========================================================================
E P I C   A l e r t
========================================================================
Volume 14.21                                            October 19, 2007
------------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_14.21.html

========================================================================
Table of Contents
========================================================================
[1] House, Senate Mired in Surveillance Reform
[2] EPIC, Domestic Violence Groups, Propose DC Court Records Privacy
[3] Court Blocks Government Rule on Employment Eligibility Verification
[4] French Protest DNA Database Law
[5] Security Experts Report on Hazards of New Surveillance Architecture
[6] News in Brief
[7] EPIC Bookstore: "The Future of Reputation"
[8] Upcoming Conferences and Events
 - Subscription Information
 - Privacy Policy
 - About EPIC
 - Donate to EPIC

========================================================================
[1] House, Senate Mired in Surveillance Reform
========================================================================

The House of Representatives debated, but did not vote on, the RESTORE Act reforms to the Foreign Intelligence Surveillance Act (FISA). The Senate Intelligence Committee reached a deal with the president to grant immunity to telecommunications companies, but Senator Dodd has vowed to block it.

An alternative proposal to extend this summer's Protect America Act, legislation that amends the Foreign Intelligence Surveillance Act, failed to pass House Committees. The Protect America Act removes some surveillance from the limited FISA court review, allows the government to create more surveillance programs with limited review, and immunizes from lawsuits telecommunications companies who participate in these programs.
The Protect America Act is set to expire in February 2008.

The RESTORE Act provides more avenues for FISA court review. The FISA court will review the procedures used to target people abroad. Further it narrows the scope of new surveillance authorities to include only terrorism and national security, and not broader foreign intelligence information.

The RESTORE Act increases the size of the FISA court from 11 to 15 judges; allows the court to sit together in an en-banc review of individual judges; and authorizes more expenditures on administration staff to handle surveillance applications. Intelligence officials must report their surveillance orders to Congress, as well as perform regular audits every 3 months. Congress also requests an audit of all warrantless surveillance programs. The new provisions of the RESTORE Act are set to expire in December of 2009.

The RESTORE Act does not include immunity for those who participated or continue to participate in illegal surveillance. The president has promised to veto any bill which does not include immunity. Any bill that passes the House will have to be reconciled with a Senate bill, yet to be introduced.

RESTORE Act, H.R. 3773:
http://thomas.loc.gov/cgi-bin/query/z?c110:H.R.3773:

EPIC's page on Foreign Intelligence Surveillance Act:
http://www.epic.org/privacy/terrorism/fisa/

========================================================================
[2] EPIC, Domestic Violence Groups, Propose DC Court Records Privacy
========================================================================

In a response to a request from District of Columbia Superior Court judges, EPIC and domestic violence groups filed comments on privacy in court records. The Court asked for input on a proposal to place domestic violence and domestic relations docket information online for public access.
The comments point to the 2005 Violence Against Women Act (VAWA), which prohibits the Internet publication of certain domestic violence protection order information. VAWA protects the identity and location of protected persons. Information contained in the docket could reveal the identity and location of a protected person. The name of an abuser, and the location from which the abuser is restrained all reveal information about the protected party.

Domestic violence survivors face privacy risks from all sections of the court docket. The mere existence of a public record discloses their location to an abuser. The existence of a domestic violence or a domestic relations record can lead to reputation harms and stigma. Public records facilitate identity theft, and this loss of privacy may lead individuals to wish to avoid the court system. All of these risks are magnified by the fact that data brokers mine public records, commodify and resell them for purposes other than government oversight. Brokers use these records for profiling, direct marketing, and building dossiers on individuals.

The comments recommend a policy that follows VAWA, respects well-established privacy principles, and still permits convenient online access. Individuals should have control over whether their records are placed online. Data brokers should be restricted from accessing records via legal and technical measures. Online record usage should be for limited uses and be accessible only via a password-based login system.
Comments of EPIC and Domestic Violence Groups (pdf):
http://www.epic.org/privacy/dv/DC_court_records.pdf

EPIC's page on Domestic Violence and Privacy:
http://www.epic.org/privacy/dv/

EPIC's page on Privacy and Public Records:
http://www.epic.org/privacy/publicrecords/

========================================================================
[3] Court Blocks Government Rule on Employment Eligibility Verification
========================================================================

A federal judge has issued a temporary restraining order in a lawsuit filed by the AFL-CIO, ACLU, and National Immigration Law Center that prohibits the federal government from enforcing a new rule connected to its employment eligibility verification system (now called "E-Verify"). The rule requires employers to fire employees if they are unable to resolve "no match" discrepancies within 90 days. The federal government is restricted from issuing 140,000 "no match" letters to employers, which would affect about 8 million workers nationwide.

