========================================================================
                          E P I C   A l e r t
========================================================================
Volume 15.06                                              March 21, 2008
------------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_15.06.html

========================================================================
Table of Contents
========================================================================
[1] House Passes Wiretap Bill, Rejects Telecom Immunity
[2] EPIC Sues FTC for Merger Review Documents
[3] EC Approves Google-Doubleclick Merger; European Privacy Laws Apply
[4] EPIC Testifies Before the DC Council on Spam Legislation
[5] EPIC Urges the FTC to Shut Down, Investigate Stalker Spyware
[6] News in Brief
[7] EPIC Bookstore: "Privacy in Peril"
[8] Upcoming Conferences and Events
    - Subscription Information
    - Privacy Policy
    - About EPIC
    - Donate to EPIC http://www.epic.org/donate

========================================================================
[1] House Passes Wiretap Bill, Rejects Telecom Immunity
========================================================================

This week the House passed another version of a bill amending the Foreign Intelligence Surveillance Act (FISA). The bill, H.R. 3773, rejects administration demands for automatic retroactive Telecom immunity, establishes a bipartisan commission to investigate the President's warrantless wiretapping, and provides for greater oversight of surveillance targeted against persons overseas. The House leadership had previously rejected attempts to strong-arm it into accepting wholesale a Senate bill, which provided for telecom immunity and had weaker oversight of surveillance. This bill marks the second House version of FISA reform, a previous one -- the RESTORE Act -- having been passed last fall and rejected by the Senate.

FISA establishes a separate legal regime for "foreign intelligence" surveillance distinct from ordinary law enforcement surveillance. FISA can also be used to obtain some business records.

The House version contains some steps towards accountability and eases the progress of lawsuits concerning the president's warrantless surveillance program. It allows telecommunications companies to attempt to exonerate themselves by providing classified evidence to a court. Proponents of immunity had argued that the state secrets privilege prevented the telecommunications companies from adequately defending themselves.

The bill also creates a bipartisan commission to investigate warrantless wiretapping. The commission would have the power to inspect federal agency documents, and issue subpoenas. The commission would be able to enforce the subpoenas in federal courts.

The passage of the House bill followed a secret session of the House, which administration proponents had demanded. Only five such sessions have occurred, the last taking place 25 years ago.

The FISA debates spring from a continued attempt to expand the president's wiretapping powers. FISA was amended last summer by the Protect America Act (PAA), which expired in February. The PAA removed some surveillance from the limited FISA court review, allowed the government to create more surveillance programs with limited review, and immunized from lawsuits telecommunications companies that participated in these programs. Both the Senate and House have passed bills continuing PAA authorities, but they differ in how much oversight is granted and in whether there will be retroactive immunity for telecommunication companies that participated in the president's warrantless surveillance program. The President has vowed to veto any legislation that does not include retroactive immunity for telecommunications companies.

House Bill, H.R. 3773:
     http://thomas.loc.gov/cgi-bin/bdquery/z?d110:h.r.03773:

Secret Sessions of Congress: A Brief Historical Overview
     http://opencrs.com/document/RS20145/2007-05-30%2000:00:00

Comparison of RESTORE Act, Senate bill, and Revised House bill
     http://majorityleader.house.gov/docUploads/side-by-side-10Mar08.pdf

EPIC's Page on FISA:
     http://epic.org/privacy/terrorism/fisa/

========================================================================
[2] EPIC Sues FTC for Merger Review Documents
========================================================================

On March 14, 2008, EPIC filed a Freedom of Information Act lawsuit challenging the Federal Trade Commission's failure to make public documents relating to the role of the Jones Day law firm in the Google-Doubleclick merger review. The lawsuit follows EPIC's original request and subsequent administrative appeal. EPIC's request sought the expedited release of all documents concerning Jones Day's participation in the Commission's merger review, as well as Jones Day's involvement in other matters regarding consumer privacy. The Commission failed to produce the documents within the statutorily prescribed time.

During the FTC's review of the Google-Doubleclick merger, Jones Day publicly stated that it represented Doubleclick regarding the merger. EPIC learned that FTC Chairman Deborah Platt Majoras' spouse, John M. Majoras, is a Jones Day partner, and sought Chairman Majoras' recusal from the merger review. Jones Day then contradicted its previous public statements, and deleted a web page detailing the firm's representation of Doubleclick from the Jones Day web site.

