
                            E P I C  A l e r t
Volume 14.16                                             August 10, 2007

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

Table of Contents
[1] Congress Enacts Sweeping Changes to Federal Wiretap Laws
[2] New Law Strengthens Privacy Oversight
[3] Canadian Group Urges Investigation of Google-DoubleClick Merger
[4] Homeland Security Revamps Traveler Profiling Programs
[5] Senate Passes Leahy-Cornyn Open Government Bill
[6] News in Brief
[7] EPIC Bookstore: "Complete Guide to Security and Privacy Metrics"
[8] Upcoming Conferences and Events

[1] Congress Enacts Sweeping Changes to Federal Wiretap Laws

Congress passed the "Protect America Act of 2007," making significant
changes to the Foreign Intelligence Surveillance Act (FISA).  FISA was
enacted in 1978 to regulate intelligence gathering following revelations
of abusive uses of covert intelligence powers.  The 1978 law created a
secret FISA court to oversee this intelligence gathering. The new law
removes some surveillance from the limited FISA court review, allows the
government to create more surveillance programs with limited review, and
immunizes from lawsuits telecommunications companies who participate in
these programs. These powers are temporary, as the new law expires in 6

The law does not focus on "terrorists," but on communications when one
of the parties is outside of the United States. The law amends the legal
definition of "electronic surveillance," as monitored by the FISA court.
"Electronic surveillance" no longer encompasses surveillance of people
reasonably believed to be outside of the United States.

The law allows the Director of National Intelligence and the Attorney
General to approve surveillance on a program-wide, rather than
individual basis. These officials must certify that, among other
conditions, these programs have as "a significant purpose" the obtaining
of foreign intelligence information.  Instead of individually reviewing
each application for surveillance, the FISA court may only review the
proposed program to determine whether Executive branch officials are
"clearly erroneous" in how they design and certify a given program.

Lastly, the law forces information holders, such as telecommunications
companies and Internet service providers, to turn information over to
the government, or face the criminal penalty of contempt of court.

Protect America Act of 2007:


EPIC's FISA page:


EPIC Resources on Domestic Surveillance:


[2] New Law Strengthens Privacy Oversight

Last week, the President signed the Implementing Recommendations of the
9/11 Commission Act of 2007. The law is a compromise between a Senate
bill (S. 4) passed in March and a House bill (H.R. 1) passed in January.
Both houses of Congress passed the harmonized version in July.

The law implements certain recommendations of the 9/11 Commission,
including improving privacy and civil liberties protections in agencies
that perform law enforcement or anti-terrorism functions. The bill also
provides for establishing regional law enforcement "fusion centers" for
information sharing.

The law strengthens the Privacy and Civil Liberties Oversight Board.
Previously, members of the Board served at "the pleasure of the
President." The House bill, H.R. 1, originally proposed to make the
Oversight Board into an independent agency, but the new Act allows the
Oversight Board to remain in the Executive Office of the President. The
new Act also implements fixed 6-year terms, and limits the number of
members from the same political party as the President to three.
Although the members of the Board are still appointed by the President,
the new law mandates that all members be subject to Senate approval. 
The new Board may request attorney general-issued subpoenas in the
course of their investigations. The attorney general is required to
submit a written explanation of any denials of or modifications to the
subpoena request to the Board as well as the House and Senate Judiciary

The Act also strengthens privacy oversight in individual agencies. The
new Act directs several specific agencies to appoint privacy and civil
liberties officers. The law also contains some whistleblower
protections, preventing reprisals against employees who disclose
possible privacy and civil liberties violations to privacy officers or
the Board. Furthermore, the Privacy Officer of the Department of
Homeland Security is given the power to access records of DHS components
and may, with the permission of the Secretary, issue subpoenas for DHS

Final Text of Implementing Recommendations of the 9/11 Commission Act of


EPIC's Report on Privacy Oversight (September 2006):


EPIC Spotlight on Fusion Centers:


EPIC's Privacy Oversight page:


EPIC's 9/11 Commission page:


[3] Canadian Group Urges Investigation of Google-DoubleClick Merger

In a complaint to the Canadian Commissioner of Competition, the Canadian
Internet Policy and Public Interest Clinic (CIPPIC) at the University of
Ottawa last week requested an investigation into the proposed $3.1
billion merger between Google and Internet advertising company
DoubleClick. CIPPIC said the merger should be reviewed "on the grounds
that it is likely to prevent or lessen competition substantially in the
targeted online advertising industry."

