EPIC logo

  
========================================================================
                            E P I C  A l e r t
========================================================================
Volume 14.12                                              June 14, 2007
------------------------------------------------------------------------

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

              http://www.epic.org/alert/EPIC_Alert_14.12.html


========================================================================
Table of Contents
========================================================================
[1] Commission Adopts Rule on Phone Record Privacy
[2] House Passes Law on Caller ID Spoofing
[3] EPIC Testifies on Worker ID Systems
[4] Privacy Groups File Amended Google/DoubleClick Merger Complaint
[5] Trade Commission Adopts Rule on Security Breaches
[6] News in Brief
[7] EPIC Bookstore: "European Data Protection Law"
[8] Upcoming Conferences and Events

========================================================================
[1] Commission Adopts Rule on Phone Record Privacy
========================================================================

As a result of a 2005 petition filed by EPIC, the Federal Communications
Commission (FCC) adopted new rules last week to strengthen the security
of consumers' phone records. The FCC also published a Notice of Proposed
Rulemaking, stating that it is seeking comments on further privacy
protections for customer information. Comments are due July 9, 2007.

The new rules relate to customer proprietary network information (CPNI),
which is the data collected by telecommunications corporations about a
consumer's telephone calls. CPNI includes the time, date, duration and
destination number of each call, the type of network a consumer
subscribes to, and any other information that appears on the consumer's
telephone bill. Currently, the use of CPNI data is protected by the 1996
Telecommunications Act.

The FCC announced the formal rulemaking in February 2006 after EPIC
petitioned the Commission to protect phone users' privacy. EPIC's
petition sought to heighten security standards, including the
implementation of encryption of records, the requirement of audit logs
to track who accesses account information and why, and limitation on the
period of time that the data is retained. Some of EPIC's proposals on
specific security measures, such as passwords, were adopted in the new
rules; other proposals in EPIC's petition will be considered during the
new proposed rule comment period.

The new rules require customers to provide a password when a customer
calls a carrier before the carrier can release customers' phone call
records.  The new regulations also require carriers to notify customers
of account changes, and establish a notification process for both law
enforcement and customers in the event of a CPNI breach.  Other changes
include requiring carriers to file an annual report of all actions and
consumer complaints related to CPNI and extending CPNI rules to cover
providers of interconnected voice over Internet Protocol (VoIP) service
(which allows people to make phone calls over broadband Internet
connections).

The FCC seeks comments on possible additional steps it should take to
further protect the privacy of consumers.  In particular, the FCC seeks
comments on whether to extend password protection beyond the newly
adopted rules, whether to require audit trails of CPNI disclosure and
whether to limit data retention periods.

The FCC regulation addresses some of the issues that are considered in
legislation pending in Congress. The Prevention of Fraudulent Access to
Phone Records Act, H.R. 936 has been referred to the House Energy and
Commerce Committee for consideration.

EPIC Executive Director Marc Rotenberg testified on March 9 in support
of this legislation, stressing that action in this area was overdue. The
Act calls for several of the same measures as the FCC regulations, such
as opt-in requirements for third party disclosure, periodic audits of
telecommunications carriers by the FCC, and the use of customer-specific
identifiers in order to access call detail information.

In several areas, the Act provides stronger privacy protections than the
regulations.  The Act would require telecommunications carriers to keep
a record of each time that a customer's call detail information was
requested, if access was granted, and how the person's identity or
authority to access the information was verified.  Such records would
provide customers with knowledge of how their information was improperly
accessed, giving them a greater ability to prevent another breach.
Furthermore, the Act requires timely notice to a customer if there is an
unauthorized disclosure of his or her information. The Act also requires
the FCC to consider making regulations to require deletion of call
detail information after "a reasonable period of time if such data is no
longer necessary for the purpose for which it was collected.

