EPIC logo

  
========================================================================
                              E P I C  A l e r t
========================================================================
Volume 15.06                                            March 21, 2008
------------------------------------------------------------------------

                               Published by the
                  Electronic Privacy Information Center (EPIC)
                               Washington, D.C.

                http://www.epic.org/alert/EPIC_Alert_15.06.html


========================================================================
Table of Contents
========================================================================
[1] House Passes Wiretap Bill, Rejects Telecom Immunity
[2] EPIC Sues FTC for Merger Review Documents
[3] EC Approves Google-Doubleclick Merger; European Privacy Laws Apply
[4] EPIC Testifies Before the DC Council on Spam Legislation
[5] EPIC Urges the FTC to Shut Down, Investigate Stalker Spyware
[6] News in Brief
[7] EPIC Bookstore: "Privacy in Peril"
[8] Upcoming Conferences and Events
     - Subscription Information
     - Privacy Policy
     - About EPIC
     - Donate to EPIC
       http://www.epic.org/donate

========================================================================
[1] House Passes Wiretap Bill, Rejects Telecom Immunity
========================================================================

This week the House passed another version of a bill amending the
Foreign Intelligence Surveillance Act (FISA).  The bill, H.R. 3773,
rejects administration demands for automatic retroactive Telecom
immunity, establishes a bipartisan commission to investigate the
President's warrantless wiretapping, and provides for greater oversight
of surveillance targeted against persons overseas. The House leadership
had previously rejected attempts to strong-arm it into accepting
wholesale a Senate bill, which provided for telecom immunity and had
weaker oversight of surveillance. This bill marks the second house
version of FISA reform, a previous one -- the RESTORE Act -- having been
passed last fall and rejected by the Senate. FISA establishes a separate
legal regime for "foreign intelligence" surveillance distinct from
ordinary law enforcement surveillance. FISA can also be used to obtain
some business records.

The House version contains some steps towards and accountability and
eases the progress of lawsuits concerning the president's warrantless
surveillance program. It allows telecommunications companies to attempt
to exonerate themselves by providing classified evidence to a court.
Proponents of immunity had argued that the state secrets privilege
prevented the telecommunications companies from adequately defending
themselves. The bill also creates a bipartisan commission to investigate
warrantless wiretapping. The commission would have the power to inspect
federal agency documents, and issue subpoenas. The commission would be
able to enforce the subpoenas in federal courts. The passage of the
House bill followed a secret session of the House, which administration
proponents had demanded.  Only five such sessions have occurred, the
last taking place 25 years ago.

The FISA debates spring from a continued attempt to expand the
president's wiretapping powers. FISA was amended last summer by the
Protect America Act (PAA), which expired in February. The PAA removed
some surveillance from the limited FISA court review, allowed the
government to create more surveillance programs with limited review, and
immunized from lawsuits telecommunications companies that participated
in these programs. Both the Senate and House have passed bills
continuing PAA authorities, but they differ in how much oversight is
granted and in whether there will be retroactive immunity for
telecommunication companies that participated in the president's
warrantless surveillance program.

The President has vowed to veto any legislation that does not include
retroactive immunity for telecommunications companies.

House Bill, H.R. 3773:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d110:h.r.03773:

Secret Sessions of Congress: A Brief Historical Overview

     http://opencrs.com/document/RS20145/2007-05-30%2000:00:00

Comparison of RESTORE Act, Senate bill, and Revised House bill

     http://majorityleader.house.gov/docUploads/side-by-side-10Mar08.pdf

EPIC's Page on FISA:

     http://epic.org/privacy/terrorism/fisa/


========================================================================
[2] EPIC Sues FTC for Merger Review Documents
========================================================================

On March 14, 2008, EPIC filed a Freedom of Information Act lawsuit
challenging the Federal Trade Commission's failure to make public
documents relating to the role of the Jones Day law firm in the
Google-Doubleclick merger review. The lawsuit follows EPIC's original
request and subsequent administrative appeal.   EPIC's request sought
the expedited release of all documents concerning Jones Day's
participation in the Commission's merger review, as well as Jones Day's
involvement in other matters regarding consumer privacy.  The Commission
failed to produce the documents within the statutorily prescribed time.

