EPIC logo

                              E P I C  A l e r t
Volume 15.11                                                May 30, 2008

                               Published by the
                  Electronic Privacy Information Center (EPIC)
                               Washington, D.C.


Table of Contents
[1] Congressman Barton Urges Scrutiny of Google's Privacy Practices
[2] Computers, Freedom & Privacy Conference Explores Technology Policy
[3] Telecom Immunity 'Compromise' Under Consideration in Congress
[4] Senate Investigates Role of US Firms in China
[5] Congressmembers Call on Charter Cable to Halt Net Snooping Plan
[6] News in Brief
[7] EPIC Bookstore: Privacy Journal Survey of State and Federal Laws
[8] Upcoming Conferences and Events
    - Subscription Information
    - Privacy Policy
    - About EPIC
    - Donate to EPIC
    - Support Privacy '08

[1] Congressman Barton Urges Scrutiny of Google's Privacy Practices

In a letter to Google's Eric Schmidt, the top Republican of a powerful
Congressional committee has asked the Google CEO to explain the
company's privacy practices since the acquisition of Internet advertiser
Doubleclick. Rep. Joe Barton (R-TX) is the co-founder of the House
Privacy Caucus.

"Individually, Google and Doubleclick collect a great deal of data
relating to their users' online activity. It is critical that Google's
and Doubleclick's policies and procedures for handling this information
be transparent, and that every effort is made to protect consumers'
data," Rep. Barton wrote. He also pressed Google about the retention of
persistent identifiers, such as IP addresses and User IDs.

Google also is creating controversy by refusing to place a link to its
Privacy Policy on its home page. The Network Advertising Initiative,
which sets standards for companies that collect data for targeting
advertising, requires that its members provide "clear and conspicuous
notice" of how they collect and uses data. This has meant that members
should place a link to their Privacy Policies on their home page. Though
Google applied for membership in the NAI after acquiring Doubleclick,
the search engine has refused to comply with the requirement of placing
its Privacy Policy on its home page.

In response to a reporter's question as to why Google would refuse to
add a link to its Privacy Policy on its home page, a company spokesman
responded, "We do believe that having very limited text on our home page
is important and that is something we have shared with the N.A.I." The
NAI has refused to discuss Google's application.

The California-based Google may also be violating state law. The 2003
California Online Privacy Protection Act requires that operators of
commercial Web sites that collects personal data about users to
"conspicuously post its privacy policy on its Web site." The Act sets
out regulations for the placement of the link, including that the policy
must be "located on the homepage or first significant page after
entering the Web site."

Last year, EPIC, CDD and US PIRG filed a complaint with the Federal
Trade Commission requesting that the Commission open an investigation
into the proposed acquisition, specifically with regard to the ability
of Google to record, analyze, track, and profile the activities of
Internet users with data that is both personally identifiable and data
that is not personally identifiable. EPIC further urged the Commission
to require Google to publicly present a plan to comply with
well-established government and industry privacy standards such as the
OECD Privacy Guidelines. Pending the resolution of these and other
issues, EPIC encouraged the Commission to halt the acquisition. However,
the Commission failed to impose privacy safeguards as a condition of the
Google-Doubleclick merger.

Earlier this year, in testimony before the European Parliament in
Brussels, EPIC President Marc Rotenberg said that Google was beginning
to reveal the characteristics of an "information monopolist" and that it
was important for governments to act to preserve the rights of citizens
and to safeguard competition and innovation in the information economy.
EPIC also recommended to the European Commission that IP addresses be
considered personally identifiable information. A subsequent report from
the Article 29 Data Protection Working Party endorsed this approach.

Letter from Rep. Barton to Google (May 21, 2008) (pdf):


2003 California Online Privacy Protection Act:


Article 29 Data Protection Working Party, Opinion on data protection
issues related to search engines (April 4, 2008) (pdf):


EPIC's Testimony before the European Parliament (pdf):


EPIC page on Privacy? Proposed Google-DoubleClick Merger:


[2] Computers, Freedom & Privacy Conference Explores Technology Policy

The 18th Annual meeting of Computers Freedom and Privacy took place in
New Haven Connecticut from May 20-24, 2008. The meeting hosted panel
discussions on a wide range of topics, including: Constitutional Law in
Cyberspace, e-Deceptive Campaign Practices, Presidential Policy and
Technology: Priorities for the Next Executive, the National Security
State, and all day Hands-on Session on Social Networking.

