======================================================================== E P I C A l e r t ======================================================================== Volume 15.01 January 11, 2008 ------------------------------------------------------------------------ Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. http://www.epic.org/alert/EPIC_Alert_15.01.html ======================================================================== Table of Contents ======================================================================== [1] Supreme Court Hears Voter ID Case [2] Privacy International, EPIC Publish "State of Privacy" Survey [3] President Bush Signs into Law OPEN Government Act [4] Commission Allows Google-DoubleClick Merger Without Conditions [5] EPIC Testifies on Data Breach Legislation [6] News in Brief [7] EPIC Bookstore: "Nation of Secrets" [8] Upcoming Conferences and Events - Subscription Information - Privacy Policy - About EPIC - Donate to EPIC http://www.epic.org/donate ======================================================================== [1] Supreme Court Hears Voter ID Case ======================================================================== On January 9, the Supreme Court heard arguments over whether to strike down Indiana's voter ID law. In front of a packed courtroom, the attorney for Indiana, Mr. Fisher, defended the strict voting requirements on the grounds that verifying voters' photo ID is necessary to prevent voter fraud. The law, passed in 2005, requires individuals to present government-issued photo identification at polling stations before they can cast their votes. Before the passage of the 2005 law, Indiana identified voters by comparing signatures collected at the polling locations with photocopied signatures on file. Under the 2005 law, individuals without photo IDs may cast a provisional ballot but must, within 10 days, either produce a government-issued photo ID, or file an affidavit that they are indigent and cannot afford a government-issued photo ID. In a "friend of the court" brief in support of the petitioners, EPIC pointed out two serious flaws in the Indiana legislation. The first problem is that the Indiana law does not actually address the issue of voter fraud. Under the current rules, ineligible individuals may still cast absentee ballots without ever having to provide photographic identification but eligible voters may be turned away on election day because they do not have the proper identification. The second problem is that by requiring Indiana residents to obtain photo ID to meet the strict new voting requirements the state is, in effect, forcing individuals to participate in the controversial REAL ID program. The most likely type of identification that Indiana voters will present at the polls is a state driver's license and the Indiana Department of Motor Vehicles has already begun to implement REAL ID. Technical and legal experts have stated that REAL ID is, in fact, a fundamentally flawed national identification system that puts individuals' privacy and security at risk; integrating Indiana's voter ID system with REAL ID-based databases means that voter identification will depend on a faulty system that is prone to serious errors. At the Supreme Court hearing, the Justices grilled all parties extensively on the issues of voter fraud. Chief Justice Roberts and Justice Souter questioned Mr. Fisher extensively on the fairness of imposing a extra burden on voters when Indiana does a "lousy job" maintaining voter records. The court also touched on the REAL ID issue when questioning Mr. Fisher on how a voter could comply with the strict requirements. Whether the concerns about REAL ID's negative impact on individuals' privacy and control over their person data are reflected in the Court's decision remain to be seen. What is certain is that Indiana's current law creates a barrier for marginalized people and discourages many from exercising their fundamental democratic and constitutional right to vote. A decision in the case is expected by the end of June. Transcript of Supreme Court Hearing, Crawford v. Marion County Election Board: http://www.epic.org/redirect/sctrscpt.html EPIC's Amicus Brief (pdf): http://www.epic.org/privacy/voting/crawford/epic_sc_111307.pdf EPIC's page on the Indiana Voting ID Law Case: http://epic.org/privacy/voting/crawford/ EPIC's page on Voting and Privacy: http://epic.org/privacy/voting/ EPIC's page on REAL ID: http://epic.org/privacy/id-cards/ ======================================================================== [2] Privacy International, EPIC Publish "State of Privacy" Survey ======================================================================== The London-based Privacy International and Washington-based Electronic Privacy Information Center (EPIC) have published the 2007 International Privacy Rankings, surveying the state of privacy in 47 countries. The survey of leading surveillance societies in the European Union and the World is based on the annual Privacy and Human Rights 2006 report. The 1,100 page report is the most comprehensive global privacy survey ever published and the rankings are supported by extensive research and reporting, including consultations with experts, regulators, and policy-makers around the world. The United States ranked amongst the worst countries for privacy protection as an "endemic surveillance