen states are
reviewing legislation against REAL ID, including Arizona, Georgia,
Hawaii, Massachusetts, Missouri, New Hampshire, New Mexico, Oklahoma,
Utah and Wyoming.

The resolution passed in Maine stated that, "Maine State Legislature
refuses to implement the REAL ID Act and thereby protest the treatment
by Congress and the President of the states as agents of the federal
government." The resolution also asks Congress to repeal the law. Sen.
Daniel Akaka (D-HI) and Sen. John Sununu (R-NH) introduced legislation,
the Identification Security Enhancement Act, on December 8, 2006, to
repeal REAL ID and replace it with language that includes strong
security and privacy protections. Sen. Sununu expects to introduce
similar legislation in this Congressional session.

Congress passed REAL ID without a hearing even though legislators in
both parties urged debate. The senators said they believe REAL ID
"places an unrealistic and unfunded burden on state governments and
erodes Americans' civil liberties and privacy rights." The National
Conference of State Legislatures has released a report estimating REAL
ID's cost to the states would be more than $11 billion over five years.

Under the REAL ID Act, state DMVs will have to verify identification
documents and the legal status of immigrants. States are mandated to
link their databases so that all information collected by each DMV can
be accessed. State DMV offices are often the targets of identity
thieves. If the Department of Homeland Security Secretary doesn't grant
states an extension to meet the certification requirements, then by May
11, 2008 (three years after passage of the REAL ID Act) states must meet
federal standards to be accepted for federal use (entrance into a
courthouse, onto a plane; receiving federal benefits, such as Social
Security or Medicare). The Department of Homeland Security has yet to
issue the guidelines explaining how the states can meet these standards.

Maine Legislature's Resolution Against the REAL ID Act:

National Conference of State Legislatures Report: The Real ID Act:
National Impact Analysis (pdf):

The Identification Security Enhancement Act (S. 4117):

Text of the REAL ID Act (pdf):

EPIC's page on National ID Cards and REAL ID Act:

[4] White House to Release Documents Detailing Secret Spy Program

The Department of Justice will turn over secret documents detailing the
government's domestic spying program, Attorney General Alberto Gonzales
said last week. The warrantless program, run by the National Security
Agency, monitors phone calls and e-mails between individuals in the
United States and other countries that have suspected links to terrorist
organizations. A federal judge in Detroit last August declared the
program unconstitutional.

The Attorney General's announcement came the day after the Bush
administration announced it had agreed to put the program under the
authority of the Foreign Intelligence Surveillance Court. The package of
documents the Bush administration is giving to lawmakers is expected to
include investigators' applications for permission to eavesdrop, the
legal briefs submitted to the Foreign Intelligence Surveillance Court,
and judges' orders. The documents will be given to Senate Judiciary
Chairman Patrick Leahy and Ranking Member Arlen Specter. Gonzales stated
that the documents would not be released publicly, because of their
“highly classified nature.”

At a committee hearing two weeks ago, senators criticized Gonzales for
refusing to release the documents even though the Foreign Intelligence
Surveillance Court's presiding judge had no objections to making them
available to lawmakers who have been cleared to receive details about

In his testimony at the committee hearing, Leahy stressed that “only
with an understanding of the contours of the wiretapping program and the
scope of the Court's orders can the Judiciary Committee determine
whether the Administration has reached the proper balance to protect
Americans while following the law and the principles of checks and
balances.” He went on to say that he looks forward to “reviewing the
Court's orders and then deciding what further oversight or legislative
action is necessary.”

US Senate Committee on the Judiciary hearing on “Oversight of the U.S.
Department of Justice”:

Comment of Sen. Leahy on the Bush Administration's Announcement That It
Will Make FISA Court Orders Available

EPIC's page on the Foreign Intelligence Surveillance Act

EPIC Feature: Resources on Domestic Surveillance

[5] Florida Governor Proposes End to Paperless Touch Screen Voting

Florida's new Governor Charlie Crist proposed spending $32.5 million in
state funds to replace all paperless touch-screen voting systems with
Optical Scan ballots, which would move Florida away from paperless
voting to paper-based voting.  This decision comes 86 days after the
controversial end of the race to fill the seat for the 13th
Congressional District, an election contest in which 18,000 ballots or
13% of votes cast on the Election Systems & Software's iVotronic
paperless touch-screen voting systems did not register a vote. Typically
a 2.5 percent under-vote can be expected in an election.

Although Election Day 2006 saw many instances of electronic voting
machine failures that affected races in the states of Arkansas, Florida,
Maryland, Pennsylvania and Virginia, attention came to the Florida
election because the under-vote involved a Congressional race with a
369-vote margin of victory.  Several legal challenges were launched
following the outcome of the election with some still awaiting court
rulings on appeal. Sarasota County officials conducted post-election
investigations of the technology and attributed the under-vote to a
ballot design problem.

