========================================================================
                           E P I C  A l e r t
========================================================================
Volume 15.10                                                May 15, 2008
------------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_15.10.html

========================================================================
Table of Contents
========================================================================
[1] EPIC, Groups Urge Supreme Court: Uphold Accuracy In Police Databases
[2] EPIC Supports Opt-In for Telephone Services
[3] .ORG to consider secure DNS
[4] EPIC Report: REAL ID Implementation: Few Benefits, Staggering Costs
[5] EPIC Prevails in Virginia Fusion Center FOIA Case
[6] News in Brief
[7] EPIC Bookstore: Guarding Life's Dark Secrets
[8] Upcoming Conferences and Events
    - EPIC launches Privacy'08 campaign
    - Subscription Information
    - Privacy Policy
    - About EPIC
    - Donate to EPIC http://www.epic.org/donate
    - Support Privacy '08 http://www.privacy08.org

========================================================================
[1] EPIC, Groups Urge Supreme Court: Uphold Accuracy In Police Databases
========================================================================

Today, EPIC filed a "friend of the court" brief in the United States Supreme Court, urging the Justices to ensure the accuracy of police databases. The brief was filed on behalf of 27 legal scholars and technical experts and 13 privacy and civil liberty groups. In Herring v. US, the Court will be asked to determine whether an arrest based on inaccurate information in a criminal justice database should be upheld. EPIC explained how government databases are becoming increasingly unreliable, according to the government's own studies.
EPIC also urged the Court to "ensure an accuracy obligation on law enforcement agents who rely on criminal justice information systems."

Amici said that the technology of government databases has changed dramatically since 1995, when the Court upheld the use of evidence obtained from an erroneous arrest record that was the product of a clerical mistake. In recent years, there has been an increase in information sharing not just among government agencies but also among federal, state, local, tribal and commercial entities. The policies and practices of modern-day policing have been changed by the federal government's Information Sharing Environment as well as state and local fusion centers. These developments allow broad data gathering and sharing.

"Today, the police have within their electronic reach access to an extraordinary range of databases including: the National Crime Information Center, systems associated with the federal government's employment eligibility verification system, terrorist watch lists and various commercial databases," amici said. These government and commercial databases are filled with errors, according to the federal government's own reports.

"Yet the government has further compounded the problems with record inaccuracies with two decisions: first, the increased distribution of the data not just among government agencies but among federal, state, local, tribal and commercial entities; and second, the exemption of database systems from important privacy and accuracy requirements set out in federal laws."

The amici warned that, "to permit a good faith reliance on data that is inaccurate, incomplete, or out of date will actually exacerbate the problem and increase the likelihood of unfair treatment in the criminal justice system."
"Friend-of-the-court," Brief by EPIC, 27 Legal Scholars and Technical Experts and 13 Privacy and Civil Liberty Groups (pdf) (May 16, 2008):
http://epic.org/privacy/herring/07-513tsac_epic.pdf

US Supreme Court Docket page for Herring v. US:
http://www.supremecourtus.gov/docket/07-513.htm

EPIC page on Herring v. US:
http://epic.org/privacy/herring/

EPIC's page on the 2003 online petition urging the reestablishment of accuracy requirements for the FBI's National Crime Information Center, the nation's largest criminal justice database:
http://epic.org/privacy/ncic/

========================================================================
[2] EPIC Supports Opt-In for Telephone Services
========================================================================

On May 6, 2008, EPIC filed a "friend of the court" brief in federal appellate court urging support for opt-in safeguards for telephone customers. The brief was filed on behalf of consumer and privacy organizations, technical experts, and legal scholars. At issue is an April 2, 2007 Federal Communications Commission Order that protects consumers' telephone record information.

"Consumers have a legitimate expectation of privacy with respect to sensitive personal information such as whom they call on a telephone," the brief said. "An opt-out policy would provide neither adequate protection for consumer data nor sufficient notice to consumers."

The National Cable and Telecommunications Association challenged the FCC rule, which requires companies to obtain consumers' opt-in consent before they reveal personal data regarding telephone calls. The case is presently pending before the U.S. Court of Appeals for the District of Columbia Circuit.

The FCC rule prohibits companies from sharing "customer proprietary network information" with third parties without a consumer's opt-in consent. Customer proprietary network information (CPNI) is the data collected by telecommunications corporations about a consumer's telephone calls.
It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer's telephone bill. EPIC has detailed the privacy violations that have resulted from unauthorized disclosure of CPNI. Such violations include pretexting (unlawful impersonation to get access to data), stalking, and the sale of individuals' phone records on the Internet.

The Telecommunications Act of 1996 required telecommunications companies to obtain customers' approval prior to sharing their CPNI with third parties. However, there was a difference of opinion on the interpretation of "approval." EPIC and other privacy advocates and consumer rights groups argued that "approval" required that a consumer give positive, express consent to the sharing of information. That is, consumers should "opt-in" to the marketing scheme. Telecommunications industry entities supported a presumption of consent - an opt-out system. The FCC rule clarified that the law requires "opt-in consent."

The National Cable and Telecommunications Association challenged the FCC rule, alleging that corporations had a First Amendment right to share CPNI with third parties for marketing purposes. Similar arguments were rejected by federal courts in Trans Union v. FTC, 245 F.3d 809 (D.C. Cir. 2001) and IRSG v. FTC, 145 F. Supp. 2d 6, No. 00-1828 (D.D.C. 2001).

EPIC has a long history of supporting privacy safeguards in this area. In August 2005, EPIC filed a petition urging the FCC to require security measures to protect access to CPNI from pretexters and other unauthorized parties. On July 9, 2007, EPIC filed detailed comments asking the FCC to implement additional safeguards for consumer telecommunications data. EPIC's proposals included encryption of CPNI, the implementation of audit trails, and limitations on data retention.
EPIC's "friend of the court" brief:
http://epic.org/privacy/nctafcc/epic-ncta-050608.pdf

EPIC's NCTA v. FCC Web Page:
http://epic.org/privacy/nctafcc/

FCC Order Regarding CPNI opt-in:
http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-07-22A1.pdf

EPIC's 2005 FCC Petition to the FCC:
http://www.epic.org/privacy/iei/cpnipet.html

EPIC's July 9, 2007 Comments to the FCC:
http://epic.org/privacy/cpni/cpni_070607.pdf

========================================================================
[3] .ORG to Pursue DNS Security Standard
========================================================================

ICANN (The Internet Corporation for Assigned Names and Numbers) will soon vote on adding a significant security layer to the domain name service system for .org domain names. The DNS security extension (DNSSEC) will primarily protect users from attempts by hackers to spoof, masquerade and hijack websites, attacks to which users of wireless networks are particularly vulnerable.

DNSSEC adds cryptographic information to the domain name system, which will make such redirection and spoof attacks exceedingly difficult. It will provide DNS clients with origin authentication of data, data integrity and authenticated denial of existence. Under the existing system, network operators (the owner of an Internet cafe, an ISP, or a group of hackers) can redirect requests for one site (www.mybank.com) to a totally different website (www.evilhacker.com), which may be masquerading as the legitimate site, without the end user noticing. This may be used to collect account information from the user. With DNSSEC, unauthorized redirecting of DNS requests will become much harder.

If approved, .org would adopt the technology that is already in use by the top-level country code domains of Sweden, Bulgaria, Brazil and Puerto Rico. Results in Sweden were favorable: DNSSEC ran on servers at the largest LAN party in Sweden without any complications.
A survey amongst top-level domain owners in Sweden showed that the biggest barrier for DNSSEC is adoption. Only 14% of the top-level domain owners said that DNSSEC is very interesting as a commercial service and 54% indicated that a 50-euro annual charge was rather high. Furthermore, the biggest Swedish ISP pointed out that DNSSEC adoption could be hampered if the hosting of websites supports DNSSEC but the pointers to those websites (the DNS resolvers) do not. As most Internet users only use the resolvers provided by their (domestic) ISPs, this means that adoption by these ISPs forms a bottleneck.

A resolved issue with DNSSEC is that it was designed to return a pre-signed report of names that are not assigned. This information is otherwise less easily available, and hackers could benefit from it. A solution has been proposed for this problem, and has been implemented with success in a pilot with VeriSign.

Important security is provided by the root zone, which is used to validate the public keys that lower zones use. This is why Bernard Turcotte (president of the Canadian Internet Registration Authority) drew attention to the proposal of the U.S. Department of Homeland Security that the key to sign the DNS root zone be placed in the hands of the U.S. government. Heise online reports that "this ultimate master key would then allow authorities to track DNS Security Extensions all the way back to the servers that represent the name system's root zone on the Internet." That level of control could potentially have allowed DHS (or whoever has the keys) to spoof large portions of the Internet.

ICANN opened a public comment period on the proposal on April 23, 2008, and will accept comments until May 24, 2008.
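
The denial-of-existence issue described above, as an added Python example that is not part of the original newsletter: with plain NSEC records the signed proof that a name does not exist names its two real neighbours, while the hashed variant exposes only salted hashes. The newsletter does not name the proposed solution, so treating it as NSEC3 (RFC 5155) is an assumption; the zone names are constructed, the salt and iteration count are those of the RFC 5155 Appendix A test zone, and signature (RRSIG) checking and the full closest-encloser proof are left out.

```python
# Added illustration, not from the newsletter. Zone contents are constructed.
import base64
import hashlib

# Map the standard base32 alphabet onto base32hex, which preserves sort order.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789abcdefghijklmnopqrstuv")

ZONE = ["example", "mail.example", "ns1.example", "www.example"]  # constructed


def labels(name):
    """Lower-cased labels of a domain name, leftmost first."""
    return [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]


def canonical_key(name):
    """DNSSEC canonical ordering: compare labels right to left as bytes."""
    return tuple(reversed(labels(name)))


def wire_name(name):
    """DNS wire format: length-prefixed labels ending in the root label."""
    out = b""
    for label in labels(name):
        if len(label) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(label)]) + label
    return out + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 owner-name hash: salted SHA-1, re-hashed `iterations` times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX)


def build_chain(keys):
    """Sort the keys and link each to its successor; the last wraps around."""
    ordered = sorted(set(keys))
    return [(k, ordered[(i + 1) % len(ordered)]) for i, k in enumerate(ordered)]


def covering_record(chain, key):
    """Return the (owner, next) pair whose gap contains key, else None."""
    for owner, nxt in chain:
        if owner < nxt:
            inside = owner < key < nxt
        else:  # last record in the chain wraps back to the first
            inside = key > owner or key < nxt
        if inside:
            return owner, nxt
    return None  # key is an existing owner name: no denial is possible


def nsec_denial(zone, qname):
    """Plain NSEC: the proof names two real neighbours of the missing name."""
    hit = covering_record(build_chain(canonical_key(n) for n in zone),
                          canonical_key(qname))
    if hit is None:
        return None
    return tuple(".".join(l.decode() for l in reversed(k)) for k in hit)


def nsec3_denial(zone, qname, salt_hex, iterations):
    """NSEC3 (simplified to one record): same gap check over hashed names."""
    chain = build_chain(nsec3_hash(n, salt_hex, iterations) for n in zone)
    return covering_record(chain, nsec3_hash(qname, salt_hex, iterations))


if __name__ == "__main__":
    # The NSEC proof discloses two assigned names; the NSEC3 proof does not.
    print(nsec_denial(ZONE, "vpn.example"))
    print(nsec3_denial(ZONE, "vpn.example", "aabbccdd", 12))
```

A resolver that validates either proof runs the same interval check; what changes is only what the signed record reveals about the rest of the zone.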
ICANN's announcement of the RFC for Public Interest Registry (PIR)'s proposed implementation of DNS Security Extensions (DNSSEC):
http://www.icann.org/announcements/announcement-23apr08.htm

EPIC page on DNSSEC:
http://epic.org/privacy/dnssec/default.html

Department of Homeland and Security wants master key for DNS:
http://www.heise.de/english/newsticker/news/87655

Paul Vixie on DNSSEC:
http://psg.com/lists/namedroppers/namedroppers.2006/msg01514.html

========================================================================
[4] EPIC Report: REAL ID Implementation: Few Benefits, Staggering Costs
========================================================================

At a REAL ID workshop at the Berkman Center on May 13, EPIC released a new report on the Department of Homeland Security's national identification proposal, the REAL ID system. The REAL ID Act mandates that State driver's licenses and ID cards follow federal technical standards and verification procedures issued by Homeland Security. REAL ID also enables tracking, surveillance, and profiling of the American public.

Last year, EPIC submitted detailed comments to the Department of Homeland Security on the draft proposal for REAL ID. With the assistance of many experts, EPIC attempted to address the enormous challenge in the project proposal. In this report, EPIC detailed the many problems with the final plan to implement this vast national identification system. Ultimately, "the REAL ID system remains filled with threats to privacy, security and civil liberties that have not been resolved."

"May 11, 2008 is the statutory deadline for implementation of the REAL ID system. Yet on this date, not one State is in compliance with the federal law creating a national identification system. In fact, 19 States have passed resolutions or laws rejecting the national ID program," EPIC said. "The final rule includes few protections for individual privacy and security in its massive national identification database.
It harms national security by creating yet another "trusted" credential for criminals to exploit." In fact, "[t]he Department of Homeland Security has faced so many obstacles with the REAL ID system that the agency now plans an implementation deadline of 2017."

Homeland Security claims that it is making strides in implementing the national ID program and Homeland Security Secretary Michael Chertoff encourages the use of the REAL ID system for a wide variety of purposes unrelated to the law that authorized the system. In an opinion column written by Secretary Chertoff after the publication of the final rule in January, he said, "embracing REAL ID" would mean it would be used to "cash a check, hire a baby sitter, board a plane or engage in countless other activities."

However, "[n]one of these uses for the REAL ID have a legal basis," EPIC explained. Each one of these uses creates a new risk for Americans who are already confronting the staggering problem of identity theft.

Instead, EPIC recommended a system of decentralized identification. "If you are banking, you should have a bank account number. If you go to the library, you should have a library card number. If you rent videos from a store, you should have a video rental store card number. Utility bills, telephone bills, insurance, the list goes on. These context-dependent usernames and passwords enable authentication without the risk of a universal identification system. That way, if one number is compromised, all of the numbers are not spoiled and identity thieves cannot access all of your accounts."
EPIC Report: "REAL ID Implementation Review: Few Benefits, Staggering Costs" (pdf) (May 2008):
http://epic.org/privacy/id-cards/epic_realid_0508.pdf

Department of Homeland Security, Final Rule for Implementation of REAL ID Act (January 11, 2008):
http://www.dhs.gov/xprevprot/programs/gc_1200062053842.shtm

Op-Ed by DHS Secretary Chertoff, "National ID security," published in Sacramento Bee (January 16, 2008):
http://www.sacbee.com/110/story/636479.html

EPIC's page on National ID Cards and the REAL ID Act (including information on State anti-REAL ID legislation):
http://epic.org/privacy/id-cards/

========================================================================
[5] EPIC Prevails in Virginia Fusion Center FOIA Case
========================================================================

On May 8, 2008, the Richmond General District Court held that EPIC "substantially prevailed" on the merits of its freedom of information lawsuit against the Virginia State Police. EPIC filed the case after the State Police refused to disclose documents regarding the federal government's involvement in efforts to limit Virginia's transparency and privacy laws. The court's letter opinion requires the State Police to pay EPIC's litigation costs, but not its attorneys' fees. The opinion affirms that the State Police failed to comply with Virginia's open government laws in response to EPIC's February 12, 2008 freedom of information request.

EPIC has broadened its investigation of the federal government's role in limiting state transparency and privacy laws. On April 18, 2008, EPIC filed an open government request with the Texas Department of Public Safety. This request seeks documents about the federal government's role in the Texas Fusion Center's transparency and privacy policies, and is presently pending. The Texas Fusion Center is a database that collects information on ordinary citizens.
The White House's official position requires all fusion centers to respect state open government and privacy laws. However, EPIC obtained documents, through the Virginia FOI lawsuit, that reveal federal involvement in limiting Virginia's open government and privacy protections.

Through the Virginia litigation, EPIC uncovered a Memorandum of Understanding - a secret contract - between the State Police and the FBI concerning the Virginia Fusion Center. The Memorandum was signed in early 2008, and limits the rights of Virginia citizens to learn what information the State Police collect about them. The agreement requires the State Police to comply with federal regulations that restrict the disclosure of records to the public. The federal regulations (28 CFR Part 16) cited in the Memorandum contain at least thirty-seven exemptions from open government and privacy laws. The Memorandum also requires the State Police to refer open government requests to federal agents if the requests relate to information shared by the FBI with the fusion center. EPIC's lawsuit also caused the State Police to disclose other documents, including the Virginia Fusion Center's draft Privacy Policy.

EPIC sued the State Police to compel the disclosure of public records relating to the role of federal agencies in the Virginia Fusion Center. Of particular interest to EPIC is federal involvement in recent legislative efforts to limit Virginia's open government and privacy laws. EPIC's requests and lawsuit sought to determine whether the U.S. Dept. of Justice or the U.S. Dept. of Homeland Security participated in the development of the legislation, HB 1007. The legislation, signed on April 2, 2008, limits Virginia's open government and privacy statutes, as well as Virginia's common law right of privacy, for the Virginia Fusion Center.

The Virginia Fusion Center is one of several similar entities established by state governments throughout the United States.
Fusion centers are intelligence databases that collect information from federal, state, municipal, and private sources. Privacy advocates have criticized the non-transparent operation of fusion centers, and their lack of meaningful civilian oversight. Federal guidelines call for fusion centers to accumulate and retain information about citizens from sources such as: financial records, credit reports, medical records, internet and email data, video surveillance from retail stores and sporting facilities, data from preschools, and welfare records.

Richmond General District Court Opinion:
http://epic.org/privacy/virginia_fusion/Opinion05-08-08.pdf

EPIC v. Virginia Department of State Police - Fusion Center Secrecy Bill:
http://epic.org/privacy/virginia_fusion/

Memorandum of Understanding:
http://epic.org/privacy/virginia_fusion/MOU.pdf

EPIC - Information Fusion Centers and Privacy:
http://epic.org/privacy/fusion/

========================================================================
[6] News in Brief
========================================================================

DOJ's 2007 FISA Report Increases in Government Searches

The Department of Justice released the 2007 FISA report, which reports the annual figures on the applications made by the federal government for electronic surveillance and physical searches. According to the 2007 FISA report, the Foreign Intelligence Surveillance Court approved 2,370 applications to conduct electronic surveillance and physical searches in the United States. The numbers show an increase over the 2006 figure of 2,176. For the first time, the report includes information regarding the total number of requests made by the Department of Justice with National Security Letter authority for information concerning U.S. persons. The report said that in 2006, the government made approximately 12,583 NSL requests for information concerning 4,790 U.S. persons.
In related news, the 2007 Wiretap report said that federal and state courts issued 2,208 orders for the interception of wire, oral or electronic communications in 2007, compared to 1,839 in 2006.

Statistics on FISA Reports:
http://epic.org/privacy/wiretap/stats/fisa_stats.html

EPIC Page on FISA:
http://epic.org/privacy/terrorism/fisa/

Wiretap Report:
http://www.uscourts.gov/wiretap07/contents.html

EPIC Wiretap Page:
http://epic.org/privacy/wiretap/


EPIC Urges FTC to Impose Civil Penalties in Data Breach Settlements

On April 28, 2008, EPIC filed comments with the Federal Trade Commission urging the FTC to include civil penalties in settlements with TJX, Reed Elsevier, and Seisint. The Commission recently concluded investigations of the companies' weak security policies. The companies' weak security policies resulted in data breaches involving hundreds of thousands of consumers, and the Commission reached preliminary settlements with TJX, Reed Elsevier, and Seisint. The proposed settlements would impose security and audit responsibilities, but no financial penalties. EPIC noted that civil penalties were necessary to provide incentives for companies to better safeguard personal consumer data in the future. EPIC further observed that the FTC imposed $10 million in civil penalties in the Choicepoint case - a similar case that affected fewer consumers.

The FTC's investigations arose from TJX, Reed Elsevier, and Seisint's 2004-2005 data breaches, which exposed the sensitive personal information of over 500,000 consumers and resulted in millions of dollars in alleged financial fraud. As a result of the 2005 TJX data breach, between 45 million and 100 million credit card numbers were exposed to fraud. As a result of the 2004 data breach involving both Reed Elsevier and Seisint, personal information regarding several hundred thousand people was exposed in a scheme involving stolen computer logins and passwords. The proposed settlements do not include civil penalties.
In comparison, in 2006, the FTC imposed $10 million in civil penalties on Choicepoint as a result of a data breach that affected approximately half as many consumers.

Agency Announces Settlement of Separate Actions Against Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers' Data:
http://www.ftc.gov/opa/2008/03/datasec.shtm

EPIC's Comments to the FTC:
http://epic.org/privacy/idtheft/042808_ftc.pdf


Canadian Privacy Commissioner: Social Networking Sites Biggest Threat

Jennifer Stoddart, the Canadian Privacy Commissioner, singled out social networking sites as the biggest threat to the security of personal information. The information on social networking sites can be collected and used lawlessly. Though sites may offer privacy settings, many users do not update these from the permissive defaults. Employers and law enforcement are also accessing social networking sites.

Fear the 'web' of deceit: expert; Social-networking sites expose personal data, privacy boss says:
http://www.thewhig.com/ArticleDisplay.aspx?e=1021156

Canadian Privacy Commission Social Networking and Privacy:
http://www.privcom.gc.ca/information/social/index_e.asp

EPIC Social Networking Privacy Page:
http://epic.org/privacy/socialnet/


New Trend: Data 'portability' in Social Networking Sites

Google, Facebook and MySpace have all recently announced new initiatives to facilitate social information sharing on the web. Websites will be able to add social networking features to their own offerings, using the social information that users have provided to their social networking sites. MySpace users will be able to import their profile information to sites like Yahoo, eBay and Photobucket. Facebook users will be able to log into sites such as Digg.com with their Facebook identities, thus importing their friend relationships into those interactions.
The announcements do not discuss how much user information from these third-party sites will be available to the third-party provider, but at least some information will have to flow as an incident of providing the service.

The features are similar to a system that Microsoft introduced in 2001, named Passport. The system aimed to be a single sign-in and user registration feature that would store personal information and then be used to log in to several websites on the Internet. Microsoft aimed to "create the largest and most leverageable database of profiles on the planet." EPIC and a coalition of consumer groups filed a complaint with the FTC alleging that Microsoft was unfair and deceptive in its claims of protecting consumer privacy and keeping information secure. Microsoft eventually settled FTC charges regarding the collection of personal information in its Passport service.

MySpace Introduces 'Data Availability':
http://biz.yahoo.com/bw/080508/20080508006009.html

Google: A Friend Connected Web:
http://googleblog.blogspot.com/2008/05/friend-connected-web.html

Announcing Facebook Connect:
http://developers.facebook.com/news.php?blog=1&story=108

EPIC Social Networking Page:
http://epic.org/privacy/socialnet/

EPIC Microsoft Passport Investigation Docket Page:
http://epic.org/privacy/consumer/microsoft/passport.html


EPIC Recommends Privacy Safeguards for Voting System Standards

The Election Assistance Commission closed the first of several comment periods in the drafting of the 2007 Voluntary Voting System Guidelines. EPIC submitted comments to the Election Assistance Commission on the proposed Voluntary Voting System Guidelines. EPIC's comments support the establishment of Software Independence as a means of assuring that an error in a voting system's software will not result in an undetectable change in the information reported to election administrators.
The standards present a number of changes from the earlier version, such as adopting a class and topic organization structure that makes them easier to follow. The document also has expanded its accessibility and usability to the benefit of voters who will use these features to cast an independent ballot.

Although the standards are voluntary, all voting systems certified by the agency will be under the adopted standard. The 2007 version will mark the second federal standard for voting systems developed by the agency. The first Voluntary Voting System Guidance drafted by the agency was released in 2005.

EPIC Voting Page:
http://epic.org/privacy/voting/

EPIC Voting Project:
http://votingintegrity.org/

Election Assistance Commission (EAC):
http://eac.gov

Comments by EPIC:
http://epic.org/privacy/voting/2007vvsg_5508.pdf


D.C. Council Cuts Funding for Video Surveillance System

The D.C. Council has removed $886,000 from the Mayor's proposed homeland security budget for a system of 5,200 surveillance cameras in the nation's capital. D.C. Council members and others criticized the "Video Interoperability for Public Safety" system, which lacks privacy safeguards. The Council required the Mayor to develop rules for video surveillance cameras and technology that must be approved by the Council before future funding is authorized. Last week, EPIC joined the ACLU-NCA and the Constitution Project in urging de-funding of the surveillance system.

D.C. Council Report on the Mayor's Proposed Budget:
http://epic.org/redirect/dccouncilbudget2009.html

EPIC's page on Video Surveillance:
http://epic.org/privacy/surveillance/

Observing Surveillance:
http://observingsurveillance.org/


FTC Issues Additional CAN-SPAM Rules

On May 12, 2008, the FTC approved several new rules implementing the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM).
The Commission stated that consumers couldn't be charged a fee to opt out of unsolicited bulk commercial email (spam). The FTC also clarified several definitions, stating that CAN-SPAM's definition of a "person" is not limited to natural persons and that a P.O. box qualifies as a "physical address" under CAN-SPAM. Furthermore, it clarified that third-party list brokers (companies that sell email lists to spammers) are not "senders" under CAN-SPAM, and are therefore not subject to the law's opt-out requirements. The Commission's rule regarding list brokers fails to protect consumers, who continue to suffer from a barrage of spam despite CAN-SPAM.

On May 12, 2005, the FTC issued a notice of proposed rulemaking on these issues. On June 27, 2005, EPIC submitted comments supporting the imposition of opt-out requirements on third-party list brokers. EPIC stated that such imposition was consistent with CAN-SPAM's purpose and legislative mandate. In addition, such imposition would provide a more effective remedy for consumers than the present system, which requires consumers to opt out with individual companies.

FTC Approves New Rule Provision Under The CAN-SPAM Act:
http://www.ftc.gov/opa/2008/05/canspam.shtm

EPIC's Comments to the FTC:
http://epic.org/privacy/junk_mail/spam/canspamcomment62705.html

========================================================================
[7] EPIC Bookstore: "Guarding Life's Dark Secrets"
========================================================================

Guarding Life's Dark Secrets: Legal and Social Controls over Reputation, Propriety, and Privacy by Lawrence M. Friedman (Stanford University Press, November 2007) ISBN: 978-0-8047-5739-3

http://www.powells.com/biblio/1-9780804757393-0?&PID=24075

Lawrence Friedman, the dean of American legal history, has written a wonderful and fact-filled book about the evolving understanding of privacy, defamation, and reputation in the United States.
With a keen eye for both the obscure news articles from a small town and the broad themes that have transformed American law, Professor Friedman helps explain how in the present day the private has become the public.

Reputation in the early days of America served several functions. In a mobile society, based on commerce and not title, reputation helped establish status and obtain credit. Reputation could be remade and it could also be manufactured. There was some space, some “leeway,” between public reputation and private life. Friedman describes the “Victorian compromise” that outwardly maintained a strict moral code in matters of vice and sexual conduct, while permitting a certain amount of private indiscretion.

These social understandings, largely sanctioned by the courts, came under assault with the temperance movement and other moralists of the late nineteenth century. Then they were swept in the opposite direction by the sexual revolution and the rights revolution during the second half of the twentieth century.

Friedman also describes the extraordinary inversion of the right of defamation, originally cast to safeguard the interests of elites, that lost much of its force following the Times v. Sullivan decision and subsequent cases that left public officials, and then public figures, fair game for gossip as long as it was not done with malice and reckless disregard for the truth. Today “there is widespread agreement,” Professor Friedman writes, “that citizens of democracies should have free rein to criticize officials, governments, and public figures. There is some disagreement, however, on limits and boundaries.”

What happens next in the American experience remains an interesting question. There are at least two powerful trends pulling in very different directions. In the online world of digital personas, there is far more creation of identity than in the era of the confidence man.
Avatars can be tossed aside more quickly than a fine coat and recently printed business card. But in the physical world, there is ever-greater dependence on detailed, recorded, private facts. Employers check your credit scores. Airport security agents examine your watch list status. An ill-considered blog post remains long after the drunken escapade has concluded.

If there is a message in Professor Friedman's broad survey perhaps it is that laws that attempt to impose caste-like systems of social status diminish social mobility and lead to unsustainable contradictions. Perhaps a world of overlapping reputational matrices would provide the basis to manage the conflicting demands of public scrutiny and private life even as technology presses the construction of identity at both extremes.

- Marc Rotenberg

================================

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC 2007). Price: $50.
http://www.epic.org/bookstore/foia2006

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 23rd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/bookshelf/epicorg.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/mailman/listinfo/foia_notes

========================================================================
[8] Upcoming Conferences and Events
========================================================================

CFP 2008: Technology Policy 08. New Haven, Connecticut. May 19-23, 2008. For more information: http://www.cfp2008.org

Privacy Compliance Fundamentals: PTAs, PIAs, and SORNs. GSA Regional Headquarters. May 23, 2008.
For more information: http://www.dhs.gov/xinfoshare/committees/editorial_0699.shtm

Future of the Internet Economy - OECD Ministerial Meeting. June 17-18, 2008. Seoul, Korea. For more information: http://www.epic.org/redirect/OECD180608.html

Second Annual National Institute on Cyberlaw: Expanding the Horizons. June 18-20, 2008. Washington DC. For more information: http://www.abanet.org/cle/programs/n08ceh1.html

Conference on Ethics, Technology and Identity. The Hague. June 18-20, 2008. For more information: http://www.ethicsandtechnology.eu/ETI

Privacy Laws & Business 21st Annual International Conference. Value Privacy, Secure Your Reputation, Reduce Risk. 7-9th July, 2008, St. John’s College, Cambridge. For more information: http://www.privacylaws.com/

The Privacy Symposium - Summer 2008: An Executive Education Program on Privacy and Data Security Policy and Practice, August 18-21, 2008, Harvard University, Cambridge, MA. For more information: http://www.privacysummersymposium.com/

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:
https://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

========================================================================
Donate to EPIC
========================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Support Privacy '08
=======================================================================

If you would like more information on Privacy '08, go online and search for "Privacy 08".
You'll find a Privacy08 Cause at Facebook, Privacy08 at Twitter, a Privacy08 Channel on YouTube to come soon, and much more. You can also order caps and t-shirts at CafePress Privacy08.

Start a discussion. Hold a meeting. Be creative. Spread the word. You can donate online at epic.org. Support the campaign.

Facebook Cause:
http://www.epic.org/redirect/fbprivacy08.html

Twitter:
http://twitter.com/privacy08

CafePress:
http://www.cafepress.com/epicorg

------------------------- END EPIC Alert 15.10 -------------------------