society" alongside the UK, China and Russia. Greece ranked at the top of the list as having "adequate safeguards against abuse." Canada ranked close to the top as well, with "some safeguards but weakened protection." No country was awarded the highest possible ranking of "consistently upholds human rights standards." The first ranking of countries for privacy protection was published in 2006, enabling a comparison with the 2007 findings. The publication of the privacy rankings has prompted some countries to evaluate the impact of increased surveillance and question the erosion of privacy rights. The Globe and Mail, a leading Canadian national newspaper, highlighted the deterioration of privacy protection in Canada over the past year. The intention behind the ranking system is to recognize countries in which privacy protection is exemplary and to identify countries in which governments and privacy regulators have failed to create a healthy privacy environment. The continuation of the rankings enables an evaluation of trends and allows countries to assess their status and compare trajectories of mass surveillance. The Privacy and Human Rights 2006 report is available for purchase at the EPIC bookstore. Privacy and Human Rights report: http://epic.org/phr06/ 2007 International Privacy Ranking: http://www.epic.org/redirect/pi07.html 2006 International Privacy Ranking: http://www.epic.org/redirect/pi06.html ======================================================================== [3] President Bush Signs into Law OPEN Government Act ======================================================================== On the last day of 2007, the President signed into law the Openness Promotes Effectiveness in our National Government Act of 2007, S. 2488. The Act promotes accessibility, accountability, and openness in government by strengthening the Freedom of Information Act (FOIA). The OPEN Government Act amends FOIA for the first time in a decade by: (1) establishing a clear definition of "a representative of the news media" and "news" for purposes of request processing fees; (2) directing that required attorney fees be paid from an agency's own appropriation rather than from a Judgment Fund; (3) prohibiting an agency from assessing certain fees if it fails to comply with any deadlines set out in the FOIA; and (4) establishing an Office of Government Information Services in the National Archives and Records Administration to review and regulate agency compliance with FOIA. Senator Patrick Leahy led the effort in Congress to enact the new open government law with the support of the Open the Government coalition. Following the signing of the bill by the President, Senator Leahy emphasized that the OPEN Government Act would bring greater transparency and accountability to a government that has recently increased its efforts to conceal important information from the American people. EPIC published the book, Litigation Under the Federal Open Government Laws, which is a comprehensive guide to FOIA and open government. The book has been praised as being an essential and indispensable tool for anyone interested in open access laws. Senator Patrick Leahy on the OPEN Government Act: http://leahy.senate.gov/press/200801/010208a.html Open the Government Coalition Website: http://openthegovernment.org EPIC's FOIA Notes: http://epic.org/foia_notes/ Litigation Under the Federal Open Government Laws (2006): http://epic.org/bookstore/foia2006/ ======================================================================== [4] Commission Allows Google-DoubleClick Merger Without Conditions ======================================================================== The Federal Trade Commission approved the proposed merger between Google and DoubleClick without conditions in a 4-1 opinion released on December 20. According to the FTC, the $3.1 billion proposed merger between the Internet's largest search profiling company and the Internet's largest targeted advertising company is "Unlikely to lessen competition." The decision granting the merger without conditions is surprising following the Second Request, which the Chairman previously said, is done in cases where the FTC believes "there is a strong possibility that some aspect of a transaction would violate the antitrust laws." In a detailed statement issued the same day, EPIC said that the unique circumstances of the online advertising industry required the FTC to impose privacy safeguards as a condition of the Google-DoubleClick merger. On April 20, 2007, EPIC, CDD, and US PIRG filed a complaint with the Federal Trade Commission, requesting that the Commission open an investigation into the proposed acquisition, specifically with regard to the ability of Google to record, analyze, track, and profile the activities of Internet users with data that is both personally identifiable and data that is not personally identifiable. The groups also urged the FTC to require Google to publicly present a plan to comply with well-established government and industry privacy standards, such as the OECD Privacy Guidelines. Pending the resolution of these and other issues, EPIC encouraged the FTC to halt the acquisition. The three groups filed a supplement to the complaint with the Commission in June and a second supplement in September. EPIC said that the Commission "had reason to act and authority to act, and failed