FCC's Report and Order and Further Notice of Proposed Rulemaking (pdf):

     http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-07-22A1.pdf

EPIC's 2005 Petition to the FCC on CPNI:

     http://www.epic.org/privacy/iei/cpnipet.html

EPIC's 2005 Letter to the FTC on CPNI:

     http://epic.org/privacy/iei/ftcupdate.html

EPIC's CPNI page:

     http://www.epic.org/privacy/cpni

EPIC's page on Phone Record Security:

     http://www.epic.org/privacy/iei

Prevention of Fraudulent Access to Phone Records Act, H.R. 936:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d110:h.r.00936:

========================================================================
[2] House Passes Law on Caller ID Spoofing
========================================================================

The Truth in Caller ID Act of 2007, H.R. 251, passed the House this
week. The Act makes it illegal to defraud or cause harm to people using
misleading or inaccurate caller identification. The Act applies to any
telecommunications service or VoIP service. (VoIP allows people to make
phone calls over broadband Internet connections.) Penalties for
violations of the Act are established in the 1934 Communications Act,
which provides for a fine of up to $10,000 or one year in prison.
Testifying on similar legislation last year, EPIC recommended the
inclusion of a requirement of an “intent to defraud or cause harm,”
which distinguishes between appropriate and inappropriate uses of caller
ID spoofing. EPIC's recommended language was accepted, and adopted in
this session's bill, H.R. 251.

In its testimony on H.R. 251, EPIC stated that while spoofing caller ID
numbers can create a real risk to individuals who might be defrauded or
harmed by illegitimate uses of this technology, there are also several
legitimate uses of spoofing that allow callers to limit the disclosure
of their phone numbers in order to protect their privacy and in some
cases their safety. This includes domestic violence survivors who are
trying to reach family members and do not want their location revealed.
Survivors may also need to use caller ID spoofing when calling companies
that may have permissive data-sharing policies and sell information to
brokers. Caller ID spoofing can also protect right of call recipients to
be free from pretexting and other fraud that can lead to the loss of
their privacy, and the threats of stalking, identity theft, and
harassment.

The bill as passed included two new amendments. The first provides an
exemption for law enforcement and intelligence agencies, for “activities
performed in connection with official duties.” EPIC testified that a
blanket exemption for law enforcement is not necessary because the
law's intent requirement distinguishes between appropriate and
inappropriate Caller ID spoofing; this distinction preserves legitimate
law enforcement techniques while punishing harmful or fraudulent acts.

The second amendment requires the Federal Communications Commission to
consider whether it should require “non-commercial calls to residential
telephone lines using an artificial or pre-recorded voice to deliver a
message to transmit caller identification information that is not
misleading or inaccurate.”

The Truth in Caller ID Act of 2007:

     http://thomas.loc.gov/cgi-bin/query/z?c110:H.R.251:

EPIC's Testimony before the House Committee on Energy and Commerce on
the Truth in Caller ID Act of 2007 (pdf):

     http://www.epic.org/privacy/iei/hr251test.pdf

EPIC's page on Domestic Surveillance:

     http://www.epic.org/features/surveillance.html

========================================================================
[3] EPIC Testifies on Worker ID Systems
========================================================================

At a House Subcommittee on Social Security hearing on June 7, EPIC
Executive Director Marc Rotenberg urged the strengthening privacy
safeguards associated with employment eligibility verification systems
and said existing agency database problems should be corrected before a
nationwide expansion is considered. The Subcommittee is reviewing an
immigration bill that would establish a national employment eligibility
verification systems; a similar bill is pending in the Senate.

EPIC recently scrutinized the proposed employment verification systems
in its "Spotlight on Surveillance." Under both H.R. 1150 and S.AMDT
1645, every employer in the country would be required to submit detailed
personal information on every employee to the Department of Homeland
Security (DHS). This information would then be cross-referenced with
that retained by the Social Security Administration. Should a
discrepancy arise, workers would have to appeal to DHS and SSA to prove
their identity. The appeals process could last as long as two and a half
months, and if the appeal is ultimately denied the individual would not
be able to work legally in the United States until the discrepancy was
somehow corrected. The House bill would also transform all Social
Security Cards to include biometric and machine-readable features.