During the FTC's review of the Google-Doubleclick merger, Jones Day
publicly stated that it represented Doubleclick regarding the merger. 
EPIC learned that FTC Chairman Deborah Platt Majoras' spouse, John M.
Majoras, is a Jones Day partner, and sought Chairman Majoras' recusal
from the merger review.  Jones Day then contradicted its previous public
statements, and deleted a web page detailing the firm's representation
of Doubleclick from the Jones Day web site.

In its recusal petition, EPIC noted that Chairman Majoras had previously
recused herself in other matters involving apparent conflicts of
interest with the Jones Day firm.  Further, John Majoras is Jones Day's
“global coordinator of competition law litigation” - the very practice
area implicated by the Google-Doubleclick merger. However, Chairman
Majoras declined to recuse herself.  Instead, Chairman Majoras continued
to participate in the Google-Doubleclick review and voted to approve the
merger without conditions, despite privacy groups' warnings that the
merger would threaten consumer privacy.  The European Commission later
approved the merger, but reaffirmed that the merged company must comply
with European privacy laws.

Before learning of Chairman Majoras' apparent conflict of interest, EPIC
urged the FTC to conduct a comprehensive review of the merger's consumer
privacy implications.  EPIC warned that the merger posed serious privacy
threats, and recommended that the Commission impose conditions on the
merger.  Numerous privacy groups and government leaders echoed EPIC's
request that the Commission address the merger's privacy implications. 
For example, Senators Herb Kohl and Orrin Hatch, Chairman and Ranking
Member of the Senate Judiciary Committee's Subcommittee on Antitrust,
Competition Policy and Consumer Rights, stated that “[the
Google-Doubleclick] deal raises fundamental consumer privacy concerns
worthy of serious scrutiny.”

EPIC's lawsuit comes on the eve of National Sunshine Week (March 16-22),
a national initiative to promote dialogue about the importance of open
government and freedom of information.  Sunshine Week features a variety
of events across the country, and government officials have taken steps
to observe the initiative.  Senators Patrick Leahy and John Cornyn,
co-sponsors of the OPEN Government Act of 2007, introduced another bill
intended to strengthen open government: the OPEN FOIA Act.  The bill
would require that any future exemptions to FOIA be stated “explicitly
and clearly” by Congress, rather than buried in complex legislation.  In
a dispatch from the campaign trail, Senator Hillary Rodham Clinton
stated that, if elected President, she would nominate “an attorney
general who has a proven commitment to open government.”

EPIC's Freedom of Information Act Lawsuit (PDF):

     http://epic.org/privacy/ftc/google/FTC_Complaint031408.pdf

EPIC's Freedom of Information Act Appeal (PDF):

     http://epic.org/privacy/ftc/google/FTC_ad_appeal021208.pdf

EPIC's Freedom on Information Act Request (PDF):

     http://www.democraticmedia.org/files/EPIC_FTC_FOIA.pdf

EPIC's Complaint Requesting FTC Chairman Majoras' Recusal (PDF):

     http://www.epic.org/privacy/ftc/google/recusal_121207.pdf

Jones Day's Statement Regarding Representation of DoubleClick (archived
document - since deleted from the Jones Day web site) (PDF):

     http://epic.org/privacy/ftc/google/JonesDay_Google_Page.pdf

European Commission on the Google-Doubleclick Merger:
 
     http://epic.org/redirect/eu_google_dc.html 

EPIC's “Privacy? Proposed Google/Doubleclick Deal” web page:
 
     http://epic.org/privacy/ftc/google/

Sunshine Week Information:

     http://www.sunshineweek.org/

Senator Hillary Rodham Clinton on Open Government:

     http://www.sunshineweek.org/sunshineweek/clintonsurvey


========================================================================
[3] EC Approves Google-Doubleclick Merger; European Privacy Laws Apply
========================================================================

On March 11, the European Commission approved the proposed
Google-Doubleclick merger under its competition authority. Though the
Commission did not consider privacy in the merger review, it did
reaffirm the obligation of Google-Doubleclick to comply with European
privacy laws. 

