EPIC logo

                              E P I C  A l e r t
Volume 15.10                                                May 15, 2008

                               Published by the
                  Electronic Privacy Information Center (EPIC)
                               Washington, D.C.


Table of Contents
[1] EPIC, Groups Urge Supreme Court: Uphold Accuracy In Police Databases
[2] EPIC Supports Opt-In for Telephone Services
[3] .ORG to consider secure DNS
[4] EPIC Report: REAL ID Implementation: Few Benefits, Staggering Costs 
[5] EPIC Prevails in Virginia Fusion Center FOIA Case 
[6] News in Brief
[7] EPIC Bookstore: Guiding Life's Dark Secrets 
[8] Upcoming Conferences and Events
    - EPIC launches Privacy'08 campaign
    - Subscription Information
    - Privacy Policy
    - About EPIC
    - Donate to EPIC
    - Support Privacy '08

[1] EPIC, Groups Urge Supreme Court: Uphold Accuracy In Police Databases

Today, EPIC filed a "friend of the court" brief in the United States
Supreme Court, urging the Justices to ensure the accuracy of police
databases. The brief was filed on behalf of 27 legal scholars and
technical experts and 13 privacy and civil liberty groups.

In Herring v. US, the Court will be asked to determine whether an arrest
based on inaccurate information in a criminal justice database should be
upheld. EPIC explained how government databases are becoming
increasingly unreliable; according to the government's own studies. EPIC
also urged the Court to "ensure an accuracy obligation on law
enforcement agents who rely on criminal justice information systems."

Amici said that the technology of government databases has changed
dramatically since 1995, when the Court upheld the use of evidence
obtained from an erroneous arrest record that was the product of a
clerical mistake. In recent years, there has been an increase in
information sharing not just among government agencies but also among
federal, state, local, tribal and commercial entities.

The policies and practices of modern-day policing have been changed by
the federal governments Information Sharing Environment as well as state
and local fusion centers. These developments allow broad data gathering
and sharing. "Today, the police have within their electronic reach
access to an extraordinary range of databases including: the National
Crime Information Center, systems associated with the federal
government's employment eligibility verification system, terrorist watch
lists and various commercial databases," amici said.

These government and commercial databases are filled with errors;
according to the federal government's own reports. "Yet the government
has further compounded the problems with record inaccuracies with two
decisions: first, the increased distribution of the data not just among
government agencies but among federal, state, local, tribal and
commercial entities; and second, the exemption of database systems from
important privacy and accuracy requirements set out in federal laws."

The amici warned that, "to permit a good faith reliance on data that is
inaccurate, incomplete, or out of date will actually exacerbate the
problem and increase the likelihood of unfair treatment in the criminal
justice system."

"Friend-of-the-court," Brief by EPIC, 27 Legal Scholars and Technical
Experts and 13 Privacy and Civil Liberty Groups (pdf) (May 16, 2008):

US Supreme Court Docket page for Herring v. US:

EPIC page on Herring v. US 


EPIC's page on the 2003 online petition urging the reestablishment of
accuracy requirements for the FBI's National Crime Information Center,
the nation's largest criminal justice database:


[2] EPIC Supports Opt-In for Telephone Services

On May 6, 2008, EPIC filed a "friend of the court" brief in federal
appellate court urging support for opt-in safeguards for telephone
customers. The brief was filed on behalf of consumer and privacy
organizations, technical experts, and legal scholars. At issue is an
April 2, 2007 Federal Communications Commission Order that protects
consumers' telephone record information.  "Consumers have a legitimate
expectation of privacy with respect to sensitive personal information
such as whom they call on a telephone," the brief said. "An opt-out
policy would provide neither adequate protection for consumer data nor
sufficient notice to consumers."  The National Cable and
Telecommunications Association challenged the FCC rule, which requires
companies to obtain consumers' opt-in consent before they reveal
personal data regarding telephone calls.  The case is presently pending
before the U.S. Court of Appeals for the District of Columbia Circuit.

The FCC rule prohibits companies from sharing "customer proprietary
network information" with third parties without a consumer's opt-in
consent.  Customer proprietary network information (CPNI) is the data
collected by telecommunications corporations about a consumer's
telephone calls.  It includes the time, date, duration and destination
number of each call, the type of network a consumer subscribes to, and
any other information that appears on the consumer's telephone bill. 
EPIC has detailed the privacy violations that have resulted from
unauthorized disclosure of CPNI.  Such violations include pretexting
(unlawful impersonation to get access to data), stalking, and the sale
of individuals' phones records on the Internet.