The Department of Homeland Security (DHS) had hoped to expand its employment eligibility verification system, previously called "Basic Pilot," to encompass 6 million employers and 143.6 million workers nationwide. But Congress rejected such legislation this summer, so DHS is attempting to make changes through administrative regulation.

DHS seeks to require more than 200,000 federal contractors to check the agency databases before hiring employees. This is an increase of more than 1,076 percent over the 17,000 employers currently registered in E-Verify. Also, the system would use an "enhanced photograph capability" that would allow employers to check photographs in E-Verify databases. DHS also would expand the number of databases E-Verify checks to include visa and passport databases; and the agency is asking states to "voluntarily" allow DHS access to their motor vehicle databases.
DHS would also require employers to fire employees if they are unable to resolve "no match" discrepancies within 90 days. If the employers do not terminate the workers' employment, the businesses would face fines of $11,000 or more. DHS also would raise fines against employers by 25 percent and increasingly use criminal action against employers, as opposed to administrative action. This "no match" portion is the subject of the lawsuit filed by the AFL-CIO, ACLU and National Immigration Law Center. They seek a permanent ban against implementation by the federal government.

EPIC has repeatedly detailed the myriad of security and privacy problems inherent in the E-Verify system. At a House Subcommittee on Social Security hearing on June 7, EPIC urged the strengthening of privacy safeguards associated with employment eligibility verification systems and said existing agency database problems should be corrected before a nationwide expansion is considered. Federal reviews have deemed the system "seriously flawed in content and accuracy." For example, the Social Security Administration database is estimated to include 18 million incorrect records.

The federal government is also battling Illinois over E-Verify by filing suit in a federal court seeking to block a new Illinois law, claiming it preempts federal law. However, the state law does not place an outright ban on employer use of the voluntary employment eligibility verification system called E-Verify. Instead, the Illinois law prohibits employers from using the system until the federal databases used can be certified as 99 percent accurate.

Temporary Restraining Order Issued on October 10, 2007 (pdf):
http://www.epic.org/redirect/nilc.html

EPIC Spotlight on Surveillance About Problems in E-Verify: "E-Verify System: DHS Changes Name, But Problems Remain for U.S. Workers" (July 2007):
http://www.epic.org/privacy/surveillance/spotlight/0707/

U.S. v. Illinois, U.S.
District Court for the Central District of Illinois, Springfield Division (Sept. 24, 2007) (pdf):
http://www.epic.org/privacy/ssn/usvill_gov_092407.pdf

Illinois's Right to Privacy in the Workplace Act (2007):
http://www.epic.org/redirect/rpwa.html

EPIC's Testimony on Employment Verification Systems before the House Committee on Ways and Means (June 6, 2007) (pdf):
http://www.epic.org/privacy/ssn/eevs_test_060707.pdf

========================================================================
[4] French Protest DNA Database Law
========================================================================

Last week, thousands of French citizens attended a concert organized by SOS Racisme to protest a new proposed law authorizing DNA tests for immigrants. The law authorizes the use of DNA testing to determine whether foreigners applying for visas are actually related to family members they seek to join in France.

Critics of the proposal claim it infringes basic human rights. The main argument against the amendment is that the notion of family in French law is not based on blood, but on recognition of a child as one's own. DNA testing would set up a double standard - one for the French, another for immigrants. The testing could also prejudice the immigration status of stepchildren and adopted children. Another recent amendment to the proposal has limited the testing only to maternity, leaving aside the “potentially embarrassing” question of paternity. The new legislation also stirs up memories of the collaborationist Vichy government during the Nazi occupation of France.
While the legislation states that the tests are voluntary until 2010, and the President has said that the tests “would be used only where there were no clear records 'to prove that children are really your own',” opponents of the proposal claim that applicants will be pressured to submit to DNA testing whenever French embassy authorities question the credibility of their birth certificates, marriage licenses and other documents.

Ironically, the DNA debates coincide with the opening of the new French immigration museum, which is intended to showcase the contributions immigrants have made to France. President Sarkozy was not present at the museum's opening ceremony.

Members of the President's Cabinet have threatened to resign over the proposal. Also, both the chief executive of the African Union and the president of Senegal have publicly criticized the legislation.

US House Representative Tom Tancredo has introduced legislation similar to the French proposal in the US Congress this week.

EPIC's page on Genetic Privacy:
http://www.epic.org/privacy/genetic/

Privacy and Human Rights 2006:
http://www.epic.org/phr06

========================================================================
[5] Security Experts Report on Hazards of New Surveillance Architecture
========================================================================

This summer's Protect America Act (PAA) temporarily authorized warrantless surveillance of communications that Americans have with individuals abroad. The use of this authority will require the deployment of new interception technologies. These new technologies raise several significant security risks.