"The Commission's decision to clear the proposed merger is based
exclusively on its appraisal under the EU Merger Regulation. It is
without prejudice to the merged entity's obligations under EU
legislation in relation to the protection of individuals and the
protection of privacy with regard to the processing of personal data and
the Member States' implementing legislation," the Commission said.

Last year, EPIC, CDD, and US PIRG filed a complaint with the US Federal
Trade Commission, urging the FTC to open an investigation into the
proposed acquisition, specifically with regard to the ability of Google
to record, analyze, track, and profile the activities of Internet users
with data that is both personally identifiable and data that is not
personally identifiable.

The groups also urged the FTC to require Google to publicly present a
plan to comply with well-established government and industry privacy
standards, such as the OECD Privacy Guidelines. Pending the resolution
of these and other issues, EPIC encouraged the FTC to halt the
acquisition. The three groups filed a supplement to the complaint with
the Commission in June and a second supplement in September.

On December 21, the FTC approved the proposed merger without conditions
in a 4-1 opinion. EPIC responded, stating that the unique circumstances
of the online advertising industry required the FTC to impose privacy
safeguards as a condition of the Google- Doubleclick merger. EPIC said
that the FTC "had reason to act and authority to act, and failed to do
so." 

In January testimony before the European Parliament, EPIC Executive
Director Marc Rotenberg highlighted the increased risk of individual
user identification associated with database consolidation, storage of
search queries, user IP addresses, and information on user online
activity. Rotenberg also stated that Google was beginning to reveal the
characteristics of an "information monopolist" and that it was important
for governments to act to preserve the rights of citizens and to
safeguard competition and innovation in the information economy. He
urged the European Commission to establish privacy safeguards as a
condition of the Google-Doubleclick merger. 

The Article 29 Data Protection Working Party began investigating Google's
data retention policies in June, but soon expanded the investigation to
include the policies of all search engines. The Working Party said it
will scrutinize the activities of search engines “from a data protection
point of view, because this issue affects an ever growing number of
users.” The investigation is expected to be completed this year.

European Commission Directorate on Competition, Press Release, Mergers:
Commission clears proposed acquisition of DoubleClick by Google, March
11, 2008:

     http://epic.org/redirect/ec_pr_google_dc.html 

Article 29 Working Party, Press release concerning its 61st meeting,
June 21, 2007 (pdf):

     http://www.epic.org/redirect/article290607.html 
     
EPIC's Testimony before the European Parliament (pdf):

     http://epic.org/privacy/ftc/google/EPIC_LIBE_Submission.pdf 
     
Federal Trade Commission, 4-1 Opinion Approving the Google-DoubleClick Proposed
Merger (December 21, 2007) (pdf):

     http://www.ftc.gov/os/caselist/0710170/071220statement.pdf 
     
Commissioner Pamela Jones Harbour, Dissent from FTC Opinion Approving the
Google-DoubleClick Proposed Merger (December 21, 2007) (pdf):

     http://www.ftc.gov/os/caselist/0710170/071220harbour.pdf 
     
EPIC's page on the proposed Google/Doubleclick Deal: 

     http://epic.org/privacy/ftc/google/

========================================================================
[4] EPIC Testifies Before the DC Council on Spam Legislation
========================================================================

On March 11, 2008, EPIC testified before the District of Columbia
Council on Bill 17-34, the District of Columbia Spam Deterrence Act of
2007.  The bill would prohibit the transmission of false or misleading
commercial email, create a civil cause of action and criminal penalties,
and establish a private right of action for consumers. EPIC discussed
the increasing volume of spam, and supported the legislation.  EPIC
noted that the proposed law provides stronger consumer privacy
protections than the federal CAN-SPAM Act.