The Telecommunications Act of 1996 required telecommunications companies
to obtain customers' approval prior to sharing their CPNI with third
parties. However, there was a difference of opinion on the
interpretation of "approval."  EPIC and other privacy advocates and
consumer rights groups argued that "approval" required that a consumer
gives positive, express consent to the sharing of information. That is,
consumers should "opt-in" to the marketing scheme.  Telecommunications
industry entities supported a presumption of consent - an opt-out
system. The FCC rule clarified that the law requires "opt-in consent." 
The National Cable and Telecommunications Association challenged the FCC
rule, alleging that corporations had a First Amendment right to share
CPNI with third parties for marketing purposes.  Similar arguments were
rejected by federal courts in Trans Union v. FTC, 245 F.3d 809 (D.C.
Cir. 2001) and IRSG v. FTC, 145 F. Supp. 2d 6, No. 00-1828 (D.D.C.

EPIC has a long history of supporting privacy safeguards in this area. 
In August 2005, EPIC filed a petition urging the FCC to require security
measures to protect access to CPNI from pretexters and other
unauthorized parties.  On July 9, 2007, EPIC filed detailed comments
asking the FCC to implement additional safeguards for consumer
telecommunications data.  EPIC's proposals included encryption of CPNI,
the implementation of audit trails, and limitations on data retention.

EPIC's "friend of the court" brief:


EPIC's NCTA v. FCC Web Page:


FCC Order Regarding CPNI opt-in:


EPIC's 2005 FCC Petition to the FCC:


EPIC's July 9, 2007 Comments to the FCC:


[3] .ORG to Pursue DNS Security Standard

ICANN (The Internet Corporation for Assigned Names and Numbers) will
soon vote on adding a significant security layer to the domain name
service system for .org domain names. The DNS security extension
(DNSSEC) will primarily protect users from attempts by hackers to spoof,
masquerade and hijack websites, attacks that users of wireless networks
are particularly vulnerable to.

DNSSEC adds cryptographic information to the domain name system, which
will make such redirection and spoof attacks exceedingly difficult. It
will provide DNS clients with origin authentication of data, data
integrity and authenticated denial of existence. Under the existing
system, network operators (the owner of an Internet cafe, an ISP, or a
group of hackers) can redirect requests for one site (www.mybank.com) to
a totally different website, which may be masquerading as a legitimate
site (www.evilhacker.com), without the end user noticing. This may be
used to collect account information from the user. With DNSSEC,
unauthorized redirecting of DNS requests will become much harder.

If approved, .org would adopt the technology that is already in use by
the top-level country code domains of Sweden, Bulgaria, Brazil and
Puerto Rico. Results in Sweden were favorable, where DNSSEC ran at
servers at the largest LAN party in Sweden, without any complications. A
survey amongst top-level domain owners in Sweden showed that the biggest
barrier for DNSSEC is adoption. Only 14% of the top-level domain owners
said that DNSSEC is very interesting as a commercial service and 54%
indicated that a 50-euro annual charge was rather high. Furthermore, the
biggest Swedish ISP pointed out that DNSSEC adoption could hamper if the
hosting of websites is DNSSEC but the pointers to those websites (the
DNS resolvers) are not supporting DNSSEC. As most Internet users only
use the resolvers provided by their (domestic) ISPs this means that
adoption by these ISPs forms a bottleneck.

A resolved issue with DNSSEC is that is was designed to return a
pre-signed report of names that are not assigned. This information is
less easily available. Hackers could benefit from this information. A
solution has been proposed for this problem, and has been implemented
with succes in a pilot with VeriSign.

Important security is provided by the root zone, which is used to
validate the public keys that lower zones use. This is why Bernard
Turcotte (president of the Canadian Internet Registration Authority)
drew attention to the proposal of the U.S. Department of Homeland
Security that the key to sign the DNS root zone be placed in the hands
of the U.S. government. Heise online reports that "this ultimate master
key would then allow authorities to track DNS Security Extensions all
the way back to the servers that represent the name system's root zone
on the Internet." That level of control could potentially have allowed
DHS (or whoever has the keys) to spoof large portions of the Internet.

ICANN opened a public comment period on the proposal on April 23 2008,
and will accept comments until May 24 2008.

