                              E P I C  A l e r t
Volume 15.18                                         September 12, 2008

                               Published by the
                  Electronic Privacy Information Center (EPIC)
                               Washington, D.C.


Table of Contents
[1] Presidential Candidate Speaks at Privacy '08 Event in Washington
[2] EPIC Testifies in Congress on Watchlist Errors
[3] Federal Appeals Court Hears Telephone Privacy Case
[4] EPIC Speaks in Brussels on Internet Privacy
[5] Google Browser Faces Privacy Criticisms
[6] News in Brief
[7] EPIC Bookstore: "Stolen Lives"
[8] Upcoming Conferences and Events
 	- Subscription Information
 	- Privacy Policy
 	- About EPIC
 	- Donate to EPIC http://www.epic.org/donate
 	- Support Privacy '08 http://www.privacy08.org

[1] Presidential Candidate Speaks at Privacy '08 Event in Washington

EPIC held a Privacy '08 event at the National Press Club on September
5, 2008. At the event, Bob Barr, the Libertarian Party candidate for
President of the United States, addressed privacy concerns facing the
American public. 

Congressman Barr spoke about laptop searches at borders, government
surveillance of U.S. citizens, immunity to telecom companies and online
data tracking. Barr further highlighted that the otherwise vigorous
Presidential debate neglected to address issues of Constitutional
rights and civil liberties. Privacy issues were not even raised.
Barr exhorted the candidates to debate on wiretapping and
surveillance and urged the public to challenge the next leader to
articulate a position on how citizens' privacy interfaces with the
government's need to promote industry and prevent crime.

The federal government has been spending an increased amount of money
on surveillance technology and programs at the expense of other
projects. However, citizens have not been fully informed of the extent
of government surveillance. Barr promised to reverse the anti-privacy
trend and favor data protection. He compared the protection of privacy
to the protection of property and stressed that both needed to be
afforded similar legal rights.

Congressman Barr further highlighted that recent suggested statutory
changes indicated the continual erosion of privacy rights. Speaking on
this issue, he cited the amendments to the Foreign Intelligence
Surveillance Act, the Patriot Act and the Real ID Act and said that
Congress had been largely responsible in perpetuating privacy
invasions. He suggested that remedial action begin with open discussion
and an acknowledgement of the concerns raised by warrantless
surveillance and data collection.

Barr stated that privacy involved a wide range of issues and any scheme
would need a multifaceted approach because not only individuals are
affected, but also trade and commerce, corporate efficiency and law
enforcement both in the United States as well as abroad. Barr supported
initiating the process by bringing great focus on privacy issues and
then encouraging discussion.

Privacy '08 is a nonpartisan effort to promote privacy discussions
during the 2008 Presidential campaign. It encourages voters to take an
active interest in privacy as an election issue. The campaign aims to
encourage discussion among the public and the candidates.

A panel of three members of the media consisting of Charlie Savage of
the New York Times, Christine Mumford of the Bureau of National Affairs
and Julian Sanchez of Ars Technica was present. The event opened with a
discussion on the concentration of power in the hands of the government
and whether this concern was being addressed in the presidential debates.

EPIC's Privacy 08 campaign page:

Privacy '08 Facebook Cause:

Support Privacy '08:

Bob Barr's Presidential campaign website:

[2] EPIC Testifies in Congress on Watchlist Errors

EPIC Associate Director Lillie Coney testified at a Congressional
hearing on "Ensuring America's Security: Cleaning Up the Nation's
Watchlists." EPIC testified that there are three primary problems with
the security watchlists. First, the databases in the system are not
subject to the full safeguards of the Privacy Act of 1974, as the
Transportation Security Administration (TSA) has sought wide-ranging
exemptions for the record system and private companies engaged by the
agency are not subject to the Privacy Act. As a result, legal
safeguards that help ensure accuracy and accountability in other
databases are absent from the watchlist system.

The second flaw of the program aggravates the issue further -- the
security watchlists on which the system is based are riddled with
inaccurate and obsolete data. Documents obtained by EPIC under the 
Freedom of Information Act in September 2005 revealed travelers'
struggles with watchlist errors. The situation has not changed
materially and recent news continues to reveal more incidents of false
positives and harrowing experiences of legitimate travelers.

Third, the existence of the Registered Traveler program may become a
textbook example of "Security Theater." Further, the approach is
triggering typical hallmarks of "mission creep" - the databases of
personal information collected by private sector companies will be used
for purposes other than originally intended - aviation security. The
TSA has outsourced the vetting of bona fide air-travelers to Verified
Identity Pass, Inc. (Verified ID), a privately held company running The
Clear Registered Traveler program (Clear).

