EPIC logo

                            E P I C  A l e r t
Volume 15.01                                           January 11, 2008

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

Table of Contents
[1] Supreme Court Hears Voter ID Case
[2] Privacy International, EPIC Publish "State of Privacy" Survey
[3] President Bush Signs into Law OPEN Government Act
[4] Commission Allows Google-DoubleClick Merger Without Conditions
[5] EPIC Testifies on Data Breach Legislation
[6] News in Brief
[7] EPIC Bookstore: "Nation of Secrets"
[8] Upcoming Conferences and Events
    - Subscription Information
    - Privacy Policy
    - About EPIC
    - Donate to EPIC

[1] Supreme Court Hears Voter ID Case

On January 9, the Supreme Court heard arguments over whether to strike
down Indiana's voter ID law. In front of a packed courtroom, the
attorney for Indiana, Mr. Fisher, defended the strict voting
requirements on the grounds that verifying voters' photo ID is necessary
to prevent voter fraud. The law, passed in 2005, requires individuals to
present government-issued photo identification at polling stations
before they can cast their votes.

Before the passage of the 2005 law, Indiana identified voters by
comparing signatures collected at the polling locations with photocopied
signatures on file. Under the 2005 law, individuals without photo IDs
may cast a provisional ballot but must, within 10 days, either produce a
government-issued photo ID, or file an affidavit that they are indigent
and cannot afford a government-issued photo ID. In a "friend of the
court" brief in support of the petitioners, EPIC pointed out two serious
flaws in the Indiana legislation.

The first problem is that the Indiana law does not actually address the
issue of voter fraud. Under the current rules, ineligible individuals
may still cast absentee ballots without ever having to provide
photographic identification but eligible voters may be turned away on
election day because they do not have the proper identification. The
second problem is that by requiring Indiana residents to obtain photo ID
to meet the strict new voting requirements the state is, in effect,
forcing individuals to participate in the controversial REAL ID program.
The most likely type of identification that Indiana voters will present
at the polls is a state driver's license and the Indiana Department of
Motor Vehicles has already begun to implement REAL ID. Technical and
legal experts have stated that REAL ID is, in fact, a fundamentally
flawed national identification system that puts individuals' privacy and
security at risk; integrating Indiana's voter ID system with REAL
ID-based databases means that voter identification will depend on a
faulty system that is prone to serious errors.

At the Supreme Court hearing, the Justices grilled all parties
extensively on the issues of voter fraud. Chief Justice Roberts and
Justice Souter questioned Mr. Fisher extensively on the fairness of
imposing a extra burden on voters when Indiana does a "lousy job"
maintaining voter records. The court also touched on the REAL ID issue
when questioning Mr. Fisher on how a voter could comply with the strict
requirements. Whether the concerns about REAL ID's negative impact on
individuals' privacy and control over their person data are reflected in
the Court's decision remain to be seen. What is certain is that
Indiana's current law creates a barrier for marginalized people and
discourages many from exercising their fundamental democratic and
constitutional right to vote.

A decision in the case is expected by the end of June.

Transcript of Supreme Court Hearing, Crawford v. Marion County Election


EPIC's Amicus Brief (pdf):


EPIC's page on the Indiana Voting ID Law Case:


EPIC's page on Voting and Privacy:


EPIC's page on REAL ID:


[2] Privacy International, EPIC Publish "State of Privacy" Survey

The London-based Privacy International and Washington-based Electronic
Privacy Information Center (EPIC) have published the 2007 International
Privacy Rankings, surveying the state of privacy in 47 countries. The
survey of leading surveillance societies in the European Union and the
World is based on the annual Privacy and Human Rights 2006 report. The
1,100 page report is the most comprehensive global privacy survey ever
published and the rankings are supported by extensive research and
reporting, including consultations with experts, regulators, and
policy-makers around the world.

The United States ranked amongst the worst countries for privacy
protection as an "endemic surveillance society" alongside the UK, China
and Russia. Greece ranked at the top of the list as having "adequate
safeguards against abuse." Canada ranked close to the top as well, with
"some safeguards but weakened protection." No country was awarded the
highest possible ranking of "consistently upholds human rights

The first ranking of countries for privacy protection was published in
2006, enabling a comparison with the 2007 findings. The publication of
the privacy rankings has prompted some countries to evaluate the impact
of increased surveillance and question the erosion of privacy rights.
The Globe and Mail, a leading Canadian national newspaper, highlighted
the deterioration of privacy protection in Canada over the past year.