In its recusal petition, EPIC noted that Chairman Majoras had previously recused herself in other matters involving apparent conflicts of interest with the Jones Day firm. Further, John Majoras is Jones Day's “global coordinator of competition law litigation” - the very practice area implicated by the Google-Doubleclick merger.
However, Chairman Majoras declined to recuse herself. Instead, Chairman Majoras continued to participate in the Google-Doubleclick review and voted to approve the merger without conditions, despite privacy groups' warnings that the merger would threaten consumer privacy. The European Commission later approved the merger, but reaffirmed that the merged company must comply with European privacy laws.

Before learning of Chairman Majoras' apparent conflict of interest, EPIC urged the FTC to conduct a comprehensive review of the merger's consumer privacy implications. EPIC warned that the merger posed serious privacy threats, and recommended that the Commission impose conditions on the merger. Numerous privacy groups and government leaders echoed EPIC's request that the Commission address the merger's privacy implications. For example, Senators Herb Kohl and Orrin Hatch, Chairman and Ranking Member of the Senate Judiciary Committee's Subcommittee on Antitrust, Competition Policy and Consumer Rights, stated that “[the Google-Doubleclick] deal raises fundamental consumer privacy concerns worthy of serious scrutiny.”

EPIC's lawsuit comes on the eve of National Sunshine Week (March 16-22), a national initiative to promote dialogue about the importance of open government and freedom of information. Sunshine Week features a variety of events across the country, and government officials have taken steps to observe the initiative. Senators Patrick Leahy and John Cornyn, co-sponsors of the OPEN Government Act of 2007, introduced another bill intended to strengthen open government: the OPEN FOIA Act. The bill would require that any future exemptions to FOIA be stated “explicitly and clearly” by Congress, rather than buried in complex legislation.
In a dispatch from the campaign trail, Senator Hillary Rodham Clinton stated that, if elected President, she would nominate “an attorney general who has a proven commitment to open government.”

EPIC's Freedom of Information Act Lawsuit (PDF):
     http://epic.org/privacy/ftc/google/FTC_Complaint031408.pdf

EPIC's Freedom of Information Act Appeal (PDF):
     http://epic.org/privacy/ftc/google/FTC_ad_appeal021208.pdf

EPIC's Freedom of Information Act Request (PDF):
     http://www.democraticmedia.org/files/EPIC_FTC_FOIA.pdf

EPIC's Complaint Requesting FTC Chairman Majoras' Recusal (PDF):
     http://www.epic.org/privacy/ftc/google/recusal_121207.pdf

Jones Day's Statement Regarding Representation of DoubleClick (archived document - since deleted from the Jones Day web site) (PDF):
     http://epic.org/privacy/ftc/google/JonesDay_Google_Page.pdf

European Commission on the Google-Doubleclick Merger:
     http://epic.org/redirect/eu_google_dc.html

EPIC's “Privacy? Proposed Google/Doubleclick Deal” web page:
     http://epic.org/privacy/ftc/google/

Sunshine Week Information:
     http://www.sunshineweek.org/

Senator Hillary Rodham Clinton on Open Government:
     http://www.sunshineweek.org/sunshineweek/clintonsurvey

========================================================================
[3] EC Approves Google-Doubleclick Merger; European Privacy Laws Apply
========================================================================

On March 11, the European Commission approved the proposed Google-Doubleclick merger under its competition authority. Though the Commission did not consider privacy in the merger review, it did reaffirm the obligation of Google-Doubleclick to comply with European privacy laws.

"The Commission's decision to clear the proposed merger is based exclusively on its appraisal under the EU Merger Regulation.
It is without prejudice to the merged entity's obligations under EU legislation in relation to the protection of individuals and the protection of privacy with regard to the processing of personal data and the Member States' implementing legislation," the Commission said.

Last year, EPIC, CDD, and US PIRG filed a complaint with the US Federal Trade Commission, urging the FTC to open an investigation into the proposed acquisition, specifically with regard to the ability of Google to record, analyze, track, and profile the activities of Internet users with data that is both personally identifiable and data that is not personally identifiable. The groups also urged the FTC to require Google to publicly present a plan to comply with well-established government and industry privacy standards, such as the OECD Privacy Guidelines. Pending the resolution of these and other issues, EPIC encouraged the FTC to halt the acquisition. The three groups filed a supplement to the complaint with the Commission in June and a second supplement in September.