"Through the merger, Google-DoubleClick will gain unprecedented market
power, with which they can manipulate online advertising prices.
Advertisers and web publishers will have no real choice but to choose
Google's advertisement platforms in order to remain visible in the
e-commerce market," said CIPPIC Director Philippa Lawson. CIPPIC cited
the US Federal Trade Commission complaint and supplement filed by EPIC,
the Center for Digital Democracy and the US Public Interest Research
Group, as well as the ongoing European investigations into the merger.
The Federal Trade Commission has made a "second request" to Google
concerning the merger, which means the FTC is closely scrutinizing the
proposed deal under antitrust and privacy issues.

In July, the European Commission Directorate on Competition announced
that it would review the merger. The decision was made shortly after
European consumer group BEUC sent a letter urging the Commission to
investigate the merger, noting that the European Commission has
considered consumer choice as an element in its review of past mergers.
BEUC also reminded the Commission that it has publicly defined its role
as preventing mergers that would deprive consumers of "high quality
products, a wide selection of goods and services, and innovation."

The Article 29 Data Protection Working Party also recently expanded an
investigation of Google's data retention policies after receiving
Google's response to their initial inquiry. The initial review focused
on Google's storage periods of server logs, whereas the Working Party
has indicated that its new investigation will evaluate the previous
analysis in addition to the data protection issues at stake with other
search engines.

Canadian Internet Policy and Public Interest Clinic, Section 9
Application for an Inquiry into the Proposed Merger of Google, Inc. and
DoubleClick Inc. (Aug. 2, 2007) (pdf):


The European Commission Directorate on Competition:


BEUC's letter on Proposed Acquisition of DoubleClick by Google (pdf):


Article 29 Data Protection Working Party Press Release (pdf):


EPIC's page on Proposed Google/DoubleClick Merger:


Federal Trade Commission, Press Release: FTC to Host Town Hall to
Examine Privacy Issues and Online Behavioral Advertising (Aug. 6, 2007):


[4] Homeland Security Revamps Traveler Profiling Programs

The Department of Homeland Security announced revisions to two passenger
profiling programs this week: the Automated Targeting System and Secure
Flight. However, privacy and security threats remain in both programs.
DHS also announced a final rule on the Advance Passenger Information

The Advance Passenger Information System final rule "enables DHS to
collect manifest information for international flights departing from or
arriving in the United States prior to boarding," DHS said. The rule
requires air carriers to transmit manifests 30 minutes before departure
or "provide manifest information on passengers as each passenger checks
in for the flight, up to the time when aircraft doors are secured." For
vessels departing from foreign ports to the United States, the rule does
not change current requirements to transmit passenger and crew arrival
manifest data between 24 and 96 hours prior to arrival, "but requires
vessel carriers to transmit [Advance Passenger Information System] data
60 minutes prior to departure from the United States."

In response to a November rulemaking, DHS announced changes to the
Automated Targeting System, a federal database that created secret,
terrorist ratings on tens of millions of American citizens. The system
was originally established to assess cargo that might pose a threat to
the United States. Since 1999, ATS was used to assign a "risk
assessment," which is essentially a terrorist risk rating, to all people
"seeking to enter or exit the United States," "engag[ing] in any form of
trade or other commercial transaction related to the importation or
exportation of merchandise," "employed in any capacity related to the
transit of merchandise intended to cross the United States border," and
"serv[ing] as operators, crew, or passengers on any vessel, vehicle,
aircraft, or train who enters or exits the United States."