to do so." EPIC pointed out that the Commission ignored similar assessments from leaders in Congress and consumer protection agencies. Commissioner Pamela Jones Harbour stated, "If the Commission closes its investigation at this time, without imposing any conditions on the merger, neither the competition nor the privacy interests of consumers will have been adequately addressed." Commissioner Jonathan Leibowitz, in a concurring opinion, warned that "industry participants must stop being coy and start being more forthcoming about their practices, the consumer information they collect, and how they use it" and recommended the adoption of opt-in for online services. EPIC said the FTC's decision "does not end the discussion about competition and privacy protection in the context of merger review. Consumers around the world will be impacted by the business practices of the combined entity, and the consequences will have to be addressed." Attention turns next to a hearing before the European Parliament on January 21. EPIC Executive Director Marc Rotenberg has been invited to testify. Federal Trade Commission, 4-1 Opinion Approving the Google-DoubleClick Proposed Merger (December 21, 2007) (pdf): http://www.ftc.gov/os/caselist/0710170/071220statement.pdf Commissioner Pamela Jones Harbour, Dissent from FTC Opinion Approving the Google-DoubleClick Proposed Merger (December 21, 2007) (pdf): http://www.ftc.gov/os/caselist/0710170/071220harbour.pdf Marc Rotenberg, EPIC, Statement in Response to FTC Opinion Approving the Google-DoubleClick Proposed Merger (December 21, 2007) (pdf): http://epic.org/privacy/ftc/google/EPIC_statement122007.pdf Senators Herb Kohl and Orrin Hatch, Chairman and Ranking Member of the Subcommittee on Antitrust, Competition Policy and Consumer Rights of the Senate Judiciary Committee, Letter urging FTC to give "serious scrutiny" to privacy and antitrust aspects of proposed Google-DoubleClick merger (November 19, 2007) (pdf): http://www.epic.org/privacy/ftc/google/sen_anti_111907.pdf European Commission Directorate on Competition, Press Release, Mergers: Commission opens in-depth investigation into Google's proposed take over of DoubleClick (November 13, 2007): http://www.epic.org/redirect/ec_release2.html EPIC's page on Privacy? Proposed Google/DoubleClick Deal: http://www.epic.org/privacy/ftc/google/ ======================================================================== [5] EPIC Testifies on Data Breach Legislation ======================================================================== On December 18, 2007, EPIC Associate Director Lillie Coney testified before the House Judiciary Committee on the Privacy and Cybercrime Enforcement Act of 2007 (H.R. 417). The bill strengthens penalties for identity theft, requires notices for security breaches, provides additional funding for the investigation and pursues criminal activity involving computers, and requires that agency rulemaking take into consideration impacts on individual privacy via privacy impact assessments. EPIC highlighted the Act's importance given the failings of private actors to manage the personally identifiable information entrusted to their care. While the bill also addresses the challenging issue of defining personally identifiable information, EPIC noted that the definition was too narrow as it did not adequately recognize the ever-evolving definition of "personally identifiable" information. Drawing on such examples as the risks flowing from biometric data, Internet addresses and information consolidation initiatives, EPIC recommended that the bill address the privacy implications of emerging technologies for identification. Commending the Act's creation of an important federal baseline, EPIC noted the Act did not preempt stronger state laws. EPIC applauded Congress' attempt to address the serious problems of security breaches and identity theft. Recognizing the benefits of new technology, EPIC noted that more must be done to address the problems when technology breaks down or creates new risk to personal privacy. The Privacy and Cybercrime Enforcement Act of 2007 contains many important provisions that begin to address this problem. EPIC's Testimony on Privacy and Cybercrime Enforcement Act of 2007 (pdf): http://www.epic.org/privacy/idtheft/coney_test_121807.pdf Privacy and Cybercrime Enforcement Act of 2007: http://thomas.loc.gov/cgi-bin/query/z?c110:H.R.4175: EPIC's page on Identity Theft: http://epic.org/privacy/idtheft/ ======================================================================== [6] News in Brief ======================================================================== EPIC, Privacy Groups Urge Ask.com to Fix Ask Eraser Following the announcement of Ask Eraser, a new search tool that Ask.com claimed will "offer its searchers unmatched control over their privacy," EPIC and several other privacy organizations wrote Ask.com's CEO Jim Lazone and urged the company to modify some of the functions of this new product. After a detailed study of the new search tool, EPIC found that Ask Eraser (1) requires a confusing and misleading opt-out cookie, where once deleted, the privacy setting is lost and Ask.com no longer honors the user's privacy setting; (2) creates a quasi-unique identifier, where Ask.com inserts the exact time (down to the second) that the user enabled Ask Eraser; and (3) will be disabled without