On December 21, the FTC approved the proposed merger without conditions in a 4-1 opinion. EPIC responded, stating that the unique circumstances of the online advertising industry required the FTC to impose privacy safeguards as a condition of the Google-Doubleclick merger. EPIC said that the FTC "had reason to act and authority to act, and failed to do so."

In January testimony before the European Parliament, EPIC Executive Director Marc Rotenberg highlighted the increased risk of individual user identification associated with database consolidation, storage of search queries, user IP addresses, and information on user online activity. Rotenberg also stated that Google was beginning to reveal the characteristics of an "information monopolist" and that it was important for governments to act to preserve the rights of citizens and to safeguard competition and innovation in the information economy.
He urged the European Commission to establish privacy safeguards as a condition of the Google-Doubleclick merger.

The Article 29 Data Protection Working Party began investigating Google's data retention policies in June, but soon expanded the investigation to include the policies of all search engines. The Working Party said it will scrutinize the activities of search engines “from a data protection point of view, because this issue affects an ever growing number of users.” The investigation is expected to be completed this year.

European Commission Directorate on Competition, Press Release, Mergers: Commission clears proposed acquisition of DoubleClick by Google, March 11, 2008:
     http://epic.org/redirect/ec_pr_google_dc.html

Article 29 Working Party, Press release concerning its 61st meeting, June 21, 2007 (pdf):
     http://www.epic.org/redirect/article290607.html

EPIC's Testimony before the European Parliament (pdf):
     http://epic.org/privacy/ftc/google/EPIC_LIBE_Submission.pdf

Federal Trade Commission, 4-1 Opinion Approving the Google-DoubleClick Proposed Merger (December 21, 2007) (pdf):
     http://www.ftc.gov/os/caselist/0710170/071220statement.pdf

Commissioner Pamela Jones Harbour, Dissent from FTC Opinion Approving the Google-DoubleClick Proposed Merger (December 21, 2007) (pdf):
     http://www.ftc.gov/os/caselist/0710170/071220harbour.pdf

EPIC's page on the proposed Google/Doubleclick Deal:
     http://epic.org/privacy/ftc/google/

========================================================================
[4] EPIC Testifies Before the DC Council on Spam Legislation
========================================================================

On March 11, 2008, EPIC testified before the District of Columbia Council on Bill 17-34, the District of Columbia Spam Deterrence Act of 2007. The bill would prohibit the transmission of false or misleading commercial email, create a civil cause of action and criminal penalties, and establish a private right of action for consumers.
EPIC discussed the increasing volume of spam, and supported the legislation. EPIC noted that the proposed law provides stronger consumer privacy protections than the federal CAN-SPAM Act.

Despite the implementation of the federal CAN-SPAM law, unsolicited commercial email continues to plague Internet users. Recent analyses of spam volume indicate that spam accounts for approximately 80% of email traffic, and consumers receive more spam now than when the federal CAN-SPAM law was passed in 2003. Spam has also become increasingly dangerous. Recent reports estimate that more than 83% of spam sent in 2007 directed users to websites that serve “malware,” malicious software, including computer viruses. In contrast, earlier spam was typically promotional and commercial.

The proposed District of Columbia Spam Deterrence Act of 2007 would prohibit the transmission of false or misleading commercial email, and further enjoin the transmission of commercial email that appears to originate from a third-party, rather than the real sender. The Act would also require that all unsolicited commercial email contain an “opt-out” mechanism that would remove the recipient from the sender's mailing list at the recipient's request. The Act would provide for civil liability, liquidated damages, and increased damages when a spammer violates the Act willfully and knowingly. Under the Act, consumers would be given a private right of action. Finally, the bill would impose criminal penalties for the transmittal of large volumes of spam.

In its testimony, EPIC supported the Act's inclusion of a private right of action for consumers and email providers. This improves upon federal law, which lacks a private right of action for consumers, thus providing a right without an accessible remedy. EPIC also recognized the difficulty in proving damages caused by spam, and supported the Act's inclusion of liquidated damages provisions as a means of estimating consumer damages.