Some positive changes to ATS include a significant reduction in the data
retention period (from 40 years to 15 years) and the elimination of a
routine use that was unnecessary and far too broad (it allowed data to
be used for hiring decisions). However, there remain many of the
security and privacy risks outlined in comments previously filed by
EPIC, 29 organizations and 16 privacy and technology experts that urged
the agency to suspend the program and to fully enforce Privacy Act
obligations. Most importantly, the Automated Targeting System still
creates terrorist risk profiles that are secret and unreviewable.

DHS released a Response to Public Comments to the November 2006 ATS
Rulemaking, new Notice of Proposed Rulemaking, System of Records Notice
and Privacy Impact Assessment concerning the revised Automated Targeting
System. Comments on this new rulemaking are due on September 5.

More than a year after Secure Flight was suspended for a comprehensive
review, the Department of Homeland Security has announced major
revisions to the program. Previously, DHS sought to use Secure Flight to
assess possibilities for criminal behavior from travelers. The new
program will "determine if passenger data matches the information on
government watch lists, and transmit matching results to aircraft
operators," according to DHS. Currently, the airlines run passenger
names against the watch lists.

Secure Flight was grounded in February 2006 after government
investigations found numerous security and privacy vulnerabilities. One
report said the program had inconclusive risk assessments and 144 known
security vulnerabilities. In February 2007, the head of the
Transportation Security Administration said full implementation of
Secure Flight would be delayed until 2010, at least five years behind

There are ongoing concerns about the secrecy and accuracy of watch lists
and adequacy of redress procedures. In February comments to the
Department of Homeland Security, EPIC urged the agency to fully apply
Privacy Act requirements of notice, access, and correction to the new
traveler redress program and its underlying system of watch lists. EPIC
noted that the federal watch lists are full of errors. In December 2005,
the director of TSA's redress office revealed that more than 30,000
people who are not terrorists have asked TSA to remove their names from
the lists since September 11, 2001. Earlier this year, the head of the
Transportation Security Administration said that the watchlists were
being reviewed, and he expected to cut the list of names in half.

The Secure Flight Notice of Proposed Rulemaking has not yet been
published in the Federal Register; comments will be due 60 days after
publication. DHS has posted a copy of the notice on its site.

Department of Homeland Security, Press Release: Statement by Homeland
Security Chief Privacy Officer Hugo Teufel III on the Privacy Act System
of Records Notice for the Automated Targeting System (Aug. 3, 2007)
(including links to the Response to Public Comments to the November 2006
ATS Rulemaking, Current Notice of Proposed Rulemaking, System of Records
Notice and Privacy Impact Assessment):


Department of Homeland Security, Press Release: DHS Announces
Predeparture Screening of International Passengers and First Step Toward
Secure Flight (Aug. 9, 2007) (including link to the Notice of Proposed


Comments on ATS of EPIC, 29 organizations and 16 privacy and technology
experts (Dec. 4, 2006) (pdf):


EPIC's Comments to the Department of Homeland Security about TRIP (Feb.
20, 2007) (pdf):


EPIC's page on the Automated Targeting System:


EPIC's page on Secure Flight:


[5] Senate Passes Leahy-Cornyn Open Government Bill

The Senate has passed a freedom of information bill introduced by
Senators Leahy and Cornyn. The Openness Promotes Effectiveness in our
National Government Act (OPEN Government Act), S.849, ensures that
anyone who gathers information to inform the public, including freelance
journalists and bloggers, may seek a fee waiver when they request
information under FOIA. The bill also clarifies that the definition of
news media, for purposes of FOIA fee waivers, includes free newspapers
and individuals performing a media function who do not necessarily have
a prior history of publication.

Further, the bill imposes a 20-day time frame for responding to
requests, and allows FOIA requesters to obtain attorneys' fees when they
file a lawsuit to obtain records from the government and the government
releases those records before the court orders them to do so. The bill
also creates an Office of Government Information Services in the
National Archives, an ombudsman to mediate agency-level FOIA disputes,
and a Chief FOIA Officer in every federal agency. The bill also creates
a hotline service for all federal agencies, so that requesters can track
their requests.