Government databases upon which the verification systems would rely
already contain many errors, Rotenberg said. The current, little-used
employment verification system, Basic Pilot, is plagued by problems
resulting from these errors. A 2002 independent study of Basic Pilot
undertaken by the Immigration and Naturalization Service found that
almost half of those employees deemed ineligible for work were in fact
eligible. The same study also found that, while employees navigated the
Basic Pilot appeals process, almost half experienced a reduction in pay
or responsibilities, or were terminated from employment altogether,
despite the illegality of such action. Expanding the Basic Pilot program
to a nationwide system without addressing existing database inaccuracies
would result in these burdensome consequences 143.6 million authorized
workers nationwide, Rotenberg said. In addition to dealing with a
dramatically increased number of verification requests, the proposed
Social Security Card additions would cost the Social Security
Administration at least $9.5 billion, Rotenberg said.

Rotenberg also highlighted the dangers of massive data aggregation in
centralized databases under the proposed verification systems. Such a
large collection of personal information increases the possibility that
the information could be used for unintended purposes, such as long-term
tracking of individuals, misuse by authorized users and identity theft.
“As currently planned, these systems greatly diminish employee privacy
and make personal information vulnerable to theft and misuse. The
proposed verification systems would also grant to the federal government
unprecedented control over the livelihoods of American citizens,”
Rotenberg said. The sensitive nature of the retained information
augments the seriousness of a security breach when it occurs. The
dangers of security breaches were demonstrated last month when the
Transportation Security Administration lost a hard drive containing the
personal and financial information of 100,000 of its employees,
including federal air marshals, Rotenberg said.

Hearing of the House Subcommittee on Social Security (June 7, 2007):

     http://www.epic.org/redirect/house0607.html

EPIC's Testimony on Employment Verification Systems before the House
Committee on Ways and Means (pdf):

     http://www.epic.org/privacy/ssn/eevs_test_060707.pdf

EPIC Spotlight on Surveillance on EEVS:

     http://www.epic.org/privacy/surveillance/spotlight/0507/

H.R. 1645 (pdf):

     http://www.epic.org/privacy/surveillance/spotlight/0507/hr1645.pdf

S.AMDT. 1150 (pdf):

     http://www.epic.org/redirect/samdt1150.html

EPIC Testimony on Social Security Numbers before the House
Committee on Ways and Means, March 16, 2007 (pdf):

     http://www.epic.org/privacy/ssn/mar_16test.pdf

========================================================================
[4] Privacy Groups File Amended Google/DoubleClick Merger Complaint
========================================================================

On June 6, EPIC, the Center for Digital Democracy, and U.S. PIRG filed a
supplement to their initial complaint concerning Google's proposed
acquisition of DoubleClick. In the initial complaint, filed on April 20,
2007 with the Federal Trade Commission, these consumer advocacy groups
requested that the Commission open an investigation into the proposed
acquisition, specifically with regard to Google's ability to collect,
record, and analyze personally identifiable information about Internet
users and, through use of this information, to track the Internet
activity of these users.

The June 6 supplement provides further detail on the information that
Google collects about its users, the ways in which Google uses that
information, and the privacy impacts of Google's many commonly used
services. In addition, the June 6 supplement describes similar aspects
of DoubleClick's business model and operations. EPIC, CDD, and U.S. PIRG
explain that there are unique privacy issues raised by the proposed
combination of the Internet's largest search engine and the Internet's
largest advertising company. Allowing the merger to proceed as it is
currently constructed would allow a single company to have an
unprecedented level of access to information about Internet users, the
groups said.

Although Google currently chooses not to sell its users' information,
DoubleClick's business is based on building profiles of Internet users
in order to market advertisements accurately targeted to users who are
likely to be interested in the products they are offered. If the merger
proceeds, personal user information collected by Google could be used to
enhance DoubleClick's preexisting user profiles and would therefore be
sold, by proxy, to those seeking to purchase advertising.

In response to the initial complaint, Nicole Wong, Google's deputy
general counsel, asserted that "EPIC utterly fails to identify any
practice that does not comply with accepted privacy standards." Since
the filing of the supplement, however, Google has announced that it will
change its privacy policy and reduce to 18 months the time it retains a
user's full IP-address in connection with search logs. EPIC, CDD and
U.S. PIRG note, however, that this time frame is still unnecessarily
long and that the anoymization protocols does not satisfactorily guard
against linking search logs to small groups of individual users.