The intention behind the ranking system is to recognize countries in
which privacy protection is exemplary and to identify countries in which
governments and privacy regulators have failed to create a healthy
privacy environment. The continuation of the rankings enables an
evaluation of trends and allows countries to assess their status and
compare trajectories of mass surveillance.

The Privacy and Human Rights 2006 report is available for purchase at
the EPIC bookstore.

Privacy and Human Rights report:


2007 International Privacy Ranking: 


2006 International Privacy Ranking:


[3] President Bush Signs into Law OPEN Government Act

On the last day of 2007, the President signed into law the Openness
Promotes Effectiveness in our National Government Act of 2007, S. 2488.
The Act promotes accessibility, accountability, and openness in
government by strengthening the Freedom of Information Act (FOIA).

The OPEN Government Act amends FOIA for the first time in a decade by:
(1) establishing a clear definition of "a representative of the news
media" and "news" for purposes of request processing fees; (2) directing
that required attorney fees be paid from an agency's own appropriation
rather than from a Judgment Fund; (3) prohibiting an agency from
assessing certain fees if it fails to comply with any deadlines set out
in the FOIA; and (4) establishing an Office of Government Information
Services in the National Archives and Records Administration to review
and regulate agency compliance with FOIA.

Senator Patrick Leahy led the effort in Congress to enact the new open
government law with the support of the Open the Government coalition.
Following the signing of the bill by the President, Senator Leahy
emphasized that the OPEN Government Act would bring greater transparency
and accountability to a government that has recently increased its
efforts to conceal important information from the American people.

EPIC published the book, Litigation Under the Federal Open Government
Laws, which is a comprehensive guide to FOIA and open government. The
book has been praised as being an essential and indispensable tool for
anyone interested in open access laws.

Senator Patrick Leahy on the OPEN Government Act:


Open the Government Coalition Website:


EPIC's FOIA Notes:


Litigation Under the Federal Open Government Laws (2006):


[4] Commission Allows Google-DoubleClick Merger Without Conditions

The Federal Trade Commission approved the proposed merger between Google
and DoubleClick without conditions in a 4-1 opinion released on December
20.  According to the FTC, the $3.1 billion proposed merger between the
Internet's largest search profiling company and the Internet's largest
targeted advertising company is "Unlikely to lessen competition." The
decision granting the merger without conditions is surprising following
the Second Request, which the Chairman previously said, is done in cases
where the FTC believes "there is a strong possibility that some aspect
of a transaction would violate the antitrust laws." In a detailed
statement issued the same day, EPIC said that the unique circumstances
of the online advertising industry required the FTC to impose privacy
safeguards as a condition of the Google-DoubleClick merger.

On April 20, 2007, EPIC, CDD, and US PIRG filed a complaint with the
Federal Trade Commission, requesting that the Commission open an
investigation into the proposed acquisition, specifically with regard to
the ability of Google to record, analyze, track, and profile the
activities of Internet users with data that is both personally
identifiable and data that is not personally identifiable.

The groups also urged the FTC to require Google to publicly present a
plan to comply with well-established government and industry privacy
standards, such as the OECD Privacy Guidelines. Pending the resolution
of these and other issues, EPIC encouraged the FTC to halt the
acquisition. The three groups filed a supplement to the complaint with
the Commission in June and a second supplement in September.

EPIC said that the Commission "had reason to act and authority to act,
and failed to do so." EPIC pointed out that the Commission ignored
similar assessments from leaders in Congress and consumer protection

Commissioner Pamela Jones Harbour stated, "If the Commission closes its
investigation at this time, without imposing any conditions on the
merger, neither the competition nor the privacy interests of consumers
will have been adequately addressed."

Commissioner Jonathan Leibowitz, in a concurring opinion, warned that
"industry participants must stop being coy and start being more
forthcoming about their practices, the consumer information they
collect, and how they use it" and recommended the adoption of opt-in for
online services.

EPIC said the FTC's decision "does not end the discussion about
competition and privacy protection in the context of merger review.
Consumers around the world will be impacted by the business practices of
the combined entity, and the consequences will have to be addressed."
Attention turns next to a hearing before the European Parliament on
January 21. EPIC Executive Director Marc Rotenberg has been invited to

Federal Trade Commission, 4-1 Opinion Approving the Google-DoubleClick
Proposed Merger (December 21, 2007) (pdf):


Commissioner Pamela Jones Harbour, Dissent from FTC Opinion Approving
the Google-DoubleClick Proposed Merger (December 21, 2007) (pdf):


Marc Rotenberg, EPIC, Statement in Response to FTC Opinion Approving the
Google-DoubleClick Proposed Merger (December 21, 2007) (pdf):