ICANNs announcement of the RFC for Public Interest Registry (PIR)'s
proposed implementation of DNS Security Extensions (DNSSEC):

EPIC page on DNSSEC:


Department of Homeland and Security wants master key for DNS:


Paul Vixie on DNSSEC:


[4] EPIC Report: REAL ID Implementation: Few Benefits, Staggering Costs

At a REAL ID workshop at the Berkman Center on May 13, EPIC released a
new report on the Department of Homeland Security's national
identification proposal, the REAL ID system. The REAL ID Act mandates
that State driver's licenses and ID cards follow federal technical
standards and verification procedures issued by Homeland Security. REAL
ID also enables tracking, surveillance, and profiling of the American

Last year, EPIC submitted detailed comments to the Department of
Homeland Security on the draft proposal for REAL ID. With the assistance
of many experts, EPIC attempted to address the enormous challenge in the
project proposal. In this report, EPIC detailed the many problems with
the final plan to implement this vast national identification system.
Ultimately, "the REAL ID system remains filled with threats to privacy,
security and civil liberties that have not been resolved."

"May 11, 2008 is the statutory deadline for implementation of the REAL
ID system. Yet on this date, not one State is in compliance with the
federal law creating a national identification system. In fact, 19
States have passed resolutions or laws rejecting the national ID
program," EPIC said. "The final rule includes few protections for
individual privacy and security in its massive national identification
database. It harms national security by creating yet another "trusted"
credential for criminals to exploit." In fact, "[t]he Department of
Homeland Security has faced so many obstacles with the REAL ID system
that the agency now plans an implementation deadline of 2017."

Homeland Security claims that it is making strides in implementing the
national ID program and Homeland Security Secretary Michael Chertoff
encourages the use of the REAL ID system for a wide variety of purposes
unrelated to the law that authorized the system. In an opinion column
written by Secretary Chertoff after the publication of the final rule in
January, he said, "embracing REAL ID" would mean it would be used to
"cash a check, hire a baby sitter, board a plane or engage in countless
other activities." However, "[n]one of these uses for the REAL ID have a
legal basis," EPIC explained.

Each one of these uses creates a new risk for Americans who are already
confronting the staggering problem of identity theft. Instead, EPIC
recommended a system of decentralized identification. "If you are
banking, you should have a bank account number. If go to the library,
you should have a library card number. If you rent videos from a store,
you should have a video rental store card number. Utility bills,
telephone bills, insurance, the list goes on. These context-dependent
usernames and passwords enable authentication without the risk of a
universal identification system. That way, if one number is compromised,
all of the numbers are not spoiled and identity thieves cannot access
all of your accounts."

EPIC Report: "REAL ID Implementation Review: Few Benefits, Staggering
Costs" (pdf) (May 2008):


Department of Homeland Security, Final Rule for Implementation of REAL
ID Act (January 11, 2008):


Op-Ed by DHS Secretary Chertoff, "National ID security," published in
Sacramento Bee (January 16, 2008):


EPIC's page on National ID Cards and the REAL ID Act (including
information on State anti-REAL ID legislation):


[5] EPIC Prevails in Virginia Fusion Center FOIA Case 

On May 8, 2008, the Richmond General District Court held that EPIC
"substantially prevailed" on the merits of its freedom of information
lawsuit against the Virginia State Police.  EPIC filed the case after
the State Police refused to disclose documents regarding the federal
government's involvement in efforts to limit Virginia's transparency and
privacy laws.  The court's letter opinion requires the State Police to
pay EPIC's litigation costs, but not its attorneys' fees.  The opinion
affirms that the State Police failed to comply with Virginia's open
government laws in response to EPIC's February 12, 2008 freedom of
information request.

EPIC has broadened its investigation of the federal government's role in
limiting state transparency and privacy laws.  On April 18, 2008, EPIC
filed an open government request with the Texas Department of Public
Safety.  This request seeks documents about the federal government's
role in the Texas Fusion Center's transparency and privacy policies, and
is presently pending.  The Texas Fusion Center is a database that
collects information on ordinary citizens.  The White House's official
position requires all fusion centers to respect state open government
and privacy laws. However, EPIC obtained documents, through the Virginia
FOI lawsuit, that reveal federal involvement in limiting Virginia's open
government and privacy protections.