Supplemental Complaint (June 6, 2007) (pdf):

     http://epic.org/privacy/ftc/google/supp_060607.pdf

EPIC's FTC Google Complaint page:

     http://epic.org/privacy/ftc/google/

Google's announcement concerning changes to their privacy policy (June
11, 2007):

     http://www.epic.org/redirect/google0607.html

========================================================================
[5] Trade Commission Adopts Rule on Security Breaches
========================================================================

On June 7, the Federal Trade Commission (FTC) issued a final rule,
effective immediately, that allows the agency to disclose records in the
event of a data breach.  Specifically, the agency sought an exemption
from the requirements the Privacy Act of 1974 by amending its “routine
use” provision. The agency said that disclosure of FTC records in the
event of a data breach is justified to ensure that the “appropriate
persons and entities” are able to respond to the event. EPIC was the
only entity to supply comments to the agency during the public comment
period of this rule.

In its comments, EPIC raised the issue of “customer first notification”,
and stated that affected consumers should be notified of a data breach
as soon as possible after its occurrence, and no later than 7 days after
the incident transpires.  Timely notification is imperative to ensure
that individuals can monitor their personal information and mitigate
damages as quickly as possible after a breach, EPIC said.  The FTC,
however, declined to adopt this recommendation, and explained that such
notifications fall “outside the scope of a routine use notice under the
Privacy Act.” Instead, the FTC decided to follow guidance provided by
the OMB and the President's Identity Theft Task Force regarding the
appropriateness of informing affected individuals.  The FTC also stated
that the routine use amendment will authorize disclosures to others who
are in a position to assist in response efforts, either by assisting in
notification to affected individuals or otherwise playing a role in
preventing, minimizing, or remedying harms from the breach.

EPIC also questioned the extensive disclosure scheme in the FTC's
proposed rule, especially the potential disclosure of individuals'
sensitive personal information, such as social security numbers and
financial information across the federal government.  The disclosure of
sensitive personal information could cause additional damage for
affected individuals. EPIC recommended the development of a fixed tier
of access that would allow only certain individuals and entities limited
access to breached data as necessary to further investigations.

While the FTC agreed with EPIC that “disclosure of Privacy Act records
in order to investigate or remedy a breach disclosure remedy a breach
must be necessary and narrowly tailored to the circumstances,” it did
not support adoption of “fixed categories of access.”  Instead, the FTC
decided to limit disclosures to people that are “reasonably necessary”
and to grant access on a case-by-case basis.  The FTC believes this will
provide adequate protection to consumers while also allowing for rapid
investigation of a data breach.

FTC Federal Register Final Rule Notice:

     http://www.epic.org/redirect/FTC0607.html

EPIC Comments to the FTC:

     http://www.ftc.gov/os/comments/Privacy%20Act%201974/index.shtm

EPIC's Social Security Number Privacy page:

     http://www.epic.org/privacy/ssn/


========================================================================
[6] News in Brief
========================================================================

FBI Data Mining Proposal Questioned

Representatives Brad Miller and James Sensenbrenner have asked the
Government Accountability Office to investigate the FBI's proposal for a
National Security Branch Analysis Center. The FBI intends to use the
Center to “leverage existing data-mining tools to help identify
relationships between individuals, locations and events that may be
indicators of terrorist or other activities of interest." The Department
of Justice predicts that the Center will hold 6 billion records by the
year 2012.

Reps. Mill and Sensenbrenner state that the program resembles the
Pentagon's Total Information Awareness anti-terror data-mining research
program. Congress ended TIA in 2003 out of privacy concerns. In addition
to the high cost and questionable value of such a system, the
representatives also pointed to the FBI's recent abuse of National
Security Letter powers to show that the FBI may not be capable of
handling the center.