In 2003, EPIC, in its leadership role in the Privacy Coalition, proposed a multi-part policy framework for effective spam legislation. Also in 2003, EPIC testified before the Senate Committee on Commerce, Science, and Transportation regarding the CAN-SPAM Act, the then-proposed federal bill intended to regulate spam. After CAN-SPAM was enacted, EPIC submitted detailed comments to the Federal Trade Commission regarding the Commission's implementation of the law.

EPIC's Testimony Before the DC Council:
     http://epic.org/privacy/junk_mail/spam/DC_Council_Spam.pdf

The Spam Deterrence Act of 2007:
     http://www.dccouncil.washington.dc.us/lims/getleg1.asp?legno=B17-0034

The CAN-SPAM Act:
     http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.shtm

Ironport on 2008 Internet Security Trends and Spam:
     http://www.ironport.com/securitytrends/

Privacy Coalition Proposed Policy Framework for Effective Spam Legislation:
     http://www.privacycoalition.org/2003/07/privacy_coalition_members_prop.php

EPIC - SPAM - Unsolicited Commercial E-Mail:
     http://epic.org/privacy/junk_mail/spam/

Federal Trade Commission on SPAM:
     http://www.ftc.gov/spam/

========================================================================
[5] EPIC Urges the FTC to Shut Down, Investigate Stalker Spyware
========================================================================

Earlier this month EPIC filed a complaint with the Federal Trade Commission against several purveyors of stalker spyware, alleging unfair and deceptive practices. Stalker spyware is software that is marketed for use by individuals to spy on other individuals. The complaint alleges that these companies promote illegal surveillance activities, promote the use of "Trojan Horse" email attacks, and fail to warn their customers against illegal uses of the software.

The technologies are variously promoted as being capable of spying on email and instant message exchanges; recording websites visited; capturing passwords and logins; browsing of local file systems; capturing screenshots; and capturing all keystrokes typed. These activities violate the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act.

Of particular importance is the marketing of a "remote deployment" feature which resembles a well-known form of hacking -- the Trojan horse attack. The companies advertise that their software can be deployed by email and will not be detected by the recipient. One claims that "it can be sent remotely via email secretly. Once the RemoteSpy file (you create) is executed on a computer, it will continuously record log data on the computer you are monitoring secretly." This is effectively a Trojan horse attack -- a program that appears to do something good, but in effect does something malicious.

The use of spyware for illegal surveillance has led to civil and criminal punishments. The companies are failing to adequately warn their customers of the legal danger they face when they use this software as advertised. Thus the companies are not just endangering victims, but also endangering their customers.

EPIC asks the FTC to shut down these practices, seek compensation for victims, and further investigate the harms of these businesses. Further investigation is required concerning the harms that this software may cause, including the disabling of firewalls, anti-virus / anti-spyware, and the opening of unsecured points of entry into computers which may be exploited by hackers.

EPIC's Complaint, Request for Investigation, Injunction, and Other Relief:
     http://epic.org/privacy/dv/spy_software.pdf

FTC Spyware Website:
     http://www.ftc.gov/spyware

EPIC's Page on Personal Surveillance Technologies:
     http://epic.org/privacy/dv/personal_surveillance.html

========================================================================
[6] News in Brief
========================================================================

Government Audit Reveals Continued FBI Privacy Abuses

For the fourth consecutive year the Inspector General found privacy breaches by FBI agents using National Security Letters, which permit the FBI to compel the disclosure of records held by banks, telephone companies, and others without judicial oversight. A second report found abuses of Patriot Act Section 215 orders that allow the FBI to demand business records and other "tangible things" from any company or individual. "[W]e found that the FBI had issued [NSLs] for information about [redacted] after the FISA court, citing First Amendment concerns, had twice declined to sign Section 215 orders in the same investigation," the Inspector General said. Sen. Patrick Leahy, Chairman of the Judiciary Committee, plans an oversight hearing. "Legislative action may be necessary to correct these abuses. I intend to seek accountability and advertence to the rule of law," he said.