The theme of the meeting focused on the opportunities to shape
information technology policy of the next President of the United
States. Meeting planners sought to offer perspectives and advice to the
next Administration on key technology and policy issues such as:
surveillance, consumer protection, innovation, and sustainable Internet
technology policy. The meeting included representatives from Senators
John McCain and Barack Obama, who presented their candidates' views on
technology policy and the presidency.

An in-depth discussion on technology and the changing face of society
reviewed key areas that have seen the greatest change for the 2008
Presidential election. Key areas are the deployments of Fusion Centers,
the Surveillance State, and e-Deceptive Campaign Practices. Plenary
panel discussions on the 21st Century Panopticon and the National
Surveillance State and the Next Administration looked closely at the
adoption of surveillance policies and their infrastructures. A panel
discussion on e-Deceptive Campaign Practices explored the first signs
that voter deceptive practices in the off-line world may be reaching

The conclusion of the meeting was the collective drafting of an open
letter to all of the presidential candidates on the importance of
information technology policy.   The letter outlined key topics for the
unfolding election year debate such as: creating a safer Internet for
children and adults; reducing identity theft; the role of content
ownership; using new technologies effectively; enabling access to
technology and knowledge; as well as protecting privacy.

Computers, Freedom, and Privacy 2008:


Information on e-Deceptive Campaign Practices; National
Surveillance State and the Next Administration; and the 21st Century
Panopticon can be found at:


EPIC's Privacy '08 Campaign:


[3] Telecom Immunity 'Compromise' Under Consideration in Congress

Congressional leaders and White House officials are reportedly
considering a compromise in the ongoing debate over changes to the
President's warrantless surveillance powers. Changes to the Foreign
Intelligence Surveillance Act ("FISA") are being debated along with a
provision of immunity for telecommunications companies that participated
in the President's warrantless surveillance program.

The President had previously vowed to veto any bill that did not include
immunity for those telecom companies. The Senate passed an immunity
bill, but the House has twice-passed a different bill. The latest, HR
3773, rejects administration demands for automatic retroactive immunity
for the telecom companies, establishes a bipartisan commission to
investigate the President's warrantless wiretapping program, and
provides for greater oversight of surveillance targeted against persons
overseas. The House bill also allows secret evidence to be introduced in
court instead of being barred by claims of the state secrets privilege
by the President.

Republican Sen. Kit Bond offered some terms of compromise in an attempt
to make the Senate bill more palatable to the House. The compromise
proposal would allow the secret FISA court to dismiss cases if a
preponderance of evidence supported a certification by the attorney
general that the President authorized the programs. The FISA court would
not determine whether the telecommunications companies broke the law,
whether the programs were lawful, or whether there was a basis in the
companies for believing that they were being asked to participate in a
lawful program.

The FISA court consists of judges appointed by the Chief Justice of the
United States; its normal role involves hearing secret applications for
government wiretaps. The government has submitted thousands of
applications for secret warrants and less than 10 have been denied.

Other offers in the compromise include an Inspector General review of
the warrantless surveillance program, and language duplicating the
provision that FISA is the "exclusive means" by which electronic
surveillance is done. These debates follow the expiration of the Protect
America Act, which expanded the President's warrantless surveillance
powers. The Act removed some surveillance from the limited FISA court
review and allowed the government to create more surveillance programs
with limited review.