EPIC recommended that DHS employ the expertise of a human factors
expert to revamp the TRIP query process to help limit the data
collection process to only those affected by watchlist issues; the
agency should be prohibited from exempting itself from Privacy Act
obligations; the process for citizens and non-citizens should be clear
and governed by a series of questions. The information presented
should make it clear if it is intended for a citizen or non-citizen.
The information collected should only apply to that category;
respondents should be told their rights and protections afforded to
them; over-collection of data should be prohibited; and agency
personnel, airlines, and contractors should be held accountable
by Privacy Act civil and criminal penalties or held to contractual
obligations with the equivalent effect.

EPIC has testified before Congressional committees and submitted
extensive agency comments regarding the development and use of
watchlists, the passenger redress program, and secure flight.


EPIC Privacy Act Page:

EPIC Spotlight on Surveillance: Secure Flight:

EPIC Spotlight on Surveillance: Problem Filled Traveler Redress Program:

House Committee on Homeland Security Hearing:

EPIC's Air Travel Privacy Page:

[3] Federal Appeals Court Hears Telephone Privacy Case

On September 10, 2008, a federal court in the District of Columbia
heard arguments in a challenge to telephone privacy regulations. At
issue is an April 2, 2007 Federal Communications Commission order that
protects consumers' telephone record information. The federal rule
requires telephone companies to obtain affirmative, opt-in consent from
customers before they disclose personal information to outside
corporations. The National Cable & Telecommunications Association
challenged the privacy rule, claiming that companies have a free speech
interest in disclosing their customers' personal information without
their opt-in consent. The industry group asked the court to invalidate
federal regulators' opt-in requirement, and replace it with an opt-out
regime, which provides less protection for customers' privacy.

On May 6, 2008, EPIC filed a "friend of the court" brief in the case
urging support for opt-in safeguards for telephone customers. The brief
was filed on behalf of consumer and privacy organizations, technical
experts, and legal scholars. "Consumers have a legitimate expectation
of privacy with respect to sensitive personal information such as whom
they call on a telephone," the brief said. "An opt-out policy would
provide neither adequate protection for consumer data nor sufficient
notice to consumers." The case is presently pending before the U.S.
Court of Appeals for the District of Columbia Circuit.

The FCC rule prohibits companies from sharing "customer proprietary
network information" with third parties without a consumer's opt-in
consent. Customer proprietary network information (CPNI) is the data
collected by telecommunications corporations about a consumer's
telephone calls. It includes the time, date, duration and destination
number of each call, the type of network a consumer subscribes to, and
any other information that appears on the consumer's telephone bill.
EPIC has detailed the privacy violations that have resulted from
unauthorized disclosure of CPNI. Such violations include pretexting,
stalking, and the widespread sale of individuals' phone records on the

The Telecommunications Act of 1996 required telecommunications
companies to obtain customers' approval prior to sharing their CPNI
with third parties. However, there was a difference of opinion on the
interpretation of "approval." EPIC and other privacy advocates and
consumer rights groups argued that "approval" required that a consumer
give positive, express consent to the sharing of information: that is,
to "opt-in" to the marketing scheme. Telecommunications industry
entities supported a presumption of consent -- an opt-out system. The
FCC rule clarified that the law requires "opt-in consent." The National
Cable and Telecommunications Association challenged the FCC rule,
alleging that corporations had a First Amendment right to share CPNI
with third parties for marketing purposes. 

EPIC has a long history of supporting privacy safeguards in this area.
In 2000, EPIC filed a friend of the court brief in US West v. FCC, the
first case that considered privacy safeguards for CPNI information.
More recently, in August 2005, EPIC filed a petition urging the FCC to
require security measures to protect access to CPNI from pretexters and
other unauthorized parties. In July 2007, EPIC filed detailed comments
asking the FCC to implement additional safeguards for consumer
telecommunications data. EPIC's proposals included encryption of CPNI,
the implementation of audit trails, and limitations on data retention.

EPIC's "friend of the court" brief in NCTA v. FCC:

EPIC's NCTA v. FCC Web Page:

EPIC, US West v. FCC -- The Privacy of Telephone Records

FCC Order Regarding CPNI opt-in:

EPIC's 2005 Petition to the FCC:

EPIC's July 9, 2007 Comments to the FCC:

[4] EPIC Speaks in Brussels to Bloggers, Privacy Roundup

EPIC Executive Director Marc Rotenberg spoke at the European Parliament
on September 8 at a conference for Internet bloggers on "EU Protection
of Privacy and Consumers Rights in the Age of the Internet." European
Parliament Members Stavros Lambrinidis and Mary Matsouka sponsored the
meeting. Mr. Rotenberg discussed the recent efforts of EPIC to promote
discussion about privacy in the context of the U.S. Presidential
elections through the Privacy '08 campaign.