Despite the implementation of the federal CAN-SPAM law, unsolicited
commercial email continues to plague Internet users.  Recent analyses of
spam volume indicate that spam accounts for approximately 80% of email
traffic, and consumers receive more spam now than when the federal
CAN-SPAM law was passed in 2003.  Spam has also become increasingly
dangerous.  Recent reports estimate that more than 83% of spam sent in
2007 directed users to websites that serve “malware,” malicious
software, including computer viruses.  In contrast, earlier spam was
typically promotional and commercial.

The proposed District of Columbia Spam Deterrence Act of 2007 would
prohibit the transmission of false or misleading commercial email, and
further enjoin the transmission of commercial email that appears to
originate from a third-party, rather than the real sender.  The Act
would also require that all unsolicited commercial email contain an
“opt-out” mechanism that would remove the recipient from the sender's
mailing list at the recipient's request.  The Act would provide for
civil liability, liquidated damages, and increased damages when a
spammer violates the Act willfully and knowingly.  Under the Act,
consumers would be given a private right of action.  Finally, the bill
would impose criminal penalties for the transmittal of large volumes of
spam.

In its testimony, EPIC supported the Act's inclusion of a private right
of action for consumers and email providers.  This improves upon federal
law, which lacks a private right of action for consumers, thus providing
a right without an accessible remedy.  EPIC also recognized the
difficulty in proving damages caused by spam, and supported the Act's
inclusion of liquidated damages provisions as a means of estimating
consumer damages.

In 2003, EPIC, in its leadership role in the Privacy Coalition, proposed
a multi-part policy framework for effective spam legislation.  Also in
2003, EPIC testified before the Senate Committee on Commerce, Science,
and Transportation regarding the CAN-SPAM Act, the then-proposed federal
bill intended to regulate spam.  After CAN-SPAM was enacted, EPIC
submitted detailed comments to the Federal Trade Commission regarding
the Commission's implementation of the law.

EPIC's Testimony Before the DC Council: 

     http://epic.org/privacy/junk_mail/spam/DC_Council_Spam.pdf

The Spam Deterrence Act of 2007:

     http://www.dccouncil.washington.dc.us/lims/getleg1.asp?legno=B17-0034

The CAN-SPAM Act:

     http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.shtm

Ironport on 2008 Internet Security Trends and Spam: 

     http://www.ironport.com/securitytrends/

Privacy Coalition Proposed Policy Framework for Effective Spam Legislation:

     http://www.privacycoalition.org/2003/07/privacy_coalition_members_prop.php

EPIC - SPAM - Unsolicited Commercial E-Mail:

     http://epic.org/privacy/junk_mail/spam/

Federal Trade Commission on SPAM:

     http://www.ftc.gov/spam/


========================================================================
[5] EPIC Urges the FTC to Shut Down, Investigate Stalker Spyware
========================================================================

Earlier this month EPIC filed a complaint with the Federal Trade
Commission against several purveyors of stalker spyware, alleging unfair
and deceptive practices. Stalker spyware is software that is marketed
for use by individuals to spy on other individuals. The complaint
alleges that these companies promote illegal surveillance activities
promote the use of "Trojan Horse" email attacks, and fail to warn their
customers against illegal uses of the software. The technologies are
variously promoted as being capable of spying on email and instant
message exchanges; recording websites visited; capturing passwords and
logins; browsing of local file systems; capturing screenshots; and
capturing all keystrokes typed. These activites violate the Electronic
Communications Privacy Act and the Computer Fraud and Abuse Act.

Of particular importance is the marketing of a "remote deployment"
feature which resembles a well-known form of hacking -- the Trojan horse
attack. The companies advertise that their software can be deployed by
email and will not be detected by the recipient. One claims that "it can
be sent remotely via email secretly. Once the RemoteSpy file (you
create) is executed on a computer, it will continuously record log data
on the computer you are monitoring secretly." This is effectively a
Trojan horse attack -- a program that appears to do something good, but
in effect does something malicious.