The report identified the three most serious security risks. The experts pointed to the danger that the system could be exploited by unauthorized users. A Greek wiretapping system was exploited by an as yet unknown party to listen in on government conversations.
FBI documents of the DCS 3000 telephone wiretap system revealed several problems in the system's implementation. This risk turns a surveillance system on its head.

Another risk is the misuse by a trusted insider. Someone with access to the system could use it for improper purposes. Robert Hanssen abused his access to FBI systems to steal information and to track investigations of him. Recently a treasury agent was indicted for using the Treasury Enforcement Communications System (TECS) in order to stalk his former girlfriend.

The third major risk is misuse by the US government. Watergate era investigations revealed wiretaps of Congressional staff and Supreme Court justices. These abuses also targeted non-violent activists such as Martin Luther King, the American Friends Service Committee and the National Association for the Advancement of Colored People.

The security experts provide key recommendations to guard against these risks. First is minimization. Decreasing the number of interception points simplifies security problems. Experts also recommend that architecture be developed with communications carriers, maintaining them as a check on government activity. Finally they recommend independent oversight, with regular detailed reporting.
Risking Communications Security: Potential Hazards of the "Protect America Act" (pdf):
http://www.crypto.com/papers/paa-comsec-draft.pdf

A Gateway For Hackers -- Susan Landau:
http://www.epic.org/redirect/landau.html

Privacy On the Line: The Politics of Wiretapping and Encryption, Updated and Expanded Edition:
http://www.powells.com/biblio/9780262042406?&PID=24075

========================================================================
[6] News in Brief
========================================================================

EPIC Hosts Book Discussion with Charlie Savage, Whitfield Diffie

EPIC hosted a discussion on Friday, October 5th, with Charlie Savage, Pulitzer Prize winner and author of "Takeover: The Return of the Imperial Presidency and the Subversion of American Democracy," and Whitfield Diffie, EPIC Board Member and co-author of "Privacy on the Line, The Politics of Wiretapping and Encryption." The authors discussed the power of signing statements, the Bush administration's concerted effort to expand presidential power, and the future of privacy.

Book Discussion Event Page:
http://www.epic.org/events/oct05/

EPIC Bookstore:
http://www.epic.org/bookstore/

TSA Broadens Use of 'Backscatter X-Rays' Allowing 'Virtual Strip Searches'

The Transportation Security Administration is expanding the use of "backscatter X-ray" systems to screen passengers before boarding airplanes to more airports, including New York's Kennedy and Los Angeles International. The $100,000 refrigerator-size machines use "backscatter" technology, which bounces low-radiation X-rays off of a passenger to produce photo-quality images of metal, plastic and organic materials underneath clothes. These devices reveal not only prohibited items but also medical details such as prosthetic devices. TSA states that the machines will use software that blurs images of passengers, so screeners will see weapons but only fuzzy images of people's bodies.
However, backscatter X-ray machines are designed to record and store naked pictures of U.S. travelers. TSA states that operators would delete the raw images, but the machines do not prevent them from saving the detailed images. Until there is such a prohibition, funding for the program should be canceled.

EPIC's Page on Backscatter X-ray:
http://www.epic.org/privacy/airtravel/backscatter/

Canada Criticizes U.S. Passenger Screening Program

The governments of Canada and the U.S. are negotiating proposed requirements under the U.S. Secure Flight program, a passenger prescreening program. Canada is objecting to the proposal to require all airlines to send all passenger lists and detailed personal data for travelers on flights that do not land in the U.S. but merely cross U.S. airspace en route to countries such as Mexico. Canada states that this requirement would violate its privacy laws. Secure Flight was revamped and reintroduced in August after being suspended for more than a year because of privacy and security vulnerabilities, but the program remains riddled with such problems. Comments on the proposed Secure Flight requirements are due October 22.

Department of Homeland Security, "Secure Flight Plan; Proposed Rule" (August 23, 2007):
http://edocket.access.gpo.gov/2007/E7-15960.htm

EPIC's page on Secure Flight:
http://www.epic.org/privacy/airtravel/secureflight.html

New Online Resource for Obtaining Personal FBI File

A new website offers free help to individuals applying for access to their FBI files. The website generates the letters needed to apply to the FBI to get a copy of an individual's own FBI file from FBI headquarters or any of the agency's field offices. The site can also generate letters to a number of other federal agencies, including the Central Intelligence Unit, the US Marshals Service, the Defense Intelligence Agency, and the National Security Agency.
Name, address and place of birth fields can be automatically inserted by the program using information provided by the individual, or the individual can handwrite this information into blanks in the letter. The website includes an FAQ page that provides information on application fees payable to the government agencies, and how to obtain the FBI file of deceased individuals.