Through the Virginia litigation, EPIC uncovered a Memorandum of
Understanding - a secret contract - between the State Police and the FBI
concerning the Virginia Fusion Center.  The Memorandum was signed in
early 2008, and limits the rights of Virginia citizens to learn what
information the State Police collect about them. The agreement requires
the State Police to comply with federal regulations that restrict the
disclosure of records to the public.  The federal regulations (28 CFR
Part 16) cited in the Memorandum contain at least thirty-seven
exemptions from open government and privacy laws. The Memorandum also
requires the State Police to refer open government requests to federal
agents if the requests relate to information shared by the FBI with the
fusion center.   EPIC's lawsuit also caused the State Police to disclose
other documents, including the Virginia Fusion Center's draft Privacy

EPIC sued the State Police to compel the disclosure of public records
relating to the role of federal agencies in the Virginia Fusion Center. 
Of particular interest to EPIC is federal involvement in recent
legislative efforts to limit Virginia's open government and privacy
laws. EPIC's requests and lawsuit sought to determine whether the U.S.
Dept. of Justice or the U.S. Dept. of Homeland Security participated in
the development of the legislation, HB 1007.  The legislation, signed on
April 2, 2008, limits Virginia's open government and privacy statutes,
as well as Virginia's common law right of privacy, for the Virginia
Fusion Center.

The Virginia Fusion center is one of several similar entities
established by state governments throughout the United States.  Fusion
centers are intelligence databases that collect information from
federal, state, municipal, and private sources.  Privacy advocates have
criticized the non-transparent operation of fusion centers, and their
lack of meaningful civilian oversight.  Federal guidelines call for
fusion centers to accumulate and retain information about citizens from
sources such as: financial records, credit reports, medical records,
internet and email data, video surveillance from retail stores and
sporting facilities, data from preschools, and welfare records.

Richmond General District Court Opinion:


EPIC v. Virginia Department of State Police - Fusion Center Secrecy


Memorandum of Understanding:


EPIC - Information Fusion Centers and Privacy:


[6] News in Brief

DOJ's 2007 FISA Report Increases in Government Searches

The Department of Justice released the 2007 FISA report, which reports
the annual figures on the applications made by the federal government
for electronic surveillance and physical searches. According to the 2007
FISA report, the Foreign Intelligence Surveillance Court approved 2,370
applications to conduct electronic surveillance and physical searches in
the United States.  The numbers show an increase over the 2006 figure of
2,176. For the first time, the report includes information regarding the
total number of requests made by the Department of Justice with National
Security Letter authority for information concerning U.S. persons. The
report said that in 2006, the government made approximately 12,583 NSL
requests for information concerning 4,790 U.S. persons.

In related news, the 2007 Wiretap report, said that federal and state
courts issued 2,208 orders for the interception of wire, oral or
electronic communications in 2007, compared to 1,839 in 2006.

Statistics on FISA Reports:


EPIC Page on FISA:


Wiretap Report:


EPIC Wiretap Page:


EPIC Urges FTC to Impose Civil Penalties in Data Breach Settlements

On April 28, 2008, EPIC filed comments with the Federal Trade Commission
urging the FTC to include civil penalties in settlements with TJX, Reed
Elsevier, and Seisint. The Commission recently concluded investigations
of the companies' weak security policies.  The companies' weak security
policies resulted in data breaches involving hundreds of thousands of
consumers, and the Commission reached preliminary settlements with TJX,
Reed Elsevier, and Seisint.  The proposed settlements would impose
security and audit responsibilities, but no financial penalties.  EPIC
noted that civil penalties were necessary to provide incentives for
companies to better safeguard personal consumer data in the future. 
EPIC further observed that the FTC imposed $10 million in civil
penalties in the Choicepoint case - a similar case that affected fewer

The FTC's investigations arose from TJX, Reed Elsevier, and Seisint's
2004-2005 data breaches, which exposed the sensitive personal
information of over 500,000 consumers and resulted in millions of
dollars in alleged financial fraud.  As a result of the 2005 TJX data
breach, between 45 million and 100 million credit card numbers were
exposed to fraud.  As a result of the 2004 data breach involving both
Reed Elsevier and Seisint, personal information regarding several
hundred thousand people was exposed in a scheme involving stolen
computer logins and passwords.  The proposed settlements do not include
civil penalties.  In comparison, in 2006, the FTC imposed $10 million in
civil penalties on Choicepoint as a result of a data breach that
affected approximately half as many consumers.

Agency Announces Settlement of Separate Actions Against Retailer TJX,
and Data Brokers Reed Elsevier and Seisint for Failing to Provide
Adequate Security for Consumers' Data:


EPIC's Comments to the FTC:


Canadian Privacy Commissioner: Social Networking Sites Biggest Threat

Jennifer Stoddard, the Canadian Privacy Commissioner, singled out social
networking sites as the biggest threat to the security of personal
information. The information on Social Networking Sites can be collected
and used lawlessly.  Though sites may offer privacy settings, many users
do not update these from the permissive defaults.  Employers and law
enforcement are also accessing social networking sites.