The use of spyware for illegal surveillance has led to civil and
criminal punishments. The companies are failing to adequately warn their
customers of the legal danger they face when they use this software as
advertised. Thus the companies are not just endangering victims, but
also endangering their customers.

EPIC asks the FTC to shut down these practices, seek compensation for
victims, and further investigate the harms of these businesses. Further
investigation is required concerning the harms that this software may
cause, including the disabling of firewalls, anti-virus / anti-spyware,
and the opening of unsecured points of entry into computers which may be
exploited by hackers.

EPIC's Complaint, Request for Investigation, Injunction, and Other Relief:

     http://epic.org/privacy/dv/spy_software.pdf

FTC Spyware Website:

     http://www.ftc.gov/spyware

EPIC's Page on Personal Surveillance Technologies:

     http://epic.org/privacy/dv/personal_surveillance.html


========================================================================
[6] News in Brief
========================================================================


Government Audit Reveals Continued FBI Privacy Abuses

For the fourth consecutive year the Inspector General found privacy
breaches by FBI agents using National Security Letters, which permit the
FBI to compel the disclosure of records held by banks, telephone
companies, and others without judicial oversight. A second report found
abuses of Patriot Act Section 215 orders that allow the FBI to demand
business records and other "tangible things" from any company or
individual. "[W]e found that the FBI had issued [NSLs] for information
about [redacted] after the FISA court, citing First Amendment concerns,
had twice declined to sign Section 215 orders in the same
investigation," the Inspector General said. Sen. Patrick Leahy, Chairman
of the Judiciary Committee, plans an oversight hearing. "Legislative
action may be necessary to correct these abuses. I intend to seek
accountability and advertence to the rule of law," he said.

Inspector General's Report on FBI Use of National Security Letters (pdf)

     http://www.usdoj.gov/oig/special/s0803b/final.pdf

Inspector General's Report on FBI's Use of Section 215 Orders for
Business Records (pdf)

     http://www.usdoj.gov/oig/special/s0803a/final.pdf

EPIC Page on National Security Letters 

     http://epic.org/privacy/nsl/


GAO Reports on Government Security and Use of Data Brokers

Two recent GAO reports critique agencies for their information security
and data collection practices.  A report on information security finds
that major agencies have significant information security deficiencies. 
These "limit the effectiveness" of efforts to protect the
confidentiality and integrity of data.  Most agencies are not
sufficiently preventing, limiting, or detecting access to information
systems. A report in agency use of information brokers finds that Fair
Information Practices are not always followed. Fair Information
Practices are widely believed to be key guides to privacy protection.
Agencies fail to specify the purposes that information will be used for,
fail to provide individual participation in the data collection, fail to
be open about it, and fail to provide accountability to data subjects.

Information Security: Progress Reported but Weaknesses at Federal
Agencies Remain

     http://www.gao.gov/new.items/d08571t.pdf

Privacy: Government Use of Data from Information Resellers Could Include
Better Protections

     http://www.gao.gov/new.items/d08543t.pdf


DOJ audit reveals lack of uniform policy for placing names on watchlists

On March 17, 2008, the Department of Justice (DOJ), in collaboration
with other Offices of Inspector General in the intelligence sector,
released an audit regarding the nomination process used by the FBI and
other partner agencies in placing names on terrorism watchlist. The
audit highlighted the inconsistencies in methodology between the FBI and
other agencies in selecting names to place on watchlists and the
problems of data accuracy. According to the audit, “[a]ccurate and
current identifying information is critical for identifying suspected
terrorists during screening practices, lowering the risk to frontline
screening personnel, and reducing misidentifications of innocent
individuals who are not suspected terrorists.  Moreover, watchlist
records on individuals determined to have no nexus to terrorism should
be removed from the database to improve the accuracy of the list and to
reduce the risk that innocent individuals will be stopped or detained as
a result of outdated watchlist records.”