Finally, the bill also clarifies that FOIA applies to agency records
that are held by outside private contractors, no matter where these
records are located. The OPEN Government Act, the first major FOIA
reform in over a decade, “will help to reverse the troubling trends of
excessive delays and lax FOIA compliance in our government and help to
restore the public's trust in their government.  This bill will also
improve transparency in the Federal Government's FOIA process,”
according to Senator Leahy.

Openness Promotes Effectiveness in our National Government Act (the
“OPEN Government Act”), S.849:


Senator Leahy Statement, "Bipartisan Leahy-Cornyn Bill Passes Senate,
On Course To Increase Government Transparency" (Aug. 6, 2007)


EPIC's FOIA page:


[6] News in Brief

EPIC Warns Federal Agencies About RFID in US Travel Cards

In comments to the departments of State and Homeland Security, EPIC
recommended against the use of "long-range" RFID technology (which
transmits personal data to remote tracking devices) in the proposed
"PASS card" for travel between the United States, Canada, Mexico, and
the Caribbean. EPIC explained that the tracking technology would
jeopardize the privacy and security of US travelers, and urged the
agencies to delay the implementation of the passport card requirement
until solutions can be found for the extraordinary delays, problems,
costs and privacy risks. Earlier this year, Homeland Security abandoned
a similar proposal for US-VISIT travel documents, following criticisms
from EPIC and the Government Accountability Office. EPIC also noted
that, although the PASS card notice was released on June 26, 2007 and
comments are due on or before August 27, the Privacy Impact Assessment
for the proposed long-range tracking program was not released until
August 10. In the last two fiscal years, DHS has only published 45 of
the 189 required Privacy Impact Assessments.

EPIC's Comments on the Western Hemisphere Travel Initiative (August 1,
2007) (pdf):


EPIC's page on RFID:


Border Security Computer System Plagued With Problems

The computer system for border control program US-VISIT is riddled with
security vulnerabilities, according to a new report from the Government
Accountability Office, which outlined security risks in the system last
year. "Weaknesses existed in all control areas and computing device
types reviewed," the GAO said. Security flaws in the network used at 400
entry points nationwide increase the risk of theft or manipulation of
tens of millions of identity records, which include passport, visa,
Social Security and biometric data. In 2005, a computer virus crashed
the US-VISIT system. According to documents released to Wired News under
the Freedom of Information Act, DHS knew of the software vulnerability,
but deliberately chose to leave more than 1,300 sensitive US-VISIT
workstations vulnerable to attack. EPIC has repeatedly criticized many
security and privacy flaws in the US-VISIT system.

Government Accountability Office, "Information Security: Homeland
Security Needs to Immediately Address Significant Weaknesses in Systems
Supporting the US-VISIT Program GAO-07-870" (July 2007) (pdf):


EPIC's page on US-VISIT:


FTC Seeks Public Comments on SSN Uses

The Federal Trade Commission (FTC) is requesting public comments on
private sector Social Security Number uses. This follows the President's
Identity Theft Task Force's April recommendation that agencies develop a
record on the extent and necessity of private sector SSN use. The FTC is
requesting that industry, academics, consumer advocates and law
enforcement submit comments on private sector Social Security Number
uses; the necessity of these uses; what alternatives are available and
how to transition to alternative identifiers; and how Social Security
Numbers are gathered by identity thieves.