Sen. Bond's Compromise Offer (pdf):


House Bill, HR 3773:


EPIC page on FISA:


EPIC page on FISA Court Orders:


[4] Senate Investigates Role of US Firms in China

On May 20, the Senate Judiciary Committee held a hearing examining
"Global Internet Freedom: Corporate Responsibility and the Rule of Law."
 Representatives from Google, Yahoo, and Cisco answered questions about
corporate practices. The surveillance firm L-1, which was the focus of a
recent Rolling Stone article regarding surveillance in China, did not

EPIC and Privacy International annually publish Privacy and Human
Rights, a detailed report on the state of privacy around the world. The
most recent edition discusses new systems of surveillance in China and
notes privacy concerns surrounding the upcoming Beijing 2008 Summer
Olympics. It was recently reported that tickets for the opening and
closing ceremonies will be embedded with microchips containing the
tickeholder's photograph, passport details, addresses, e-mail and
telephone numbers. This represents an unprecedented link between
personal information and Olympic tickets.

In March, the U.S. State Department issued a warning for Americans
intending to travel to China for the 2008 Summer Olympics. The
Department warned that visitors should expect lowered standards of
privacy and increased surveillance by the Chinese authorities.

In the Department's 2007 Human Rights Report, China is described as an
authoritarian state. The report maintains that while the laws ostensibly
protect the freedom and privacy of citizens, in practice privacy is not
respected. According to the report:  "During [2007,] authorities
monitored telephone conversations, facsimile transmissions, e-mail, text
messaging, and Internet communications. Authorities also opened and
censored domestic and international mail. The security services
routinely monitored and entered residences and offices to gain access to
computers, telephones, and fax machines. All major hotels had a sizable
internal security presence, and hotel guestrooms were sometimes bugged
and searched for sensitive or proprietary materials."

EPIC previously urged the Department of Commerce to restrict the export
of high-tech surveillance equipment to China. Following the 1989
Tiananmen Square massacre, the U.S. restricted the export of products
such as tear gas, handcuffs, and shotguns to China. EPIC has noted that
American firms sell technology products to Chinese police and security
authorities that can be used to track political dissidents, in spite of
China's dismal human rights record. Cisco, for example, has marketed and
sold its products as "strengthening police control."

Congress has criticized American technology companies for their role in
supplying China with tools to suppress free speech and invade privacy. 
In 2006, members of Congress accused four major U.S. Internet companies,
Microsoft, Yahoo, Cisco Systems, and Google, of helping the Chinese
government block certain online information by providing it with
surveillance and filtering tools. Yahoo has been further criticized for
its role in helping Chinese authorities identify dissidents who posted
information on the Web through Yahoo's online services. Two such
dissidents were identified, arrested and sentenced to prison terms of
eight and 10 years.

EPIC's Privacy and Human Rights Report:


EPIC page on Olympic Privacy:


U.S. State Department travel warning regarding privacy in China:


U.S. State Department's 2007 Human Rights Report on China:


EPIC's 2006 Letter Regarding Surveillance Technology Exports To China


[5] Congressmembers Call on Charter Cable to Halt Net Snooping Plan

Rep. Edward J. Markey (D-MA) and Rep. Joe Barton (R-TX), senior members
of Congress, challenged the legality of Charter Communications' plan to
intercept and inspect their customers' Internet activity. The
Congressmen stated that Charter's plan "raises substantial questions"
related to the federal Cable Television Privacy Act. Charter, the
nation's fourth-largest cable provider, recently announced that it has
partnered with NebuAd to intercept and analyze Charter customers'
Internet activity and develop profiles based on the data. Congressmen
Markey and Barton requested that Charter hold off on the proposed
venture with NebuAd.

In mid-May, some Charter customers received notices stating that the
cable giant would soon begin to perform "deep packet inspection" of
their Internet traffic. Deep packet inspection can reveal the substance
of nearly all Internet traffic over a subscriber's connection, including
Web surfing content, search engine queries, and e-mail messages. The
notices were sent to customers in four markets: Fort Worth, Texas; San
Luis Obispo, California; Oxford, Massachusetts; and Newtown,
Connecticut.  Charter plans to use the initial four locations as test
markets, and intends to expand its deep packet inspection activities to
all Charter customers in the future.