Post-election analyses of 2000 and 2004 and the legal challenges which
followed these presidential elections have identified many obstacles to
reliable public elections, including problems with voter registration,
voter roll purges, polling place practices, accessible polling
locations, voting technology, usability of voting mechanisms, absentee
ballots, and vote tabulation. As a result
of election problems, the Help America Vote Act of 2002 became law. This
law began a historic shift from lever, paper, and punch card voting
systems to optical scan and DRE systems. According to Election Data
Services, a political consulting firm specializing in election
administration, the transformation to electronic systems is nearly
complete. The number of registered voters in counties using optical
scan voting systems has increased from 46.7 million (29.5%) to 84
million (48.9%). The number of registered voters in counties using DRE
systems has increased from 19.7 million (12.4%) to 65.9 million (38.4%)
within two federal election cycles. Less than 15% of registered voters
are in counties that do not use either system.

This week Congressman Rush Holt introduced H.R. 811, a bill that would
amend the Help America Vote Act of 2002 to require a voter-verified
permanent paper ballot.

Florida's Governor's Web Page:

Governor Crist's Press Release: http://www.flgov.com/release/8585

Help America Vote Act 2002:

National Committee for Voting Integrity:

EPIC's page on Voting:

[6] News in Brief

Rule on Phone Record Privacy Expected Soon

The FCC is expected to issue a rule to protect telephone record privacy
from pretexters. Legislation passed by Congress last year made
pretexting a crime but did nothing to improve security standards for
telephone companies that often release customer information to those
engaging in fraud. Expected changes include requirements that telephone
companies: use passwords before giving out telephone records; only mail
the records to home addresses; and call back at the registered service
number to verify requests for disclosure. EPIC filed a petition with the
FCC calling for the establishment of strong security standards for
customer information in August 2005. EPIC Executive Director Marc
Rotenberg and FCC Chairman Kevin Martin testified on the need for
stronger security standards before a House Committee in February 2006.

EPIC's page on Illegal Sale of Phone Records:

EPIC's comments on the FCC notice of proposed rulemaking:

House Commerce Committee Report, "Prevention of Fraudulent Access to
Phone Records Act"

European Union Pressure on SWIFT and Passenger Name Records Grows

Members of the EU Parliament have become increasingly vocal in their
disapproval of what many view as disregard for EU data protection laws
in international data transfers. In a January 31, 2007 joint debate of
the European Parliament, speakers criticized the Commission and the
Council for the institutions' handling of two EU-US data protection
issues: the transfer of financial data by the SWIFT banking consortium to US
authorities, and the transfer of passenger name records by European
airlines to the US Department of Homeland Security. French liberal
deputy Jean-Marie Cavada referred to both the passenger name record
agreements and to the case of SWIFT when he stated that "the EU's
sovereignty has not been respected." On February 1, 2007, EU Privacy
Commissioner Peter Hustinx issued an opinion blaming the European
Central Bank, along with other banks who are SWIFT members, for
neglecting its oversight of the co-operative.

European Data Protection Supervisor Opinion on SWIFT (pdf):

EPIC's Spotlight on Surveillance on SWIFT:

EPIC's page on EU-US Airline Passenger Data Disclosure:

Accountability Office Criticizes Federal Agency Over Security of Health

In a report issued on February 1, the US Government Accountability
Office criticized the Department of Health and Human Services (HHS) for
issuing contracts to develop initiatives for health information
technology records-sharing without setting up adequate privacy
guidelines. The report recommends that HHS “define and implement an
overall privacy approach that identifies milestones for integrating the
outcomes of its initiatives, ensures that key privacy principles are
fully addressed, and addresses challenges associated with the nationwide
exchange of health information.” In its comments, HHS disagreed with
this recommendation and stated that it has established a comprehensive
privacy approach, and that rigid benchmarks would impede its dialogue
with stakeholders.

US Government Accountability Office Report on Health Information
Technology (pdf):

EPIC's page on Medical Privacy:

EPIC Joins Civil Liberties Brief in Newsletter Subscriber Privacy Case

EPIC has joined six civil liberties groups to submit a "friend of the
court" brief in Forensic Advisors, Inc. v. Matrixx Initiatives, Inc.,
which is currently before the Maryland Court of Appeals, the highest
court in the state. In this case, pharmaceutical company Matrixx is
attempting to force Timothy Mulligan, a newsletter publisher, to
disclose his subscriber list so that Matrixx can use it in connection
with a lawsuit filed against unidentified people who posted derogatory
comments about the company on Internet discussion boards. The brief
argues that the subscriber list is protected under the First Amendment,
since disclosure of the list would deter readership and violate
constitutionally established privacy rights. A lower state court held
that Mulligan is a member of the news media under Maryland law. The
brief argues, therefore, Mulligan is covered by a state law protecting
journalists' sources. EPIC previously joined a "friend of the court"
brief for the case when it was before a lower state court.