Audit of the U.S. Department of Justice Terrorist Watchlist Nomination
Process (PDF): 

     http://www.usdoj.gov/oig/reports/plus/a0816/final.pdf 

EPIC's page on Passenger Profiling:

     http://epic.org/privacy/airtravel/profiling.html

EPIC's page on Domestic Surveillance:

     http://epic.org/features/surveillance.html 


EPIC Urges Alaska Senate to Protect Consumers From RFID Misuse

In testimony to the Alaska Senate Judiciary Committee on March 17, EPIC
Senior Counsel Melissa Ngo supported Alaska's SB 293, which included
prohibitions against unauthorized scanning and reading of RFID tags and
against allowing RFID technology users' to require continued activation
of RFID tags in order for consumers “to exchange, return, repair, or
service an item that” contain RFID tags. However, EPIC recommended four
changes to the bill: “(1) including regulations on the use of unique
identifiers and the profiles that can be created; (2) including an
enforcement provision with a private right of action; (3) stronger
provisions on deactivation of tags, including the possibility of
permanent deactivation; and (4) clearly and prominently labeling RFID
readers or transponders.” These additions would strengthen protections
for consumers against misuse or abuse of data collected through RFID
tags, EPIC said.

EPIC, Testimony on SB 293, Before the Senate Judiciary Committee (March
17, 2008) (pdf):

     http://www.epic.org/privacy/rfid/ngo_test_031708.pdf

Alaska SB 293: Electronic Communications Devices: 

    http://www.legis.state.ak.us/basis/get_bill.asp?session=25&bill=SB293
      
EPIC's page on RFID System:

     http://epic.org/privacy/rfid/


EPIC Opposes Expanded Camera Surveillance of DC Residents

In a statement to the DC Council, EPIC urged a careful evaluation of the
cost and effectiveness of camera surveillance systems. Council members
are debating a bill that would require all gas station owners in the
District to purchase and install camera systems. However, no studies
have shown a significant drop in violent crime when camera systems are
used. The Metropolitan Police Department has suggested a drop in crime
in some parts of the city, but Councilmember Mary Cheh noted that MPD
did not analyze whether the crimes were merely displaced to other areas
of the city. As for helping to solve crimes, in the MPD's annual report
on cameras, police showed no convictions and a handful of arrests based
on evidence from the 73 cameras throughout the District.

EPIC, Statement to the DC Council Opposing Expanded Camera Surveillance
Under Bill 17-438 (pdf):

      http://www.epic.org/privacy/surveillance/epic_dc17-438_031108.pdf

Washington Metropolitan Police Department, Closed Circuit Television
(CCTV) Annual Report 2007 (pdf):

      http://epic.org/mpdc_cctv_annual_report.html 

EPIC's page on Video Surveillance:

      http://epic.org/privacy/surveillance/


Congressional Research Service Issues New Reports

The Congressional Research Service has published a report on the Privacy
and Civil Liberties Oversight Board. Recent changes have expanded the
authority and independence of the agency. A second CRS report examines
the practice of inspecting laptops at the US border.

"Privacy and Civil Liberties Oversight Board: New Independent
Agency Status"  Harold C. Relyea (March  2008)

     http://assets.opencrs.com/rpts/RL34385_20080220.pdf

"Border Searches of Laptops ,  and Other Electronic Storage
Devices," Yule Kim (March 2008)

     http://assets.opencrs.com/rpts/RL34404_20080305.pdf


Social Networking Site Facebook Expands Privacy Controls

The popular social networking site Facebook has released a significant
update to the privacy options available to its millions of users. Users
of the site can now specify which of their individual "friends" can see
specific parts of their profile. The site also now allows users to
permit "friends of friends" who are not in the same "network" (a
university, an employer, or a town) as a user to view that person's
profile. This is not enabled by default. Prior to the new changes,
Facebook's users were restricted to either permitting anyone in their
network to see parts of their profile, or to only allowing their friends
to see it. Facebook now permits users to select, on a person-by-person
basic, which friends can see individual aspects of a profile.