Letter of Reps. Miller and Sensenbrenner to the GAO (June 5) (pdf):

     http://www.epic.org/redirect/letter0607.html

EPIC's Total (Terrorism) Information Awareness page:

     http://www.epic.org/privacy/profiling/tia/


Privacy International Ranks Online Companies' Privacy Practices

On June 9, London-based human rights research and campaign organization
Privacy International issued an interim privacy ranking of 23 Internet
service companies. The report did not give any of the companies it
looked at the highest grade of “privacy-friendly and privacy enhancing.”
However, Google's “vague, incomplete and possible deceptive privacy
policy,” lack of responsiveness to customer complaints, its ability to
match data gathered by its search engine with information collected from
its other services, and its merger with DoubleClick earned Google the
lowest possible privacy ranking, reserved for those companies with
“comprehensive consumer surveillance and entrenched hostility to
privacy.”

Privacy International has stated that the current report is a
preliminary ranking. The organization will consider any new and relevant
information for the next two months before publishing a full report in
September. This report comes on the heels of the Federal Trade
Commission's second request looking into antitrust concerns raised by
its proposed merger with DoubleClick, and the European Union's
investigation into Google's compliance with EU privacy law.

Privacy International's Interim Privacy Ranking of Internet Services
Companies

     http://www.epic.org/redirect/PI0607.html

EPIC's Gmail Privacy FAQ

     http://www.epic.org/privacy/gmail/faq.html

EPIC's FTC Google Complaint page:

     http://epic.org/privacy/ftc/google/


ChoicePoint Settles With 43 States, D.C, Over 2004 Database Breach

In a settlement with various attorneys general, data broker Choicepoint
agreed to implement stronger data security measures and to pay $500,000.
 Choicepoint sells personal information on individuals to businesses and
government. In the 2004 breach, which was the subject of the settlement,
data on over 140,000 individuals had been divulged to identity thieves.
The identity thieves had signed up as subscribers to Choicepoint's
information services, and accessed data necessary to carry out thefts of
at least 750 identities. The 43 states alleged that Choicepoint had
failed to properly screen the buyers of its data files, and that the
transactions should have raised "red flags."

CT Attorney General Announces Nationwide Settlement with Choicepoint:

     http://www.ct.gov/ag/cwp/view.asp?A=2341&Q=382400 

EPIC's Choicepoint Page:

     http://www.epic.org/privacy/choicepoint/


Fifteen States Pass Anti-REAL ID Legislation

As the deadline for compliance draws closer, more states are opting out
of the controversial REAL ID national identification system. Arkansas,
Colorado, Georgia, Hawaii, Idaho, Illinois, Maine, Missouri, Montana,
Nebraska, Nevada, New Hampshire, North Dakota, South Carolina, and
Washington have all passed anti-REAL ID legislation. Public resistance
to REAL ID is also growing. In May, more than 60 organizations and 215
blogs joined a campaign to submit comments against REAL ID. There are
bills in both the U.S. House and Senate to repeal the national
identification scheme. EPIC and 24 experts in privacy and technology
submitted detailed comments explaining the many privacy and security
threats raised by the REAL ID Act. The Department of Homeland Security's
Data Privacy and Integrity Advisory Committee refused to endorse the
draft regulations, stating that they did not resolve problems with
privacy, redress, management controls, and more.

Stop REAL ID Campaign:

     http://www.privacycoalition.org/stoprealid/

EPIC Page on National ID Cards and REAL ID Act:

     http://www.epic.org/privacy/id_cards/


Information Security: Agencies Report Progress, but Sensitive Data
Remain at Risk

In testimony before Congress, the General Accountability Office's
Director of Information Security Issues reported on federal government
agencies' efforts to protect personal data. Director Gregory C.
Wilshusen found that almost all of the major federal agencies had
weaknesses in one or more areas of information security controls.
Problems included inadequate access controls, not enough management of
software patches, lack of encryption, and insufficient restrictions on
physical access to information access. Performance metrics showed that
agencies are improving security in terms of training and education, but
failures to implement agency-wide information security systems still
persist.