Inspector General's Report on FBI Use of National Security Letters (pdf)
     http://www.usdoj.gov/oig/special/s0803b/final.pdf

Inspector General's Report on FBI's Use of Section 215 Orders for Business Records (pdf)
     http://www.usdoj.gov/oig/special/s0803a/final.pdf

EPIC Page on National Security Letters
     http://epic.org/privacy/nsl/

GAO Reports on Government Security and Use of Data Brokers

Two recent GAO reports critique agencies for their information security and data collection practices. A report on information security finds that major agencies have significant information security deficiencies.
These "limit the effectiveness" of efforts to protect the confidentiality and integrity of data. Most agencies are not sufficiently preventing, limiting, or detecting access to information systems. A report on agency use of information brokers finds that Fair Information Practices are not always followed. Fair Information Practices are widely believed to be key guides to privacy protection. Agencies fail to specify the purposes that information will be used for, fail to provide individual participation in the data collection, fail to be open about it, and fail to provide accountability to data subjects.

Information Security: Progress Reported but Weaknesses at Federal Agencies Remain
     http://www.gao.gov/new.items/d08571t.pdf

Privacy: Government Use of Data from Information Resellers Could Include Better Protections
     http://www.gao.gov/new.items/d08543t.pdf

DOJ audit reveals lack of uniform policy for placing names on watchlists

On March 17, 2008, the Department of Justice (DOJ), in collaboration with other Offices of Inspector General in the intelligence sector, released an audit regarding the nomination process used by the FBI and other partner agencies in placing names on terrorism watchlists. The audit highlighted the inconsistencies in methodology between the FBI and other agencies in selecting names to place on watchlists and the problems of data accuracy. According to the audit, “[a]ccurate and current identifying information is critical for identifying suspected terrorists during screening practices, lowering the risk to frontline screening personnel, and reducing misidentifications of innocent individuals who are not suspected terrorists. Moreover, watchlist records on individuals determined to have no nexus to terrorism should be removed from the database to improve the accuracy of the list and to reduce the risk that innocent individuals will be stopped or detained as a result of outdated watchlist records.”

Audit of the U.S. Department of Justice Terrorist Watchlist Nomination Process (PDF):
     http://www.usdoj.gov/oig/reports/plus/a0816/final.pdf

EPIC's page on Passenger Profiling:
     http://epic.org/privacy/airtravel/profiling.html

EPIC's page on Domestic Surveillance:
     http://epic.org/features/surveillance.html

EPIC Urges Alaska Senate to Protect Consumers From RFID Misuse

In testimony to the Alaska Senate Judiciary Committee on March 17, EPIC Senior Counsel Melissa Ngo supported Alaska's SB 293, which included prohibitions against unauthorized scanning and reading of RFID tags and against allowing RFID technology users to require continued activation of RFID tags in order for consumers “to exchange, return, repair, or service an item that” contains RFID tags. However, EPIC recommended four changes to the bill: “(1) including regulations on the use of unique identifiers and the profiles that can be created; (2) including an enforcement provision with a private right of action; (3) stronger provisions on deactivation of tags, including the possibility of permanent deactivation; and (4) clearly and prominently labeling RFID readers or transponders.” These additions would strengthen protections for consumers against misuse or abuse of data collected through RFID tags, EPIC said.

EPIC, Testimony on SB 293, Before the Senate Judiciary Committee (March 17, 2008) (pdf):
     http://www.epic.org/privacy/rfid/ngo_test_031708.pdf

Alaska SB 293: Electronic Communications Devices:
     http://www.legis.state.ak.us/basis/get_bill.asp?session=25&bill=SB293

EPIC's page on RFID System:
     http://epic.org/privacy/rfid/

EPIC Opposes Expanded Camera Surveillance of DC Residents

In a statement to the DC Council, EPIC urged a careful evaluation of the cost and effectiveness of camera surveillance systems. Council members are debating a bill that would require all gas station owners in the District to purchase and install camera systems.
However, no studies have shown a significant drop in violent crime when camera systems are used. The Metropolitan Police Department has suggested a drop in crime in some parts of the city, but Councilmember Mary Cheh noted that MPD did not analyze whether the crimes were merely displaced to other areas of the city. As for helping to solve crimes, in the MPD's annual report on cameras, police showed no convictions and a handful of arrests based on evidence from the 73 cameras throughout the District.

EPIC, Statement to the DC Council Opposing Expanded Camera Surveillance Under Bill 17-438 (pdf):
     http://www.epic.org/privacy/surveillance/epic_dc17-438_031108.pdf

Washington Metropolitan Police Department, Closed Circuit Television (CCTV) Annual Report 2007 (pdf):
     http://epic.org/mpdc_cctv_annual_report.html

EPIC's page on Video Surveillance:
     http://epic.org/privacy/surveillance/

Congressional Research Service Issues New Reports

The Congressional Research Service has published a report on the Privacy and Civil Liberties Oversight Board. Recent changes have expanded the authority and independence of the agency. A second CRS report examines the practice of inspecting laptops at the US border.