Fear the 'web' of deceit: expert; Social-networking sites expose
personal data, privacy boss says:


Canadian Privacy Commission Social Networking and Privacy:


EPIC Social Networking Privacy Page:


New Trend: Data 'portability' in Social Networking Sites

Google, Facebook and Myspace have all recently announced new initiatives
to facilitate social information sharing on the web.  Websites will be
able to add social networking features to their own offerings, using the
social information that users have provided to their social networking
sites. Myspace users will be able to import their profile information to
sites like Yahoo, Ebay and Photobucket. Facebook users will be able to
log into sites such as Digg.com with their Facebook identities, thus
importing their friend relationships into those interactions.  The
announcements do not discuss how much user information from these third
party sites will be available to third party provider, but at least some
information will have to flow as incidents of providing the service. The
features are similar to a system that Microsoft introduced in 2001,
named Passport. The system aimed to be a single sign-in and user
registration feature that would store personal information and then be
used to log in to several websites on the Internet.  Microsoft aimed to
"create the largest and most leverage able database of profiles on the
planet." EPIC and a coalition of consumer groups filed a complaint with
the FTC alleging that Microsoft was unfair and deceptive in its claims
of protecting consumer privacy and keeping information secure. 
Microsoft eventually settled FTC charges the personal information
collection in its Passport service.

MySpace Introduces 'Data Availability':


Google: A Friend Connected Web:


Announcing Facebook Connect:


EPIC Social Networking Page:


EPIC Microsoft Passport Investigation Docket Page:


EPIC Recommends Privacy Safeguards for Voting System Standards

The Election Assistance Commission closed the first of several comment
periods in the drafting of the 2007 Voluntary Voting System Guidelines.
EPIC submitted comments to the Election Assistance Commission on the
proposed Voluntary Voting System Guidelines. EPIC's comments support the
establishment of Software Independence as a means of assuring that an
error in a voting system's software will not result in an undetectable
change in the information reported to election administrators. The
standards present a number of changes from the earlier version such as
adopting a class and topic organization structure that make it easier to

The document also has expanded its accessibility and usability to the
benefit of voters who will use these features to cast an independent

Although the standards are voluntary, all voting systems certified by
the agency will be under the adopted standard.  The 2007 version will
mark the second federal standard for voting systems developed by the
agency.  The first Voluntary Voting System Guidance drafted by the
agency was released in 2005.

EPIC Voting Page:


EPIC Voting Project:


Election Assistance Committee (EAC):


Comments by EPIC:


D.C. Council Cuts Funding for Video Surveillance System

The D.C. Council has removed $886,000 from the Mayor's proposed homeland
security budget for a system of 5,200 surveillance cameras in the
nation's capital. D.C. Council members and others criticized the "Video
Interoperability for Public Safety" system, which lacks privacy
safeguards. The Council required the Mayor to develop rules for video
surveillance cameras and technology that must be approved by the Council
before future funding is authorized. Last week, EPIC joined the ACLU-NCA
and the Constitution Project in urging de-funding of the surveillance

D.C. Council Report on the Mayor's Proposed Budget:


EPIC's page on Video Surveillance:


Observing Surveillance:


FTC Issues Additional CAN-SPAM Rules

On May 12, 2008, the FTC approved several new rules implementing the
Controlling the Assault of Non-Solicited Pornography and Marketing Act
of 2003 (CAN-SPAM). The Commission stated that consumers couldn't be
charged a fee to opt out of unsolicited bulk commercial email (spam). 
The FTC also clarified several definitions, stating that: CAN-SPAM's
definition of a "person" is not limited to natural persons and a P.O.
box qualifies as a "physical address" under CAN-SPAM. Furthermore, it
clarified that third-party list brokers (companies that sell email lists
to spammers), are not "senders" under CAN-SPAM, and are therefore not
subject to the law's opt-out requirements.  The Commission's rule
regarding list brokers fails to protect consumers, who continue to
suffer from a barrage of spam despite CAN-SPAM.

On May 12, 2005, the FTC issued a notice of proposed rulemaking on these
issues.  On June 27, 2005, EPIC submitted comments supporting the
imposition of opt-out requirements on third-party list brokers.  EPIC
stated that such imposition was consistent with CAN-SPAM's purpose and
legislative mandate.  In addition, such imposition would provide a more
effective remedy for consumers than the present system, which requires
consumers to opt out with individual companies.