GAO Testimony (June 7, 2007) (pdf):

     http://www.gao.gov/new.items/d07935t.pdf

EPIC's Page on Veteran's Affairs Data Breach:

     http://www.epic.org/privacy/vatheft/


========================================================================
[7] EPIC Bookstore: "Understanding Surveillance Technologies"
========================================================================

European Data Protection Law, Corporate Compliance and Regulation,
Second Edition by Christopher Kuner (Oxford Press, 2007)

     http://www.powells.com/partner/24075/biblio/9780199283859

In the updated edition of his text, Kuner sets out the difficulty of
expansion into EU markets for US businesses that have not taken the
message of data privacy protection seriously. US businesses intent on
exploiting the information age through new EU markets or creating more
efficiency in existing European markets must effectively convert their
business models to comply with EU data protection laws. The various EU
data directives create minimum standards that each member state must
then adopt though the passage of new laws.  However, this model does
allow member states to adopt stronger measures for data protection.
There is a process for industries to establish self-regulatory codes
under Article 27(1) of the General Directive, but according to the
author the process is so cumbersome that few industries have created
them.  He sees the process as taking too long to complete, and the
"uncertain legal status" of the measures once adopted.

Additional complexity of EU data protection law comes from the range of
European entities that have jurisdiction over its enforcement. These
bodies are not equal in their ability to directly impact the bottom line
prospects for businesses, but exert some level of influence in the
shaping of data protection policy in Europe. Some might speculate that
in the new information age it would be easier to just offshore all data
collection, processing, and storage of data, but the author warns that
the Europeans have thought of that as well and the rules have a number
of pitfalls for those who attempt this approach.

Basic EU data protection requirements include: informing data subjects
of the purpose that information is being requested, justifying the need
to retain the information, making information on the data subject
available to them, protecting the information collected, and only using
the information for the purpose for which it was collected. In short,
the road to success in data protection is paved with a lot of planning,
thought, care, and well-established means of protecting the data
obtained on European Union citizens.

-- Lillie Coney


================================


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.
http://www.epic.org/bookstore/phr2005/phr2005.html

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.

================================

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40.
http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference
manual.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
$40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the
CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.

================================

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/features/epic/epic.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes


========================================================================
[8] Upcoming Conferences and Events
========================================================================

2007 ALA Annual Conference. Washington Convention Center. June 23-26,
2007. Washington, DC. For more information:
http://www.ala.org/ala/eventsandconferencesb/annual/2007a/home.htm

National Institute on Computing and the Law: From Steps to Strides into
the New Age. June 25-26, 2007. San Francisco, CA.  For more information:
http://www.abanet.org/cle/programs/n07ctl1.html

Federal Trade Commission: Spam Summit - The Next Generation of Threats
and Solutions. July 11-12, 2007. Washington DC. For more information:
http://www.ftc.gov/bcp/workshops/spamsummit/index.shtml

Harvard University Privacy Symposium. August 21-24, 2007. Cambridge, MA.
For more information http://www.privacysummersymposium.com

7th Annual Future of Music Policy Summit. September 17-18, 2007.
Washington, DC. For more information
http://www.futureofmusic.org/events/summit07/

Civil Society Privacy Conference: Privacy Rights in a World Under
Surveillance. September 25, 2007. Montreal, Canada. For more
information:
http://www.thepublicvoice.org/events/montreal07/default.html

29th International Conference of Data Protection and Privacy
Commissioners. September 25-28, 2007.  Montreal, Canada. For more
information:
http://www.privacyconference2007.gc.ca/Terra_Incognita_home_E.html

OECD and Industry Canada: Shaping Policies for Creativity, Confidence
and Convergence in the Digital World. October 3, 2007. Ottawa, Canada.
For more information:
http://www.oecd.org/futureinternet/participativeweb

University of Ottawa Faculty of Law: The Revealed "I". October 25-27,
2007. Ottawa, Canada. For more information:
http://www.idtrail.org/content/section/11/95/

Future of the Internet Economy - OECD Ministerial Meeting. June 14-18,
2008. Seoul, Korea. For more information:
http://www.oecd.org/document/19/0,2340,en_2649_37441_38051667
_1_1_1_37441,00.html

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:

https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:

http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 14.12 -------------------------

.