Get My FBI File:
http://www.GetMyFBIfile.com

EPIC's FOIA page:
http://www.epic.org/open_gov

Report: Security Risks Remain at Transportation Security Administration

The Transportation Security Administration continues to have significant problems with aviation security, according to two new reports from the Government Accountability Office. "TSA has also not yet effectively deployed checkpoint technologies to address key existing vulnerabilities, and has not yet developed and implemented technologies needed to screen air cargo," the GAO said. The GAO also reported TSA is plagued with problems such as "not always implementing effective strategic planning or fully adopting and applying a risk management approach with respect to commercial aviation security." EPIC has detailed security and privacy problems in such programs, including passenger prescreening programs Secure Flight and Registered Traveler.
Government Accountability Office, "Aviation Security: DHS Has Made Progress in Securing the Commercial Aviation System, but Key Challenges Remain GAO-08-139T," October 16, 2007 (pdf):
http://www.gao.gov/new.items/d08139t.pdf

Government Accountability Office, "Transportation Security: Efforts to Strengthen Aviation and Surface Transportation Security are Under Way, but Challenges Remain GAO-08-140T," October 16, 2007 (pdf):
http://www.gao.gov/new.items/d08140t.pdf

EPIC's page on Passenger Profiling:
http://www.epic.org/privacy/airtravel/profiling.html

========================================================================
[7] EPIC Bookstore: "The Future of Reputation"
========================================================================

"The Future of Reputation: Gossip, Rumor, and Privacy on the Internet" by Daniel J. Solove (Yale University Press 2007)

http://www.powells.com/partner/24075/biblio/9780300124989

Professor Solove's new book examines how the Internet-enabled world is being shaped by human nature and social norms. Solove does a very good job at helping the reader to reflect objectively on today's society - no easy task.

The Internet's enabling technology has quickly become part of the fabric of everyday life. In the past, integration of new technologies and applications has taken decades, which allowed the law, and, more importantly, social norms to create the rules that would govern the novel technology's use within a society.

The Internet is unique in that, unlike past forms of mass communication, participation of the audience is not limited to that of consumer. On the Internet, participants can also be content producers. In addition, the Internet has no scarcity: there is always more room for another blog, web page, or advertisement. Solove makes the case that the Internet's structure is a very good thing, but that rules of the game need to be established.
Solove describes the Internet as being a teenager - any parent with a teenager can appreciate the need to maintain space while attempting to keep their children safe as they navigate from childhood into adulthood. As with teenagers, we really do not understand how the Internet creates or sustains the social network of users. Solove identifies what he calls the "mob" nature of the Internet to explain how one item on a blog or web site can gain so much popularity, and indeed grow to be an entity unto itself, capable of inciting unrelenting punishment or revenge that spills over into other facets of life.

What is clear according to Solove is that the harm that can be inflicted by violations of privacy or confidences should be addressed by new laws that increase protection of confidentiality, give people greater control over their personal information, and establish a formal process for dispute resolution. The fundamental goal of the courts should be to restore balance rather than awarding damages.

The full content that is available online has not been mapped so there is dark matter still to be found. (Please excuse the astrophysics term, but it is probably the best approximation of the unknown Internet. It's not hiding, it has not been found and catalogued by search engines.) Solove states that employers, friends, co-workers, potential partners, and dates are "Googling" you, and the opinions reached can harm relationships whether or not the information is divulged. Information on the Internet can follow individuals around the globe and throughout time. The Internet never forgets, and it seems that it has yet to learn to forgive.

Solove will have a book signing at Borders Bookstore, 18th & L, Washington, DC, on Monday, November 5th, at 6:30 PM.

-- Lillie Coney

================================

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.
http://www.epic.org/bookstore/phr2005/phr2005.html

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.

================================

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/features/epic/epic.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes

========================================================================
[8] Upcoming Conferences and Events
========================================================================

Voter ID Laws: Preventing Fraud or Suppressing the Vote? October 23, 2007. Washington DC. For more information:
http://www.acslaw.org

University of Ottawa Faculty of Law: The Revealed "I". October 25-27, 2007. Ottawa, Canada. For more information:
http://www.idtrail.org/content/section/11/95/

Seattle Technology Law Conference. December 13-14, 2007. Seattle, WA. For more information:
http://www.lawseminars.com/seminars/07COMWA.php

ACI’s 7th National Symposium on Privacy & Security of Consumer and Employee Information. January 23-24, 2008. Philadelphia, PA. For more information:
http://www.americanconference.com/privacy

Computer Professionals for Social Responsibility: Technology in Wartime Conference. January 26, 2008. Stanford University. For more information:
http://cpsr.org/news/compiler/2007/Compiler200707#twc

Future of the Internet Economy - OECD Ministerial Meeting. June 14-18, 2008. Seoul, Korea.
For more information:
http://www.oecd.org/document/19/0,2340,en_2649_37441_38051667_1_1_1_37441,00.html

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:
https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
========================================================================
Donate to EPIC
========================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 14.21 -------------------------