"Privacy and Civil Liberties Oversight Board: New Independent Agency Status" Harold C. Relyea (March 2008)
     http://assets.opencrs.com/rpts/RL34385_20080220.pdf

"Border Searches of Laptops, and Other Electronic Storage Devices," Yule Kim (March 2008)
     http://assets.opencrs.com/rpts/RL34404_20080305.pdf

Social Networking Site Facebook Expands Privacy Controls

The popular social networking site Facebook has released a significant update to the privacy options available to its millions of users. Users of the site can now specify which of their individual "friends" can see specific parts of their profile. The site also now allows users to permit "friends of friends" who are not in the same "network" (a university, an employer, or a town) as a user to view that person's profile.
This is not enabled by default.

Prior to the new changes, Facebook's users were restricted to either permitting anyone in their network to see parts of their profile, or to only allowing their friends to see it. Facebook now permits users to select, on a person-by-person basis, which friends can see individual aspects of a profile.

Facebook's controls also permit a user to restrict the viewing of a profile to specific "types" of strangers in a user's network – for example, undergraduates, graduate students, alumni or staff. This status is unverifiable by Facebook, and can be easily changed by a user (for example, a professor can change his status to that of an undergraduate to view restricted profiles). This feature has recently drawn criticism from members of the press; one journalist dubbed it "privacy control theater."

EPIC’s page on Social Networking Privacy:
     http://epic.org/privacy/socialnet/default.html

Invitation to participate in survey on 'Privacy harms in Social Networking Sites'

EPIC is hosting Dutch Masters student David Riphagen of Delft University of Technology, department of Technology, Policy and Management, from February until July 2008. Riphagen is conducting research on 'Privacy Harms for Users of Social Networking Sites by Making Use of Their Identity Relevant Information'. An important part of the research consists of identifying and classifying specific privacy harms in Social Networking Sites by conducting a survey amongst more than 100 American experts on privacy and the Internet. Privacy experts are invited to participate in this survey. Input for this research will contribute to better understanding of the challenges to privacy in the social networking environment. Usage of information that is provided by participants will be in accordance with Fair Information Practices. The survey answers will be retained for 30 days and destroyed afterwards. Aggregated data will only be used for the research.
For other questions about the research, please contact David Riphagen, d.a.riphagen@mac.com or call 202-483-1140, extension 207.

Survey link (PDF):
     http://epic.org/redirect/david_riphagen_survey.html

========================================================================
[7] EPIC Bookstore: “Privacy in Peril”
========================================================================

Privacy in Peril: How We Are Sacrificing a Fundamental Right in Exchange for Security and Convenience by James B. Rule

http://www.powells.com/partner/24075/biblio/1-9780195307832-0

James B. Rule, a leading privacy expert, describes the contemporary factors that threaten privacy in “Privacy in Peril.” Rule, a long-time privacy researcher, also compares the state of privacy in the United States, the United Kingdom, Canada, Australia, and France. Further, Rule draws lessons from the comparisons, and concludes that: 1) technological and institutional pressures will continue to reduce privacy unless human-created limits are imposed; and 2) privacy advocates are best served by acknowledging that privacy protections often come at the cost of other values, but are nevertheless desirable.

The United States, the United Kingdom, Canada, Australia, and France all engage in government surveillance programs that intrude on individual privacy. Furthermore, all have recently expanded their surveillance in response to actual or perceived threats from terrorism. However, Rule's survey of the countries' respective surveillance and privacy regimes reveals important differences. For example, the scope of the United Kingdom's video camera surveillance of people and vehicles dwarfs programs in the other nations, though the United States is making strides to narrow the disparity. In addition, France conducts a long-standing national ID card program, and the United States is slowly moving forward with its own national ID plan (REAL ID).
In stark contrast, national ID cards have been political poison in Australia since overwhelming public sentiment forced the withdrawal of a national ID card plan in 1987.