Senators Herb Kohl and Orrin Hatch, Chairman and Ranking Member of the
Subcommittee on Antitrust, Competition Policy and Consumer Rights of the
Senate Judiciary Committee, Letter urging FTC to give "serious scrutiny"
to privacy and antitrust aspects of proposed Google-DoubleClick merger
(November 19, 2007) (pdf):


European Commission Directorate on Competition, Press Release, Mergers:
Commission opens in-depth investigation into Google's proposed take over
of DoubleClick (November 13, 2007):


EPIC's page on Privacy? Proposed Google/DoubleClick Deal:


[5] EPIC Testifies on Data Breach Legislation

On December 18, 2007, EPIC Associate Director Lillie Coney testified
before the House Judiciary Committee on the Privacy and Cybercrime
Enforcement Act of 2007 (H.R. 417). The bill strengthens penalties for
identity theft, requires notices for security breaches, provides
additional funding for the investigation and pursues criminal activity
involving computers, and requires that agency rulemaking take into
consideration impacts on individual privacy via privacy impact
assessments. EPIC highlighted the Act's importance given the failings of
private actors to manage the personally identifiable information
entrusted to their care.

While the bill also addresses the challenging issue of defining
personally identifiable information, EPIC noted that the definition was
too narrow as it did not adequately recognize the ever-evolving
definition of "personally identifiable" information. Drawing on such
examples as the risks flowing from biometric data, Internet addresses
and information consolidation initiatives, EPIC recommended that the
bill address the privacy implications of emerging technologies for
identification. Commending the Act's creation of an important federal
baseline, EPIC noted the Act did not preempt stronger state laws.

EPIC applauded Congress' attempt to address the serious problems of
security breaches and identity theft. Recognizing the benefits of new
technology, EPIC noted that more must be done to address the problems
when technology breaks down or creates new risk to personal privacy. The
Privacy and Cybercrime Enforcement Act of 2007 contains many important
provisions that begin to address this problem.

EPIC's Testimony on Privacy and Cybercrime Enforcement Act of 2007


Privacy and Cybercrime Enforcement Act of 2007:


EPIC's page on Identity Theft:


[6] News in Brief

EPIC, Privacy Groups Urge Ask.com to Fix Ask Eraser

Following the announcement of Ask Eraser, a new search tool that Ask.com
claimed will "offer its searchers unmatched control over their privacy,"
EPIC and several other privacy organizations wrote Ask.com's CEO Jim
Lazone and urged the company to modify some of the functions of this new
product. After a detailed study of the new search tool, EPIC found that
Ask Eraser (1) requires a confusing and misleading opt-out cookie, where
once deleted, the privacy setting is lost and Ask.com no longer honors
the user's privacy setting; (2) creates a quasi-unique identifier, where
Ask.com inserts the exact time (down to the second) that the user
enabled Ask Eraser; and (3) will be disabled without notice. All three
of these attributes create substantial privacy risks for Internet users
and therefore, must be addressed.

EPIC's letter to Ask.com (December 20, 2007) (pdf):


Ask.com's Ask Eraser's FAQ Page:


New Procedure for Handling WHOIS Conflicts To Be Implemented

On January 17, new procedures from the Internet Corporation for Assigned
Names and Numbers (ICANN) will be implemented. The procedure describes
how ICANN will respond to a situation where a registrar or registry
indicates that it is legally prevented by local or national privacy laws
or regulations from complying with the provisions of its ICANN contract
regarding the collection, display and distribution of personal data in
the WHOIS database. EPIC has pointed out in comments and publications
how current WHOIS policies conflict with national privacy laws.
ICANN's Press Release:


Revised Draft ICANN Procedure:


EPIC's Page on WHOIS Privacy:


EPIC, ACLU Demand Disclosure of Memos Justifying Illegal Spying

Post 9/11, the National Security Agency launched a secret surveillance
program to intercept the telephone and Internet communications of people
within the United States without prior judicial authorization. EPIC
requested the legal opinions and related documents that were prepared to
justify and monitor the program immediately following a New York Times
report on the program in December 2005. The American Civil Liberties
Union and the National Security Archive also submitted FOIA requests.
Nearly two years after the initial disclosure of the program, EPIC and
other civil liberties groups ask that the court deny the government's
request to dismiss the case, and instead review the documents in
private, releasing those that the law entitles the public to view. The
groups have filed court papers to obtain documents related to the
warrantless surveillance program.