Charter partnered with NebuAd to implement its deep packet inspection
program.  NebuAd will install its hardware on Charter's system, and pay
Charter a monthly fee per subscriber. Charter and NebuAd will use deep
packet inspection techniques to develop profiles of customers' online
behavior, and then target advertising at individual users. This sort of
intensive inspection and monitoring has been criticized by network
neutrality advocates, as well as in the online advertising context in
the UK. Charter's deep packet inspection program is the first
large-scale implementation by a major US Internet Service Provider.

The law cited by Congressmen. Markey and Barton, the Cable Television
Privacy Act, regulates companies that provide cable services. The Act
prohibits cable companies from disclosing subscribers' personally
identifiable information without "prior written or electronic consent of
the subscriber." Charter plans to disclose its customers' personally
identifiable information to NebuAd and others without obtaining prior
written consent.

In addition to the questions raised by Congressmen Markey and Barton,
Charter's deep packet inspection plan may run afoul of other laws.  For
example, the federal Wiretap Act bars, in most cases, interception of
electronic communications. The Act provides for civil liability and
criminal penalties against any entity that "intentionally intercepts,
endeavors to intercept, or procures any other person to intercept or
endeavor to intercept any […] electronic communication [except as
provided in the statute]."

EPIC page on Deep Packet Inspection and Privacy:


Letter from Rep. Markey and Rep. Barton to Charter (pdf):


Charter's Letter to Subscribers (pdf):


[6] News in Brief

EPIC Supports New Internet Privacy Standard

On May 24, EPIC submitted comments to ICANN (which manages domain names
and IP addresses) in support of the Domain Name System Security
Extensions (“DNSSEC”) proposal currently under consideration. The DNS
security extension would help protect users from attempts by hackers to
spoof, masquerade, and hijack Web sites, EPIC said. “Whereas an Internet
user with unsecured DNS can only guess about the authenticity of the
server which provides his browser with the IP address for a given domain
name, with DNSSEC users can validate the identity of the DNS server.”
The Public Interest Registry has proposed to implement DNSSEC for the
.ORG domain. DNSSEC is already in use by the top-level country code
domains of Sweden, Bulgaria, Brazil, and Puerto Rico.

Internet Corporation for Assigned Names and Numbers (ICANN):


EPIC Comments to ICANN in Support of DNSSEC Proposal (May 24, 2008):


EPIC page on Domain Name System Security Extensions (DNSSEC): 


President Signs Genetic Nondiscrimination Act

President Bush has signed into law the Genetic Information
Nondiscrimination Act of 2008. The Act had been introduced in 2003, but
died in the U.S. House after passing the U.S. Senate. The bill was
reintroduced in January and was passed by both chambers in the last few
weeks. The Act prohibits discrimination on the basis of genetic
information with respect to health insurance and employment. However,
the Act does not address the privacy risks associated with the
collection and storage of electronic health records.

Genetic Information Nondiscrimination Act, S. 358:


EPIC page on Genetic Privacy:


China Adds RFID Tags to Olympics Tickets

The Chinese government has announced that it will embed radio frequency
identification (“RFID”) tags into tickets for the 2008 Summer Olympic
Games. The RFID tags transmit data wirelessly and there are questions
about the security of the data, which will include the ticketholder's
passport details, address, and other personal data. In March, The U.S.
State Department issued a travel advisory warning that hotel rooms and
offices may be subject to monitoring and may be accessed without the
consent or knowledge of the occupant.

U.S. State Department Travel Warning About 2008 Olympic Games in


EPIC's page on Privacy and the 2008 Olympic Summer Games: 


DHS Releases Privacy Impact Assessment for EINSTEIN 2 System

The Department of Homeland Security (DHS) has released a Privacy Impact
Assessment for the EINSTEIN 2 intrusion detection system. Though the
system collects IP and e-mail addresses, the Assessment states that no
System of Records Notice will be issued under the Privacy Act of 1974.
EINSTEIN 2 upgrades the previous EINSTEIN system, described in a 2004
Privacy Impact Assessment. The EINSTEIN system produced analyses on all
network traffic and recorded personally identifiable information for
later use. EINSTEIN 2 adds a system to automatically detect malicious
network activity, creating alerts when it is triggered. These alerts may
contain personally identifying information such as e-mail and IP

