========================================================================
                          E P I C   A l e r t
========================================================================
Volume 14.17                                            August 24, 2007
------------------------------------------------------------------------
                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

              http://www.epic.org/alert/EPIC_Alert_14.17.html

========================================================================
Table of Contents
========================================================================
[1] EPIC Urges Court to Consider Privacy Interest in De-Identified Data
[2] Iraq Database a Potential "Hit List," Acknowledges Program Officer
[3] Spy Chief Opens Up On Surveillance
[4] Pentagon to End Threat Database
[5] Electronic Voting System Identifies Voters
[6] News in Brief
[7] EPIC Bookstore: "Information Security and Privacy"
[8] Upcoming Conferences and Events

========================================================================
[1] EPIC Urges Court to Consider Privacy Interest in De-Identified Data
========================================================================

EPIC and 16 experts in privacy law and technology filed a "friend of the court" brief on Monday in a case concerning a New Hampshire state law banning the sale of prescriber-identifiable prescription drug data for marketing purposes. The experts urged the First Circuit Court of Appeals to reverse the ruling of the lower court, which held that the New Hampshire Prescription Confidentiality Act violated the free speech rights of data mining companies IMS Health Inc. and Verispan LLC.

On June 30, 2006, the New Hampshire legislature unanimously passed the Prescription Confidentiality Act, which prohibits prescription information records that contain patient- or prescriber-identifiable data from being transferred, licensed, sold, or used for most commercial purposes. This includes marketing, advertising, and other forms of promotion.
The Act specifically bars the use of prescriber-identifiable data for "physician detailing," which involves the sale of patient prescription records to datamining firms that generate sales leads for pharmaceutical companies. The Act explicitly permitted the use of this data for such non-commercial purposes as research and education.

The Plaintiffs-Appellees, IMS Health and Verispan, are both data mining companies which purchase and compile prescription information in order to sell the data. In the District Court, IMS Health and Verispan alleged that the new Act violated their First Amendment right to free speech, claiming that: 1) the law was subject to strict scrutiny because it provided a content-based restriction on non-commercial free speech; 2) the law violated the First Amendment because it was not narrowly tailored to serve compelling state interests; and 3) if the judge determined that the law was subject to intermediate scrutiny because it only restricted commercial speech, it still did not advance a substantial government interest in a narrowly tailored way.

In the State's defense, the Attorney General argued: 1) that the law did not implicate the First Amendment because it did not regulate speech; and even if the Act did implicate speech, 2) the law should survive intermediate scrutiny because it advanced the State's substantial interests in promoting public health, controlling health care costs and protecting the privacy of patients and doctors, while still allowing the data to be used for non-commercial purposes.

The District Court rejected all of the Attorney General's arguments, finding that the government did not have an interest in "preventing the dissemination of truthful commercial information" and that the law was more expansive than necessary to promote the State's interests. The District Court held that the Act did not advance a substantial interest in protecting the privacy of patients and health care providers.
New Hampshire appealed to the First Circuit Court of Appeals, which will soon hear the case.

There are approximately 1.4 million health care providers in the United States. These providers write billions of prescriptions each year for more than 8,000 different pharmaceutical products, which are filled at 54,000 retail pharmacies throughout the country. For every prescription they fill, the retail pharmacies acquire records, which include: patient name; prescriber identification; drug name; dosage requirement; quantity; and date filled. In order to comply with federal and state privacy laws, patient-identifying information is encrypted and de-identified, often with software installed by the datamining companies themselves. The rest of the prescription record remains intact. Thus, a patient's entire drug history is correlated, and each provider can be identified along with its prescribing habits. This practice raises privacy concerns for both patients and health care providers, said EPIC and the 16 experts in their brief.

EPIC and the experts said the lower court should be reversed, because it failed to consider the substantial privacy interest in de-identified patient data. Although de-identification measures are increasingly innovative and computationally complex, patient data is still vulnerable to attacks because sophisticated re-identification programs are also being developed, the experts said. Individuals can be re-identified by taking information such as zip code, date of birth, and gender and comparing it to publicly available information. Such information is easily accessible via birth and death records, incarceration reports, voter registration files, and driver's license information. This privacy interest in part flows from the reality that data may not be, in fact, truly de-identified, and also because de-identified data does impact actual individuals.
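As an added illustration (not from the brief, EPIC, or the newsletter), the following Python measures, on constructed and entirely fictitious records, the linkage risk the experts describe: how many extract records share each zip code/date of birth/sex combination, which combinations match exactly one entry in a public voter roll, and how coarsening those fields removes the unique matches. All names, zip codes and dates are made up.

```python
"""Measure the linkage (re-identification) risk in a 'de-identified' extract.

Constructed, fictitious data: a prescription extract whose direct identifiers
were removed but which kept zip code, date of birth and sex, plus a small
public voter roll. k_anonymity() counts how many extract records share each
quasi-identifier combination; uniquely_linkable() finds the combinations that
match exactly one public record, i.e. the drug histories an outsider could
attribute to a named person. generalize() shows the usual mitigation:
coarsening the quasi-identifiers until no combination is unique.
"""
from collections import Counter, defaultdict

# Constructed sample records; direct identifiers (name, address) already removed.
PRESCRIPTIONS = [
    {"zip": "03301", "dob": "1961-04-12", "sex": "F", "drug": "atorvastatin"},
    {"zip": "03301", "dob": "1961-11-03", "sex": "F", "drug": "metformin"},
    {"zip": "03301", "dob": "1975-09-30", "sex": "M", "drug": "sertraline"},
    {"zip": "03305", "dob": "1975-02-14", "sex": "M", "drug": "bupropion"},
    {"zip": "03104", "dob": "1988-01-02", "sex": "M", "drug": "lisinopril"},
    {"zip": "03104", "dob": "1988-01-02", "sex": "M", "drug": "amoxicillin"},
]

# Constructed sample of a public voter roll; the name is the direct identifier.
VOTER_ROLL = [
    {"name": "Voter A", "zip": "03301", "dob": "1961-04-12", "sex": "F"},
    {"name": "Voter B", "zip": "03301", "dob": "1961-11-03", "sex": "F"},
    {"name": "Voter C", "zip": "03301", "dob": "1975-09-30", "sex": "M"},
    {"name": "Voter D", "zip": "03305", "dob": "1975-02-14", "sex": "M"},
    {"name": "Voter E", "zip": "03104", "dob": "1988-01-02", "sex": "M"},
    {"name": "Voter F", "zip": "03104", "dob": "1988-01-02", "sex": "M"},
]

QUASI_IDS = ("zip", "dob", "sex")


def quasi_key(record, fields=QUASI_IDS):
    """The quasi-identifier tuple that a linkage would match on."""
    return tuple(record[f] for f in fields)


def k_anonymity(records, fields=QUASI_IDS):
    """Map each quasi-identifier combination to the number of records sharing it."""
    return Counter(quasi_key(r, fields) for r in records)


def min_k(records, fields=QUASI_IDS):
    """Size of the smallest equivalence class; the extract is k-anonymous for this k.

    k counts records, not people: two prescriptions for the same patient give
    k == 2 without protecting anyone, so k alone is a weak assurance.
    """
    return min(k_anonymity(records, fields).values())


def uniquely_linkable(records, public, fields=QUASI_IDS):
    """Return {quasi_key: name} for combinations matching exactly one public record.

    Danger depends on the public population, not only on k inside the
    extract: a combination matching two voters is ambiguous, while a unique
    match reveals the person behind the record.
    """
    names_by_key = defaultdict(list)
    for person in public:
        names_by_key[quasi_key(person, fields)].append(person["name"])
    keys_in_extract = {quasi_key(r, fields) for r in records}
    return {key: names_by_key[key][0]
            for key in keys_in_extract if len(names_by_key[key]) == 1}


def attributed_histories(records, public, fields=QUASI_IDS):
    """Full drug history per re-identified person: the harm the brief describes."""
    links = uniquely_linkable(records, public, fields)
    histories = defaultdict(list)
    for r in records:
        key = quasi_key(r, fields)
        if key in links:
            histories[links[key]].append(r["drug"])
    return dict(histories)


def generalize(record):
    """Coarsen the quasi-identifiers to a 3-digit zip prefix and birth year only."""
    out = dict(record)
    out["zip"] = record["zip"][:3]
    out["dob"] = record["dob"][:4]
    return out


if __name__ == "__main__":
    print("k-anonymity of the extract as released:", min_k(PRESCRIPTIONS))
    print("histories attributable by linkage:",
          attributed_histories(PRESCRIPTIONS, VOTER_ROLL))
    gen_extract = [generalize(r) for r in PRESCRIPTIONS]
    gen_public = [generalize(p) for p in VOTER_ROLL]
    print("k-anonymity after generalization:", min_k(gen_extract))
    print("attributable after generalization:",
          attributed_histories(gen_extract, gen_public))
```

On this sample four of the five combinations in the released extract match exactly one voter, so four patients' drug histories become attributable; after generalization every combination is shared by two records and two voters, and nothing is uniquely linkable.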
The experts explained that (1) the information is not truly anonymized; (2) as a result, there are real dangers to patient privacy in having this data trade, and therefore (3) the state interest in protecting patient privacy, ignored by the court below, requires reversal.

Amicus Brief of EPIC and 16 Experts in Privacy Law and Technology (August 20, 2007) (pdf):
http://www.epic.org/privacy/imshealth/epic_ims.pdf

Opinion of the District Court (April 30, 2007) (pdf):
http://www.epic.org/privacy/imshealth/dist_ct_op.pdf

New Hampshire Prescription Confidentiality Act:
http://www.gencourt.state.nh.us/legislation/2006/HB1346.html

EPIC's page on IMS Health v. Ayotte:
http://www.epic.org/privacy/imshealth/

========================================================================
[2] Iraq Database a Potential "Hit List," Acknowledges Program Officer
========================================================================

This week, the biometrics program manager in Iraq expressed concern that the database containing biometrics and secret files on thousands of Iraqis could "become a hit list if it gets in the wrong hands." According to Lt. Col. Velliquette, the Iraqi system has approximately 750,000 records in its database. Currently, the U.S. military administers the database of Iraqis' personal information. According to reports, U.S. troops are using mobile scanners to take fingerprints and eye scans and to input other personal data from Iraqis at checkpoints, workplaces, the sites of attacks, and door-to-door canvasses. The database information is tied to other Iraq biometric databases at the Biometric Fusion Center in West Virginia. There are at least 31 U.S. officials who have access to the database, but this number is likely much higher. Further, the idea of the U.S. military turning over the database system to the Iraqi government is already under discussion.
In July, EPIC, Privacy International, and Human Rights Watch wrote to the US Defense Secretary to warn that the system will lead to reprisals and further killings. The letter draws attention to international privacy obligations, including Article 12 of the Universal Declaration of Human Rights, a document that the United States has endorsed. As the USA Today article notes, "Many Iraqis carry fake IDs with last names that suggest a sectarian background other than their own - a method of survival in a country where violence between Sunnis and Shiites have killed thousands since the war began." There is as yet no indication of any privacy safeguards protecting against the risk that this information will be used to fuel ethnic cleansing.

A 2007 report from the Pentagon's Defense Science Board stated that military use of biometric data raises substantial privacy concerns.

Letter from privacy groups to Robert Gates, Secretary of Defense, July 27, 2007 (pdf):
http://www.epic.org/privacy/biometrics/epic_iraq_dtbs.pdf

Council on Foreign Relations, "A National ID Program for Iraq?":
http://www.cfr.org/publication/13463/

EPIC's Iraqi Biometric ID page:
http://www.epic.org/privacy/biometrics/iraq.html

Human Rights Watch's page on Iraq:
http://www.hrw.org/doc?t=mideast&c=iraq

EPIC's page on Biometric Identifiers:
http://www.epic.org/privacy/biometrics/

========================================================================
[3] Spy Chief Opens Up On Surveillance
========================================================================

In an on-the-record discussion with the El Paso Times, Director of National Intelligence Michael McConnell discussed past and current surveillance activities and border security. For the first time, an administration official confirmed that private sector companies illegally assisted with the President's domestic spying program. Several telecommunication companies are being sued for this, and McConnell says these lawsuits will bankrupt them.
McConnell argued that these companies should have immunity for any past violations of privacy laws, not just the going-forward immunity that the new Foreign Intelligence Surveillance Act (FISA) provides.

McConnell also added details to the impetus behind the recent revisions in FISA. A FISA court judge refused to authorize certain interceptions of wired communications without a warrant. Complaining that it took 200 man-hours to craft a warrant, McConnell argued that surveillance of a foreigner in a foreign country should not be restricted. The new FISA law removes from the jurisdiction of the FISA court surveillance that is "directed at" a person "reasonably believed to be outside of the United States." The bill, passed in July at the end of the legislative session, was first submitted by the administration in April. While the administration's original proposal was 66 pages, the final document was only 11 pages in length. McConnell said that he had problems with one alternative proposal because of language concerning minimization, but he did not elaborate.

McConnell stated that under 100 US persons -- citizens or foreigners in the United States -- are monitored. Foreign numbers range in the thousands. McConnell described the surveillance program as "surgical." According to the Department of Justice, there were 2,181 applications to the Foreign Intelligence Surveillance Court for authority to conduct electronic surveillance and physical searches for foreign intelligence purposes. Of the 2,181 applications submitted, 2,176 applications were granted.
Transcript: Debate on Foreign Intelligence Surveillance Act:
http://www.elpasotimes.com/news/ci_6685679

EPIC's Page on Foreign Intelligence Surveillance Act:
http://www.epic.org/privacy/terrorism/fisa/

========================================================================
[4] Pentagon to End Threat Database
========================================================================

The Pentagon will end its Threat and Local Observation Notices (TALON) Program. The program collects reports of activities that are alleged to be threats to the Defense Department. The program will be shut down as of September 17, 2007. The Pentagon promises to propose a new program for threat reporting. In the interim, information that the Pentagon collects will be forwarded to the FBI's Guardian database. Earlier this spring the Pentagon's intelligence chief, James Clapper, had recommended that the program be shut down. At that time Clapper said that the department would continue "to document and assess potential threats to Defense Department resources."

The TALON program was heavily criticized, and the Pentagon had to apologize, after documents revealed that TALON collected data on peaceful anti-war and anti-nuclear meetings and protests. The documents revealing this surveillance were obtained pursuant to the Freedom of Information Act by the Servicemembers Legal Defense Network and the ACLU. The department admitted that it had kept the information beyond the 90 days its guidelines allowed, even after determining that the protests posed no threat. The department also monitored student speech and e-mails at several universities across the country, tracking students involved in protesting military policies.

The interim replacement is the FBI-run Guardian Threat Tracking System. The Guardian system follows all threats that FBI field offices choose to enter into it. As of 2005, Guardian contained 40,000 threats.
Future phases are planned where Guardian data is shared via a web-based application with state and local law enforcement officials. Guardian contains threats classified up to a "secret" level. Federal and state law enforcement also share data via Joint Terrorism Task Forces and Information Fusion Centers.

DoD to Implement Interim Threat Reporting Procedures:
http://www.defenselink.mil/releases/release.aspx?releaseid=11251

Pentagon to shut down controversial database:
http://www.msnbc.msn.com/id/20375361/

EPIC's page on Information Fusion Centers and Privacy:
http://www.epic.org/privacy/fusion/

========================================================================
[5] Electronic Voting System Identifies Voters
========================================================================

Research undertaken by The Public Ballot, a voter privacy organization, and reported on by CNET.com revealed that Ohio voter privacy is threatened by Election Systems and Software's voting machines. The method of affixing a time stamp to each voter-verified paper audit record is cited as the source of the voter privacy problem. The state of Ohio, along with retaining these records, also retains the poll registration logs, which note the time each voter enters the voting process. Both types of information are treated as public information and are available upon request, so matching the two sets of time stamps can link a paper audit record to the voter who produced it.

Federal and state courts and legislatures have historically taken measures to protect the right of voters to vote their conscience without fear of retaliation. United States law requires that "All votes for Representatives in Congress must be by written or printed ballot, or voting machine, the use of which has been duly authorized by the State law; and all votes received or recorded contrary to this section shall be of no effect."
The statute defines "ballot" in election provisions to mean a "method which will insure, so far as possible, secrecy and integrity of popular vote," and interprets the Congressional requirement that elections be conducted by written or printed ballots or by machine to include the notion that ballots must be secret. EPIC's project, the National Committee for Voting Integrity, has testified before the Election Assistance Commission and submitted testimony to House and Senate Committees with jurisdiction in this area on the problems associated with electronically produced ballots and the need to protect voter privacy.

EPIC's Voting Privacy page:
http://www.epic.org/privacy/voting/

National Committee for Voting Integrity:
http://votingintegrity.org/

========================================================================
[6] News in Brief
========================================================================

FISA Court to Review Disclosure of Documents

The Foreign Intelligence Surveillance Court required the Government to respond to an ACLU request for the release of legal opinions concerning the secret surveillance of Americans. The ACLU requested documents on the legal reasoning on the scope of the government's wiretap authorities. The government must respond by August 31, 2007.

The 9th Circuit Court of Appeals heard arguments in the case of Hepting v. AT&T. In the class action lawsuit, customers accuse AT&T of violating privacy laws by participating in government surveillance programs. The government argued for the dismissal of the lawsuit because it threatened to expose state secrets. The Electronic Frontier Foundation, lawyers for Hepting, argued that the courts can adequately protect state secrets while enforcing the law. EPIC, in cooperation with the Stanford Constitutional Law Center, filed a friend-of-the-court brief in "Hepting v. AT&T."
The EPIC brief states, "The statutes and constitutional provisions relied upon in the complaint are designed to interpose the courts between citizens and the government when government conducts surveillance that it naturally would prefer to conduct in secret and wholly at its own discretion . . . This litigation should thus proceed, lest the privacy claims here be made effectively unreviewable."

EPIC's Hepting v. AT&T page:
http://www.epic.org/privacy/hepting/

EPIC's Resources on Domestic Surveillance:
http://www.epic.org/features/surveillance.html

DHS Warns States to Implement REAL ID

In a speech to the National Conference of State Legislatures earlier this month, DHS Secretary Michael Chertoff told states that citizens in states that do not implement REAL ID will have to use passports for federal purposes, such as entering courthouses or flying domestically. Passports currently cost $97 each, and the State Department admitted in July that there is a significant backlog in processing passports because of, among other things, "inept planning, underfunded preparations, and popular misunderstanding of poorly crafted government advertising."

In May, EPIC and 24 experts in privacy and technology submitted comments on DHS's draft implementation regulations for the REAL ID Act warning the federal agency not to go forward with the proposal. The group said that the ill-conceived plan would create new security risks for the American public, such as increasing the risk of and the damage caused by identity theft. "DHS has the obligation to protect the privacy of citizens affected by this system and must do more than the feeble attempts set out in the draft regulations," the group said. Seventeen states have passed legislation against REAL ID. There also are bills to repeal REAL ID in both the U.S. House and Senate.
Department of Homeland Security's Rulemaking on REAL ID:
http://www.dhs.gov/xprevprot/laws/gc_1172765386179.shtm

EPIC's page on National ID Cards and the REAL ID Act:
http://www.epic.org/privacy/id_cards/

US Broadens Use of Domestic Satellites

The Director of National Intelligence, Michael McConnell, authorized the sharing of spy satellite information with non-intelligence state, local and federal agencies. The Department of Homeland Security, via its new National Applications Office, will be coordinating access to the information. It is expected that these entities will have access not just to imagery, but also to the intelligence agencies' analysis and production capabilities. These spy systems provide real-time capabilities, have more detail, and detect more information than commercially available satellite imagery.

US To Expand Domestic Use of Spy Satellites:
http://online.wsj.com/article/SB118714764716998275.html

EPIC's Video Surveillance page:
http://www.epic.org/privacy/surveillance/

China Creates Vast Program for Surveillance and Identification of Its Citizens

At least 20,000 police surveillance cameras are being installed along streets in Shenzhen, in southern China, and will soon be guided by sophisticated computer software from an American-financed company to recognize automatically the faces of police suspects and detect unusual activity. Starting this month in a port neighborhood and then spreading across Shenzhen, a city of 12.4 million people, residency cards fitted with powerful computer chips programmed by the same company will be issued to most citizens. Data on the chip will include not just the citizen's name and address but also work history, educational background, religion, ethnicity, police record, medical insurance status and landlord's phone number. Even personal reproductive history will be included, for enforcement of China's controversial "one child" policy.
EPIC's Video Surveillance page:
http://www.epic.org/privacy/surveillance/

Privacy and Human Rights Report 2006:
http://www.epic.org/phr06/

OECD Public Consultation Open

The OECD has launched an online public consultation process to receive input on the proposed themes and issues of the upcoming OECD Ministerial to be held in Seoul, Korea on June 17-18, 2008. The theme of the Ministerial is the "Future of the Internet Economy." The Ministerial represents an opportunity for high-level stakeholders from government, business, the technical community, and civil society to consider broad social, economic and technical trends shaping the development of the Internet Economy, and to discuss policies that can respond to evolving societal needs. The Online Public Consultation is one of a series of initiatives aimed at involving non-governmental stakeholders in the OECD Ministerial meeting and in its preparation. The public consultation will be open until Friday, September 14, 2007.

OECD Online Public Consultation:
http://www.oecd.org/document/9/0,3343,en_21571361_38415463_38985417_1_1_1_1,00.html

The Public Voice:
http://www.thepublicvoice.org

========================================================================
[7] EPIC Bookstore: "Information Security and Privacy"
========================================================================

Information Security and Privacy: A Practical Guide to Federal, State and International Law by Andrew Serwin (Thomson West, 2007)
http://west.thomson.com/store/product.aspx?r=138790&product_id=40540966

California lawyer Andrew Serwin's new privacy and information security text provides a comprehensive understanding of the issues surrounding the collection of information, the regulatory schemes currently in place, and the steps that are required for compliance with privacy legislation. The author provides detailed coverage of a wide range of subjects in the ever-expanding field of data privacy and security.
The main focus of the reference book is on US federal and state law, but it also includes two chapters on international privacy law, which describe the legal frameworks of select EU countries as well as Argentina, Canada and Japan. Each section provides an overview of the topic, followed by relevant federal laws and specific state provisions. Topics include general privacy restrictions, including Internet and telecom privacy laws, financial privacy, medical privacy, unauthorized access to networks, wiretapping and privacy in electronic communications including employee monitoring, data security and data destruction. It also covers state laws regarding security breaches, Social Security number restrictions, identity theft, Internet privacy, and phishing and pharming laws. As noted by the publisher, Serwin's text "not only provides the pertinent regulations in a user-friendly reference, but also offers analysis and practical advice."

-- Allison Knight

================================

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.
http://www.epic.org/bookstore/phr2005/phr2005.html

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.

================================

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/features/epic/epic.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes

========================================================================
[8] Upcoming Conferences and Events
========================================================================

7th Annual Future of Music Policy Summit. September 17-18, 2007. Washington, DC. For more information:
http://www.futureofmusic.org/events/summit07/

PIPA Conference: Private Sector Privacy in a Changing World. September 20-21, 2007. Vancouver, Canada.
For more information:
http://www.verney.ca/pipa2007/

Civil Society Privacy Conference: Privacy Rights in a World Under Surveillance. September 25, 2007. Montreal, Canada. For more information:
http://www.thepublicvoice.org/events/montreal07/default.html

29th International Conference of Data Protection and Privacy Commissioners. September 25-28, 2007. Montreal, Canada. For more information:
http://www.privacyconference2007.gc.ca/Terra_Incognita_home_E.html

Internet Bill of Rights meeting. September 27, 2007. Rome, Italy. For more information:
http://www.internet-bill-of-rights.org/en/

OECD and Industry Canada: Shaping Policies for Creativity, Confidence and Convergence in the Digital World. October 3, 2007. Ottawa, Canada. For more information:
http://www.oecd.org/futureinternet/participativeweb

University of Ottawa Faculty of Law: The Revealed "I". October 25-27, 2007. Ottawa, Canada. For more information:
http://www.idtrail.org/content/section/11/95/

Computer Professionals for Social Responsibility: Technology in Wartime Conference. January 26, 2008. Stanford University. For more information:
http://cpsr.org/news/compiler/2007/Compiler200707#twc

Future of the Internet Economy - OECD Ministerial Meeting. June 14-18, 2008. Seoul, Korea. For more information:
http://www.oecd.org/document/19/0,2340,en_2649_37441_38051667_1_1_1_37441,00.html

========================================================================
Subscription Information
========================================================================

Subscribe/unsubscribe via web interface:
https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.
========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.
------------------------- END EPIC Alert 14.17 -------------------------