Facebook's controls also permit a user to restrict the viewing of a
profile to specific "types" of strangers in a user's network – for
example, undergraduates, graduate students, alumni or staff. This status
is unverifiable by Facebook, and can be easily changed by a user (for
example, a professor can change his status to that of an undergraduate
to view restricted profiles). This feature has recently drawn criticism
from members of the press, which one journalist dubbed "privacy control
theater."

EPIC’s page on Social Networking Privacy:

     http://epic.org/privacy/socialnet/default.html


Invitation to participate in survey on 'Privacy harms in Social
Networking Sites'

EPIC is hosting Dutch Masters student David Riphagen of Delft University
of Technology, department of Technology, Policy and Management, from
February until July 2008. Riphagen is conducting research on 'Privacy Harms
for Users of Social Networking Sites by Making Use of Their Identity
Relevant Information'.

An important part of the research consists of identifying and
classifying specific privacy harms in Social Networking Sites by
conducting a survey amongst more than 100 American experts on privacy
and the Internet. Privacy experts are invited to participate in this
survey. Input for this research will contribute to better understanding
of the challenges to privacy in the social networking environment. 
Usage of information that is provided by participants will be in
accordance with Fair Information Practices. The survey answers will be
retained for 30 days and destroyed afterwards. Aggregated data will only
be used for the research.

For other questions about the research, please contact David Riphagen,
d.a.riphagen@mac.com or call 202-483-1140, extension at 207.

Survey link (PDF):

     http://epic.org/redirect/david_riphagen_survey.html


========================================================================
[7] EPIC Bookstore: “Privacy in Peril”
========================================================================

Privacy in Peril: How We Are Sacrificing a Fundamental Right in Exchange
for Security and Convenience by James B. Rule 

     http://www.powells.com/partner/24075/biblio/1-9780195307832-0

James B. Rule, a leading privacy expert, describes the contemporary
factors that threaten privacy in “Privacy in Peril.”  Rule, a long-time
privacy researcher, also compares the state of privacy in the United
States, the United Kingdom, Canada, Australia, and France.  Further,
Rule draws lessons from the comparisons, and concludes that: 1)
technological and institutional pressures will continue to reduce
privacy unless human-created limits are imposed; and 2) privacy
advocates are best served by acknowledging that privacy protections
often come at the cost of other values, but are nevertheless desirable.

The United States, the United Kingdom, Canada, Australia, and France all
engage in government surveillance programs that intrude on individual
privacy.  Furthermore, all have recently expanded their surveillance in
response to actual or perceived threats from terrorism.  However, Rule's
survey of the countries' respective surveillance and privacy regimes
reveals important differences.  For example, the scope of the United
Kingdom's video camera surveillance of people and vehicles dwarfs
programs in the other nations, though the United States is making
strides to narrow the disparity.  In addition, France conducts a
long-standing national ID card program, and the United States is slowly
moving forward with its own national ID plan (REAL ID).  In stark
contrast, national ID cards have been political poison in Australia
since overwhelming public sentiment forced the withdrawal of a national
ID card plan in 1987.

Rule also describes the governments' use of commercial data, as well as
non-governmental use of this information by corporations.  Such data
includes cell phone records, financial data, and travel-related
information, and its collection varies between the United States, the
United Kingdom, Canada, Australia, and France.  For example, Rule
demonstrates how the American model of consumer credit reporting, which
reports data from all accounts held by a consumer, is more intrusive
than necessary.  French law effectively prevents the widespread
collection of an individual's financial information, with the exception
of information regarding delinquent accounts.  Delinquency information
must be reported to a central entity, thus creating credit files that
include only negative information.  If a consumer has only positive
credit information, his file remains empty.  A similar system developed
in Australia, where, as in France, citizens enjoy access to a standard
range of consumer credit accounts, mortgages, and loans.  This
“delinquency reporting” model collects less personal consumer
information than the American system, and therefore provides greater
privacy protection.