EINSTEIN 2 Privacy Impact Assessment:


US House Committee on Homeland Security Hearing On "The Cyber


EPIC Page on Deep Packet Inspection and Privacy:


'Privacy Lives': New Site Monitors the Pulse of Privacy

"Privacy Lives" is a new site covering privacy and civil liberties
issues in modern society. "In 1755, Benjamin Franklin wrote, 'Those who
would give up essential liberty to purchase a little temporary safety
deserve neither liberty nor safety.' Centuries later, we face numerous
attacks on our privacy and civil rights, ostensibly for national
security. Phone calls are tapped, e-mails are read, and individuals are
tracked by video surveillance. We're told that if you're not for these
invasive surveillance tactics, then you're with the terrorists.
PrivacyLives.com rejects such fear mongering. This site will chronicle
and analyze these attacks and various defenses against them to show that
privacy lives on, despite this onslaught." The publisher of the site,
Melissa Ngo, was previously EPIC's Senior Counsel and Director of EPIC's
Identification and Surveillance Project. She is currently a Privacy and
Information Policy Consultant.

Privacy Lives, "Monitoring the Pulse of Privacy":


[7] EPIC Bookstore: "Privacy Journal Survey of State and Federal Laws"

Privacy Journal Survey of State and Federal Laws, 2008 Update


"Privacy Journal has published the newest Supplement to its acclaimed
book of state laws on privacy, showing that 35 states have enacted laws
requiring notifications to persons affected by security breaches in
databases held by businesses or government agencies.  The federal
government has not yet passed such protections.

"A total of 22 states now provide a consumer an opportunity to have a
'security freeze' placed on a credit report, to make it more difficult
for a stranger to have credit reported in the name of an innocent
consumer. Oregon and California now require all entities to have
information security plans in place. And a few states have laws
requiring shredding of business records with individuals' account
numbers or Social Security numbers on them, according to Privacy
Journal's latest survey of state and federal privacy laws."

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.


This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.


This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry
A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors
(EPIC 2007). Price: $50. 


This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 23nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.


This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:


The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.


A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore 


"EPIC Bookshelf" at Powell's Books



EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:


[8] Upcoming Conferences and Events

A Progressive Framework for Bridging the ID Divide, Center for American
Progress. June 2, 2008. Washington, D.C. For more information:

2008 National Convention, American Constitution Society. June 12-14,
2008. Washington, DC. For more information: http://acslaw.org/

Making the Future of the Internet Economy Work for Citizens, Consumers
and Workers, The Public Voice Conference. June 16, 2008. Seoul, Korea.
For more information: http://thepublicvoice.org/events/seoul08/

Future of the Internet Economy - OECD Ministerial Meeting. June 17-18,
2008. Seoul, Korea. For more information:

Second Annual National Institute on Cyberlaw: Expanding the Horizons.
June 18-20, 2008. Washington DC. For more information:

Conference on Ethics, Technology and Identity. The Hague. June 18-20,
2008. For more information: http://www.ethicsandtechnology.eu/ETI

Privacy Laws & Business 21st Annual International Conference. Value
Privacy, Secure Your Reputation, Reduce Risk. 7-9th July, 2008, St.
John’s College, Cambridge. For more information:

The Privacy Symposium - Summer 2008: An Executive Education Program on
Privacy and Data Security Policy and Practice, August 18-21, 2008,
Harvard University, Cambridge, MA. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.
Support Privacy '08

If you would like more information on Privacy '08, go online and search
for "Privacy 08". You'll find a Privacy08 Cause at Facebook, Privacy08
at Twitter, a Privacy08 Channel on YouTube to come soon, and much more.
You can also order caps and t-shirts at CafePress Privacy08.

Start a discussion. Hold a meeting. Be creative. Spread the word. You
can donate online at epic.org. Support the campaign.

Facebook Cause:






------------------------- END EPIC Alert 15.11 -------------------------