EPIC v. Department of Justice, No. 06-cv-0096 (HHK) (pdf):


EPIC's page on Warrantless Surveillance FOIAs:


Spotlight: 'Enhanced' Licenses Drive Backwards on Security, Privacy

EPIC's Spotlight on Surveillance Project turns to Homeland Security's
plan to transform several states' driver's licenses into federal
identification cards, so-called "enhanced" driver's licenses containing
RFID chips. Such cards would contain more data and different technology
than current licenses and ID cards. Speaking on Vermont's proposed
cards, Bonnie Rutledge, Director of the Vermont Department of Motor
Vehicles, stated that wireless radio frequency identification ("RFID")
technology chips added to the cards will contain "at the minimum, the
issue date, the citizens [sic] date of birth, gender, address,
signature, Vermont license number and a full color facial photograph"
and "citizenship status will be depicted." Costing more than current
licenses, the new cards are capable of transmitting data to remote
readers. The Government Accountability Office recommended against RFID
chips in ID cards, stating that this could allow for the "tracking and
profiling" of individuals.

Spotlight: 'Enhanced' Licenses Drive Backwards on Security, Privacy:


FBI Creates Enormous Biometrics Database

This month, the FBI expects to award a 10-year contract that will
significantly expand the amount and type of biometric information that
is stored in its Next Generation Identification database. The FBI is
spending $1 billion to build the world's largest computer database of
people's physical characteristics, a project that will give the
government unprecedented abilities to identify individuals in the United
States and abroad. Digital images of faces, fingerprints, and palm
patterns are already being added to the database at an unprecedented
rate. Marc Rotenberg, Executive Director of the Electronic Privacy
Information Center, has pointed out that the accuracy of the information
stored in the developing system is problematic. "You're giving the
federal government access to an extraordinary amount of information
linked to biometric identifiers that is becoming increasingly
inaccurate," he said.

EPIC's page on Biometrics:


[7] EPIC Bookstore: "Nation of Secrets"

"Nation of Secrets: The Threat to Democracy and the American
Way of Life" by Ted Gup (Doubleday 2007).


"In The Book of Honor, Ted Gup uncovered some of the CIA's closest-held
secrets: the names and stories of the seventy-one undercover operatives
who were killed in the line of duty. Now he turns his attention to a
broader range of American institutions, exposing how and why they keep
secrets from the very people they are supposed to serve. Drawing on
original reporting and startling analysis, Gup argues that a
preoccupation with secrets has undermined the very values-security,
patriotism, privacy, the national interest - in whose name secrecy is so
often invoked."

"Gup shows how the expanding thicket of classified information leads to
the devaluation of the secrets we most need to keep, and that
journalists have become pawns in the government's internal conflicts
over access to information. He explores the blatant exploitation of
privacy and confidentiality in academia, business, and the courts, and
concludes that in case after case, these principles have been twisted to
allow the emergence of a shadow system of justice, unaccountable to the

"Drawing on Gup's decades of work as an investigative reporter, Nation of
Secrets will shake our faith in some of our most trusted institutions,
piercing the veil of secrecy to reveal an alarming new threat to
democracy in America. Gup presents a vision radical in its clarity,
conservative in its roots, of a country teetering on the brink of losing
its identity."

"Ted Gup is an investigative reporter who has been a staff writer for the
Washington Post and a correspondent at Time magazine. He is the author
of The Book of Honor and the recipient of a George Polk Award and a
Worth Bingham Prize. A professor of journalism at Case Western Reserve
University, he lives in Pepper Pike, Ohio."


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry
A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors
(EPIC 2007). Price: $50. http://www.epic.org/bookstore/foia2006

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 23nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

ACI’s 7th National Symposium on Privacy & Security of Consumer and
Employee Information. January 23-24, 2008. Philadelphia, PA. For more
information: http://www.americanconference.com/privacy

Computer Professionals for Social Responsibility: Technology in Wartime
Conference. January 26, 2008. Stanford University. For more
information: http://cpsr.org/news/compiler/2007/Compiler200707#twc

Mobility, Data Mining And Privacy: Preserving Anonymity in
Geographically Referenced Data. February 14, 2008. Rome, Italy. For more
information http://wiki.kdubiq.org/mobileDMprivacyWorkshop

ALI-ABA, Privacy Law: Developments, Planning, and Litigation. March
13-14, 2008. Washington, D.C. For more
information http://www.ali-aba.org/CN090

CFP 2008: Technology Policy 08. New Haven, Connecticut. May 19-23,
2008. For more information http://www.cfp2008.org

Future of the Internet Economy - OECD Ministerial Meeting. June 17-18,
2008. Seoul, Korea. For more information:

Conference on Ethics, Technology and Identity. The Hague. June 18-20,
2008. For more information http://www.ethicsandtechnology.eu/ETI

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 15.01 -------------------------