Rule also describes the governments' use of commercial data, as well as non-governmental use of this information by corporations. Such data includes cell phone records, financial data, and travel-related information, and its collection varies between the United States, the United Kingdom, Canada, Australia, and France. For example, Rule demonstrates how the American model of consumer credit reporting, which reports data from all accounts held by a consumer, is more intrusive than necessary. French law effectively prevents the widespread collection of an individual's financial information, with the exception of information regarding delinquent accounts. Delinquency information must be reported to a central entity, thus creating credit files that include only negative information. If a consumer has only positive credit information, his file remains empty. A similar system developed in Australia, where, as in France, citizens enjoy access to a standard range of consumer credit accounts, mortgages, and loans. This “delinquency reporting” model collects less personal consumer information than the American system, and therefore provides greater privacy protection.

Although Rule presents several examples of laws and systems that protect privacy (e.g. Australia's resistance to national ID cards and the “delinquency reporting” model for consumer credit reporting), most of “Privacy in Peril” describes frameworks and circumstances that have conspired to dramatically reduce privacy over recent decades. From technology that allows the government to record and scan the license plates of every vehicle entering central London, to post-9/11 government surveillance programs that evaded traditional oversight in the U.S., Rule paints a gloomy picture of recent developments in the privacy field.
Rather than despair, Rule notes that recent developments serve as strong evidence in support of the proposition that human-created limits are required to protect privacy. Advances in technological and analytical sophistication have reduced or eliminated most artificial boundaries to the disclosure and collection of personal information. The most successful privacy measures result from affirmative human-created laws and regulations. For example, laws in the United States, the United Kingdom, Canada, Australia, and France provide citizens with a general right to access and correct information that governments hold about them. In the United States, the Privacy Act of 1974 serves this purpose, and continues to provide recourse to citizens despite recent, and somewhat successful, attempts to curtail its application. Rule asserts that, conversely, technological progress and market mechanisms have resulted in weaker privacy protections. Therefore, Rule argues, privacy rights must be protected primarily by law and regulation, and not technology or market forces. Rule also argues that most privacy enhancing measures come at a cost to some other value. For example, a prohibition on unlimited, unsupervised surveillance of citizens by law enforcement agencies may hinder a government's ability to investigate crime. A requirement that government revenue agents correct inaccurate information about citizens' finances may hamper tax collection. Rule further counsels that privacy advocates should engage, rather than deny, these costs, and convince policymakers and the public that privacy protections are worth the associated costs. The alternative is to argue that privacy and other values (e.g. security, efficiency) can always be reconciled, without costs to either value. Rule contends that this framework fails when privacy proponents are unable to fashion clever compromises between competing values. 
Rule, who has worked with privacy issues since he published “Private Lives and Public Surveillance” in 1973, has written an important and thoughtful exploration that acknowledges privacy as a critical social issue. “Privacy in Peril” is an excellent resource for privacy advocates, policymakers, and anyone who is interested in exploring the impact of contemporary privacy developments.

- John Verdi

================================

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC 2007).
Price: $50.
http://www.epic.org/bookstore/foia2006

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 23rd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/bookshelf/epicorg.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes

========================================================================
[8] Upcoming Conferences and Events
========================================================================

Windows Into the Soul: Surveillance and Society in an Age of High Technology - 2008 Hixon-Riggs Forum on Science, Technology and Society. March 27-29, 2008. Claremont, California. For more information: http://www.hmc.edu/newsandevents/hixon08.html

Privacy, Security and Technology - Affirming Our Rights. Monday, March 31, 2008. Ottawa, Canada. For more information: http://www.rileyis.com/seminars/

"Can Privacy Education Help Consumers?". April 17, 2008. National Press Club. For more information: http://annenbergwashingtonseries.org/speakers.html

CFP 2008: Technology Policy 08. New Haven, Connecticut. May 19-23, 2008. For more information: http://www.cfp2008.org

Future of the Internet Economy - OECD Ministerial Meeting. June 17-18, 2008. Seoul, Korea.
For more information: http://www.oecd.org/document/19/0,2340,en_2649_37441_38051667_1_1_1_37441,00.html

Second Annual National Institute on Cyberlaw: Expanding the Horizons. June 18-20, 2008. Washington DC. For more information: http://www.abanet.org/cle/programs/n08ceh1.html

Conference on Ethics, Technology and Identity. The Hague. June 18-20, 2008. For more information: http://www.ethicsandtechnology.eu/ETI

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:
https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

========================================================================
Donate to EPIC
========================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 15.06 -------------------------