Although Rule presents several examples of laws and systems that protect
privacy (e.g. Australia's resistance to national ID cards and the
“delinquency reporting” model for consumer credit reporting), most of
“Privacy in Peril” describes frameworks and circumstances that have
conspired to dramatically reduce privacy over recent decades.  From
technology that allows the government to record and scan the license
plates of every vehicle entering central London, to post-9/11 government
surveillance programs that evaded traditional oversight in the U.S.,
Rule paints a gloomy picture of recent developments in the privacy
field.

Rather than despair, Rule notes that recent developments serve as strong
evidence in support of the proposition that human-created limits are
required to protect privacy.  Advances in technological and analytical
sophistication have reduced or eliminated most artificial boundaries to
the disclosure and collection of personal information.  The most
successful privacy measures result from affirmative human-created laws
and regulations.  For example, laws in the United States, the United
Kingdom, Canada, Australia, and France provide citizens with a general
right to access and correct information that governments hold about
them.  In the United States, the Privacy Act of 1974 serves this
purpose, and continues to provide recourse to citizens despite recent,
and somewhat successful, attempts to curtail its application.  Rule
asserts that, conversely, technological progress and market mechanisms
have resulted in weaker privacy protections.  Therefore, Rule argues,
privacy rights must be protected primarily by law and regulation, and
not technology or market forces.

Rule also argues that most privacy enhancing measures come at a cost to
some other value.  For example, a prohibition on unlimited, unsupervised
surveillance of citizens by law enforcement agencies may hinder a
government's ability to investigate crime.  A requirement that
government revenue agents correct inaccurate information about citizens'
finances may hamper tax collection.  Rule further counsels that privacy
advocates should engage, rather than deny, these costs, and convince
policymakers and the public that privacy protections are worth the
associated costs.  The alternative is to argue that privacy and other
values (e.g. security, efficiency) can always be reconciled, without
costs to either value.  Rule contends that this framework fails when
privacy proponents are unable to fashion clever compromises between
competing values.

Rule, who has worked with privacy issues since he published “Private
Lives and Public Surveillance” in 1973, has written an important and
thoughtful exploration that acknowledges privacy as a critical social
issue.  “Privacy in Peril” is an excellent resource for privacy
advocates, policymakers, and anyone who is interested in exploring the
impact of contemporary privacy developments.

- John Verdi




================================


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.

================================

"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry
A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors
(EPIC 2007). Price: $50. http://www.epic.org/bookstore/foia2006

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 23nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference
manual.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
$40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the
CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.

================================

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/bookshelf/epicorg.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes


========================================================================
[8] Upcoming Conferences and Events
========================================================================

Windows Into the Soul: Surveillance and Society in an Age of High
Technology - 2008 Hixon-Riggs Forum on Science, Technology and Society.
March 27-29, 2008. Claremont, California. For more information:
http://www.hmc.edu/newsandevents/hixon08.html

Privacy, Security and Technology - Affirming Our Rights. Monday, March
31, 2008. Ottawa, Canada. For more information:
http://www.rileyis.com/seminars/

"Can Privacy Education Help Consumers?". April 17, 2008. National Press
Club. For more information:
http://annenbergwashingtonseries.org/speakers.html

CFP 2008: Technology Policy 08. New Haven, Connecticut. May 19-23,
2008. For more information http://www.cfp2008.org

Future of the Internet Economy - OECD Ministerial Meeting. June 17-18,
2008. Seoul, Korea. For more information:
http://www.oecd.org/document/19/0,2340,en_2649_37441_38051667_1_1_1_37441,00.html

Second Annual National Institute on Cyberlaw: Expanding the Horizons.
June 18-20, 2008. Washington DC. For more information:
http://www.abanet.org/cle/programs/n08ceh1.html 

Conference on Ethics, Technology and Identity. The Hague. June 18-20,
2008. For more information http://www.ethicsandtechnology.eu/ETI

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:

https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:

http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

========================================================================
Donate to EPIC
========================================================================

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:
http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 15.06 -------------------------

.