notice. All three of these attributes create substantial privacy risks for Internet users and therefore, must be addressed. EPIC's letter to Ask.com (December 20, 2007) (pdf): http://epic.org/privacy/ask/EPIC_%20AskEraser.pdf Ask.com's Ask Eraser's FAQ Page: http://sp.ask.com/en/docs/about/askeraser.shtml New Procedure for Handling WHOIS Conflicts To Be Implemented On January 17, new procedures from the Internet Corporation for Assigned Names and Numbers (ICANN) will be implemented. The procedure describes how ICANN will respond to a situation where a registrar or registry indicates that it is legally prevented by local or national privacy laws or regulations from complying with the provisions of its ICANN contract regarding the collection, display and distribution of personal data in the WHOIS database. EPIC has pointed out in comments and publications how current WHOIS policies conflict with national privacy laws. ICANN's Press Release: http://www.icann.org/announcements/announcement-18dec07.htm Revised Draft ICANN Procedure: http://www.epic.org/redirect/icann08.htm EPIC's Page on WHOIS Privacy: http://epic.org/privacy/whois/ EPIC, ACLU Demand Disclosure of Memos Justifying Illegal Spying Post 9/11, the National Security Agency launched a secret surveillance program to intercept the telephone and Internet communications of people within the United States without prior judicial authorization. EPIC requested the legal opinions and related documents that were prepared to justify and monitor the program immediately following a New York Times report on the program in December 2005. The American Civil Liberties Union and the National Security Archive also submitted FOIA requests. Nearly two years after the initial disclosure of the program, EPIC and other civil liberties groups ask that the court deny the government's request to dismiss the case, and instead review the documents in private, releasing those that the law entitles the public to view. The groups have filed court papers to obtain documents related to the warrantless surveillance program. EPIC v. Department of Justice, No. 06-cv-0096 (HHK) (pdf): http://epic.org/privacy/nsa/foia/EPIC_v_DOJ_12_18_07.pdf EPIC's page on Warrantless Surveillance FOIAs: http://epic.org/privacy/nsa/foia/ Spotlight: 'Enhanced' Licenses Drive Backwards on Security, Privacy EPIC's Spotlight on Surveillance Project turns to Homeland Security's plan to transform several states' driver's licenses into federal identification cards, so-called "enhanced" driver's licenses containing RFID chips. Such cards would contain more data and different technology than current licenses and ID cards. Speaking on Vermont's proposed cards, Bonnie Rutledge, Director of the Vermont Department of Motor Vehicles, stated that wireless radio frequency identification ("RFID") technology chips added to the cards will contain "at the minimum, the issue date, the citizens [sic] date of birth, gender, address, signature, Vermont license number and a full color facial photograph" and "citizenship status will be depicted." Costing more than current licenses, the new cards are capable of transmitting data to remote readers. The Government Accountability Office recommended against RFID chips in ID cards, stating that this could allow for the "tracking and profiling" of individuals. Spotlight: 'Enhanced' Licenses Drive Backwards on Security, Privacy: http://epic.org/privacy/surveillance/spotlight/0907/ FBI Creates Enormous Biometrics Database This month, the FBI expects to award a 10-year contract that will significantly expand the amount and type of biometric information that is stored in its Next Generation Identification database. The FBI is spending $1 billion to build the world's largest computer database of people's physical characteristics, a project that will give the government unprecedented abilities to identify individuals in the United States and abroad. Digital images of faces, fingerprints, and palm patterns are already being added to the database at an unprecedented rate. Marc Rotenberg, Executive Director of the Electronic Privacy Information Center, has pointed out that the accuracy of the information stored in the developing system is problematic. "You're giving the federal government access to an extraordinary amount of information linked to biometric identifiers that is becoming increasingly inaccurate," he said. EPIC's page on Biometrics: http://epic.org/privacy/biometrics/ ======================================================================== [7] EPIC Bookstore: "Nation of Secrets" ======================================================================== "Nation of Secrets: The Threat to Democracy and the American Way of Life" by Ted Gup (Doubleday 2007). http://www.powells.com/partner/24075/biblio/9780385514750 "In The Book of Honor, Ted Gup uncovered some of the CIA's closest-held secrets: the names and stories of the seventy-one undercover operatives who were killed in the line of duty. Now he turns his attention to a broader range of American institutions, exposing how and why they keep secrets from the very people they are supposed to serve. Drawing on original reporting and startling analysis, Gup argues that a preoccupation with secrets has undermined the very values-security, patriotism, privacy, the national interest - in whose name secrecy is so often invoked." "Gup shows how the