FTC Approves New Rule Provision Under The CAN-SPAM Act:


EPIC's Comments to the FTC:


[7] EPIC Bookstore: "Guiding Life's Dark Secrets"

Guarding Life's Dark Secrets: Legal and Social Controls over Reputation,
Propriety, and Privacy by Lawrence M. Friedman (Stanford University
Press, November 2007) ISBN: 978-0-8047-5739-3


Lawrence Friedman, the dean of American Legal history, has written a
wonderful and fact-filled book about the evolving understanding of
privacy, defamation, and reputation in the United States. With a keen
eye for both the obscure news articles from a small town and the broad
themes that have transformed American law, Professor Friedman helps
explain how in the present day the private has become the public.

Reputation in the early days of America served several functions. In a
mobile society, based on commerce and not title, reputation helped
establish status and obtain credit. Reputation could be remade and it
could also be manufactured. There was some space, some “leeway,” between
public reputation and private life. Friedman describes the “Victorian
compromise” that outwardly maintained a strict moral code in matters of
vice and sexual conduct, while permitting a certain amount of private
indiscretion. These social understandings, largely sanctioned by the
courts, came under assault with the temperance movement and other
moralists of the late nineteenth century. Then they were swept in the
opposite direction by the sexual revolution and the rights revolution
during the second half of the twentieth century.

Friedman also describes the extraordinary inversion of the right of
defamation, originally cast to safeguard the interests of elites, that
lost much of its force following the Times v. Sullivan decision and
subsequent cases that left public officials, and then public figures,
fair game for gossip as long as it was not done with malice and reckless
disregard for the truth.  Today “there is widespread agreement,”
Professor Friedman writes, “that citizens of democracies should have
free rein to criticize officials, governments, and public figures. There
is some disagreement, however, on limits and boundaries.”

What happens next in the American experience remains an interesting
question. There are at least two powerful trends pulling in very
different directions. In the online world of digital personas, there is
far more creation of identity than in the era of the confidence man.
Avatars can be tossed aside more quickly than a fine coat and recently
printed business card. But in the physical world, there is ever-greater
dependence on detailed, recorded, private facts. Employers check your
credit scores. Airport security agents examine your watch list status.
An ill-considered blog post remains long after the drunken escapade has

If there is a message in Professor Friedman's broad survey perhaps it is
that laws that attempt to impose caste-like systems of social status
diminish social mobility and lead to unsustainable contradictions.
Perhaps a world of overlapping reputational matrices would provide the
basis to manage the conflicting demands of public scrutiny and private
life even as technology presses the construction of identity at both

- Marc Rotenberg


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.


This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.


This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry
A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors
(EPIC 2007). Price: $50. 


This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 23nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.


This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:


The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.


A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore 


"EPIC Bookshelf" at Powell's Books



EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:


[8] Upcoming Conferences and Events

CFP 2008: Technology Policy 08. New Haven, Connecticut. May 19-23,
2008. For more information

Privacy Compliance Fundamentals: PTAs, PIAs, and SORNs. GSA Regional
Headquarters. May 23, 2008. For more information:

Future of the Internet Economy - OECD Ministerial Meeting. June 17-18,
2008. Seoul, Korea. For more information:

Second Annual National Institute on Cyberlaw: Expanding the Horizons.
June 18-20, 2008. Washington DC. For more information:

Conference on Ethics, Technology and Identity. The Hague. June 18-20,
2008. For more information

Privacy Laws & Business 21st Annual International Conference. Value
Privacy, Secure Your Reputation, Reduce Risk. 7-9th July, 2008, St.
John’s College, Cambridge. For more information:

The Privacy Symposium - Summer 2008: An Executive Education Program on
Privacy and Data Security Policy and Practice, August 18-21, 2008,
Harvard University, Cambridge, MA. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.
Support Privacy '08

If you would like more information on Privacy '08, go online and search
for "Privacy 08". You'll find a Privacy08 Cause at Facebook, Privacy08
at Twitter, a Privacy08 Channel on YouTube to come soon, and much more.
You can also order caps and t-shirts at CafePress Privacy08.

Start a discussion. Hold a meeting. Be creative. Spread the word. You
can donate online at epic.org. Support the campaign.

Facebook Cause:






------------------------- END EPIC Alert 15.10 -------------------------