January 2007 Amicus Brief Submitted by EPIC, et al. (pdf):

June 2005 Amicus Brief Submitted by EPIC, et al. (pdf):

Homeland Security Secretary Outlines Policy on Information Sharing

In a memo dated February 1, Department of Homeland Security (DHS)
Secretary Michael Chertoff outlined his policy for information exchange
and sharing, which calls for all DHS components to share “potential
terrorism, homeland security, law enforcement and related information”
with each other.  According to the memo, all DHS components are
considered one agency under the Privacy Act, and “the presumption is
that information will be shared, not hoarded.” Each component agency is
required to amend any information-sharing agreements that are
inconsistent with the new policy, and to submit copies of all agreements
to the DHS Executive Secretariat by February 15.

Department of Homeland Security memo (February 1, 2007) (pdf):

Congressional Reports on FISA, Electronic Surveillance, Made Available

The Federation of American Scientists has made available two
Congressional Research Service reports, which are not usually released
to the general public. The first report provides an overview of the
Foreign Intelligence Surveillance Court, its history, structure and
jurisdiction.  The second report analyses a bill passed by the House in
the last Congress in response to the President's domestic surveillance

"The U.S. Foreign Intelligence Surveillance Court and the U.S. Foreign
Intelligence Surveillance Court of Review: An Overview," (January 24,
2007) (pdf):

"Electronic Surveillance Modernization Act, as Passed by the House of
Representatives," (January 18, 2007) (pdf):

[7] EPIC Bookstore: "Proskauer on Privacy"

"Proskauer on Privacy" edited by Christopher Wolf
(Practising Law Institute 2006).


“An essential tool for attorneys, businesses, and public agencies that
must secure personal data. Government surveillance of private citizens
is challenging the limits of the law. Businesses are bound by more data
security standards as ID theft soars. Globalization is triggering more
privacy directives impacting U.S. multinationals. Out of all these
often-intertwined laws, what privacy and data security standards do you
have to satisfy? How can you comply with them and avoid sanctions and
penalties? You'll get the crucial answers you need when you turn to
PLI's new PROSKAUER ON PRIVACY - today's most comprehensive and current
guide to privacy and data security laws in the U.S. and around the
globe. Essential reading for legal and business practitioners, Proskauer
on Privacy provides today's most exhaustive and up-to-date analysis of
the staggering array of domestic and international privacy and data
security laws governing the public and private sectors. Covering
everything from the Foreign Intelligence Surveillance Act to the Fair
Credit Reporting Act to the CAN-SPAM Act, PROSKAUER ON PRIVACY helps:
Federal agencies satisfy provisions of the Privacy Act of 1974 and
related law. Employers observe the privacy-related provisions of the
Americans with Disabilities Act. Website and online services comply with
the Children's Online Privacy Protection Act. U.S. businesses deal
effectively with Canada's complex patchwork of privacy laws. At the same
time, PROSKAUER ON PRIVACY sheds light on privacy standards in Japan,
China, Hong Kong, India, Australia, Russia, and other nations -- privacy
laws in California and other vanguard states -- the intense legal debate
over warrantless wiretapping -- the payment card industry's bold data
security initiatives -- and a lot more.”


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Expanding Access to Criminal History Information and Improving Criminal
Record Backgrounding. SEARCH. Monday, February 12, 2007. Arlington,
Virginia. For more information:

The Centre for Innovation Law & Policy: A Practical Approach to Global
Privacy Compliance. February 13, 2007. Toronto, Canada.  For more
information, contact Jean McNeil at: jean.mcneil@utoronto.ca

Working Group Discussion on Federal Government Outsourcing of
Intelligence Gathering and Law Enforcement Duties. EPIC and Liberty
Coalition. February 14, 2007. Washington DC.  For more information
contact Melissa Ngo at: ngo@epic.org

Assessing Current Privacy Issues. Riley Information Services, Inc.
February 21, 2007. Ottawa, Ontario, Canada. For more information:

Internet Privacy Symposium: Research Findings from the OPC Contributions
Program. Privacy Commissioner of Canada and Law and Technology Group,
University of Ottawa. February 23, 2007. Ottawa, Ontario. For more

RFID and Ubiquitous Computing. Trans Atlantic Consumer Dialogue. March
12, 2007. Brussels, Belgium. For more information:

Consumer Authentication: How Do You Know It Is Really Me? American Bar
Association, Section of Business Law. March 16, 2007. Washington, DC.

National FOI Day Conference. March 16, 2007. Washington DC. For more
information: http://www.firstamendmentcenter.org

5th Conference on Privacy and Public Access to Court Records. Center for
Legal and Court Technology and Administrative Office of the United
States Courts. March 22-23, 2007. Williamsburg, Virginia. For more

CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:

29th International Conference of Data Protection and Privacy
Commissioners. September 25-28, 2007.  Montreal, Canada. For more

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 14.03 -------------------------