expanding thicket of classified information leads to the devaluation of the secrets we most need to keep, and that journalists have become pawns in the government's internal conflicts over access to information. He explores the blatant exploitation of privacy and confidentiality in academia, business, and the courts, and concludes that in case after case, these principles have been twisted to allow the emergence of a shadow system of justice, unaccountable to the public." "Drawing on Gup's decades of work as an investigative reporter, Nation of Secrets will shake our faith in some of our most trusted institutions, piercing the veil of secrecy to reveal an alarming new threat to democracy in America. Gup presents a vision radical in its clarity, conservative in its roots, of a country teetering on the brink of losing its identity." "Ted Gup is an investigative reporter who has been a staff writer for the Washington Post and a correspondent at Time magazine. He is the author of The Book of Honor and the recipient of a George Polk Award and a Worth Bingham Prize. A professor of journalism at Case Western Reserve University, he lives in Pepper Pike, Ohio." ================================ EPIC Publications: "Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98. http://www.epic.org/redirect/aspen_ipl_casebook.html This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law. ================================ "Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75. http://www.epic.org/phr06/ This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published. ================================ "FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC 2007). Price: $50. http://www.epic.org/bookstore/foia2006 This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 23nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual. ================================ "The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40. http://www.epic.org/bookstore/pvsourcebook This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process. ================================ "The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40. http://www.epic.org/bookstore/pls2004/ The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act. ================================ "Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20. http://www.epic.org/bookstore/filters2.0 A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression. ================================ EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at: EPIC Bookstore http://www.epic.org/bookstore "EPIC Bookshelf" at Powell's Books http://www.powells.com/bookshelf/epicorg.html ================================ EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act. Subscribe to EPIC FOIA Notes at: https://mailman.epic.org/cgi-bin/control/foia_notes ======================================================================== [8] Upcoming Conferences and Events ======================================================================== ACI’s 7th National Symposium on Privacy & Security of Consumer and Employee Information. January 23-24, 2008. Philadelphia, PA. For more information: http://www.americanconference.com/privacy Computer Professionals for Social Responsibility: Technology in Wartime Conference. January 26, 2008. Stanford University. For more information: http://cpsr.org/news/compiler/2007/Compiler200707#twc Mobility, Data Mining And Privacy: Preserving Anonymity in Geographically Referenced Data. February 14, 2008. Rome, Italy. For more information http://wiki.kdubiq.org/mobileDMprivacyWorkshop ALI-ABA, Privacy Law: Developments, Planning, and Litigation. March 13-14, 2008. Washington, D.C. For more information http://www.ali-aba.org/CN090 CFP 2008: Technology Policy 08. New Haven, Connecticut. May 19-23, 2008. For more information http://www.cfp2008.org Future of the Internet Economy - OECD Ministerial Meeting. June 17-18, 2008. Seoul, Korea. For more information: http://www.oecd.org/document/19/0,2340,en_2649_37441_38051667 _1_1_1_37441,00.html Conference on Ethics, Technology and Identity. The Hague. June 18-20, 2008. For more information http://www.ethicsandtechnology.eu/ETI ====================================================================== Subscription Information ====================================================================== Subscribe/unsubscribe via web interface: https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news Back issues are available at: http://www.epic.org/alert The EPIC Alert displays best in a fixed-width font, such as Courier. ======================================================================== Privacy Policy ======================================================================== The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information." ======================================================================== About EPIC ======================================================================== The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). ======================================================================== Donate to EPIC ======================================================================== If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at: http://www.epic.org/donate Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ------------------------- END EPIC Alert 15.01 ------------------------- .