FTC Request for Comments on Social Security Numbers:


President's Identity Theft Task Force:


EPIC Comments to Identity Theft Task Force (pdf):


OECD Communications Outlook 2007 Now Available

The biannual OECD Communications Outlook is now available. The 2007
edition provides an extensive range of indicators on the development of
different communications networks and compares performance indicators
such as revenue, investment, employment and prices for services
throughout the OECD area. These indicators are essential for industry
participants and for regulators who use benchmarking to evaluate policy
performance. This book is based on the data from the OECD
Telecommunications Database 2007, which provides time series of
telecommunications and economic indicators, such as network dimension,
revenues, investment and employment, for OECD countries from 1980 to

OECD Communications Outlook 2007:


EPIC Files Comments on E911, Proposes Greater Location Privacy

EPIC filed comments to the Federal Communications Commission on proposed
rules for Enhanced 911 location information. Wireless telephone
providers are required to meet certain standards for location accuracy.
The FCC requested comments on location accuracy standards as well as
extending the rules to VOIP services. EPIC reminded the FCC that current
privacy rules do not adequately protect location information. EPIC
proposed that location privacy rules should improve with location
accuracy, and that there should be consistent privacy rules for VOIP and
other services.

EPIC's Comments on E911 (pdf):


EPIC's CPNI page:


Cable Industry Opposes Consumer Privacy Safeguards

The National Cable and Telecommunications Association has filed a
complaint with a federal appeals court challenging the FCC's rule that
would protect consumers' telephone record information.
EPIC petitioned the FCC to establish these safeguards after mounting
evidence of "pretexting" and identity theft, based on the misuse of
telephone records. The industry groups claim a First Amendment right to
disclose customer information. Courts have typically rejected that

FCC, "Telecommunications Carriers’ Use of Customer Proprietary
Network Information and Other Customer Information" (Apr. 2, 2007):




[7] EPIC Bookstore: "Complete Guide to Security and Privacy Metrics"

Complete Guide to Security and Privacy Metrics by Debra S. Herrmann
(Auerbach Publications, 2007)


Measuring compliance with privacy and security standards has never been
an easy task. Many privacy principles are vague ("collection
limitation") and many well defined security requirements are largely
unrelated to significant privacy concerns. The law has also thrown up
its hands when it comes to measuring privacy harms. Privacy statutes
typically designate a fixed amount for a privacy violation. Not
surprisingly, privacy and security do not fare well under a cost benefit
analysis. As a consequence, security breaches are widespread and
identity theft is, according to the Federal Trade Commission, the number
one concern of American consumers.

Enter this remarkably comprehensive, clearly written, and well organized
manual. Debra Herrmann has broad experience in IT development and system
evaluation in the federal government, and a deep regard for privacy
protection. Though the book is primarily directed toward IT managers, it
is well informed by privacy law and policy. The guide offers plenty of
checklists to evaluate key security factors. It also touches upon
several of the hot button privacy concerns, including problems with RFID
tags and the battles over the use of encryption.

For agency officials who are preparing a privacy impact assessment or
privacy experts who want to learn more about the hard work of system
security, the Complete Guide to Security and Privacy Metrics is an
unbeatable resource.

-- Marc Rotenberg


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

7th Annual Future of Music Policy Summit. September 17-18, 2007.
Washington, DC. For more information

PIPA Conference: Private Sector Privacy in a Changing World. September
20-21, 2007. Vancouver, Canada. For more information:

Civil Society Privacy Conference: Privacy Rights in a World Under
Surveillance. September 25, 2007. Montreal, Canada. For more

29th International Conference of Data Protection and Privacy
Commissioners. September 25-28, 2007.  Montreal, Canada. For more

Internet Bill of Rights meeting. September 27, 2007. Rome, Italy. For
more information: http://www.internet-bill-of-rights.org/en/

OECD and Industry Canada: Shaping Policies for Creativity, Confidence
and Convergence in the Digital World. October 3, 2007. Ottawa, Canada.
For more information:

University of Ottawa Faculty of Law: The Revealed "I". October 25-27,
2007. Ottawa, Canada. For more information:

Computer Professionals for Social Responsibility: Technology in Wartime
Conference. January 26, 2008. Stanford University. For more
information: http://cpsr.org/news/compiler/2007/Compiler200707#twc

Future of the Internet Economy - OECD Ministerial Meeting. June 14-18,
2008. Seoul, Korea. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 14.16 -------------------------