Invited speakers included Mr. Tony Bunyan of Statewatch, Mr. Benjamin
Henrion of the Foundation for a Free Information Infrastructure, 
European Parliament Member Sophia in't Veld, Mr. Christophe Espern of
the "Squaring the Net" group, Mr. Emilio De Capitani, the Head of 
Secretariat of the Civil Liberties, Justice and Home Affairs Committee,
and Mr. Peter Hustinx, the European Data Protection Supervisor.

The European Parliament also hosted a meeting to consider proposed
amendments to the European Union Directive for Privacy in Electronic 
Communications. The 2002 Directive covers a wide range of communications
activities. Proposed amendments address such topics as the scope of
personally identifiable information, security breach notification and 
data retention.

And Google's proposal to reduce data retention to 9 months was greeted
with some skepticism when the details of the search giant's procedures
for "anonymization" were examined.

EU Directive 2002/58/EC on Data Protection and Privacy:

Google, "Another Step to Protect User Privacy":

Google Response to Article 29 Working Party, September 8, 2008:

US News & World Report,
"Google's Supposed Enhancements to Privacy are 'Totally Worthless':"

European Digital Rights Initiative:

[5] Google Browser Faces Privacy Criticisms

On September 2, 2008, Google launched a web browser, "Google Chrome."
The software permits users to display and navigate web sites, much like
Microsoft's Internet Explorer, Mozilla's Firefox, and Apple's Safari.
The release touched off a firestorm of criticism from privacy watchdogs,
with much attention focused on the browser's license agreement. The
agreement stated that Google claimed authority to reproduce and
publicly display all information submitted by users through the 
browser. "[Y]ou give Google a perpetual, irrevocable, worldwide,
royalty-free, and non-exclusive license to reproduce, adapt, modify,
translate, publish, publicly perform, publicly display and distribute
any Content which you submit, post or display," the license read. Such
information could include web searches, email messages, blog posts, or
web sites visited - virtually all of a person's online activity. 

Privacy advocates also criticized Chrome's data collection practices,
which collect detailed information about users' online behavior. By
default, the Google browser collects every keystroke entered into the
address bar. This information is transmitted to Google, and associated
with users' Internet Protocol addresses and Google account identifiers.
Google also retains a percentage of user data, which remains linked to
personal identifiers.

In response to the privacy backlash, Google altered the Chrome license
agreement and some aspects of its data retention policies. The license
agreement dropped language relating to Google's reproduction and public
display of information submitted through the browser. Google also
stated that it would take steps to alter the IP address data that it
collects, though no date was set for the change, and technical experts
have criticized the company's IP address obfuscation techniques as

This week also saw further developments regarding Google's proposed
advertising deal with Yahoo - an arrangement that has been criticized
by privacy advocates. The U.S. Justice Department has reportedly hired
Sanford Litvack, an experienced litigator, as a consultant in its
review of the deal. The federal probe focuses on Google's growing power
in advertising. Privacy experts have faulted the arrangement on similar
grounds. Combined, Google and Yahoo control more than 80% of U.S.
online-search ads.

EPIC has a long history of opposing actions that consolidate data
concerning users' online habits. On April 20, 2007, EPIC and other
privacy groups filed a complaint with the Federal Trade Commission,
requesting that federal regulators open an investigation into the
proposed Google/Doubleclick merger. EPIC identified specific privacy
threats arising from the heightened ability of the merged company to
record, analyze, track, and profile Internet users' activities. In
February 2000, EPIC filed a regulatory complaint challenging
DoubleClick's plan to personally identify internet users through data
acquired by the online advertising colossus from Abacus Direct, a
giant in offline marketing information. DoubleClick subsequently
backed off the controversial web-tracking plan.

Google Chrome License Agreement (after revision):

EPIC's Search Engine Privacy page:

EPIC's page on Privacy? Proposed Google/DoubleClick Deal:

EPIC page on DoubleClick/Abacus merger:

[6] News in Brief

Virginia Supreme Court Strikes Down Spam Law

The Virginia Supreme Court has determined that the state spam law
violates the First Amendment. The Court held that the law is overbroad
on its face, prohibiting the anonymous transmission of all unsolicited
bulk e-mails -- including those containing political, religious or other
protected speech. Referring to the pseudo-anonymous essays written by
the framers of the Constitution, Justice Agee wrote that "were the
Federalist Papers just being published today via e-mail, that
transmission by Publius would violate the statute." The Virginia law
is unusual in that it does not distinguish between commercial and
non-commercial spam. EPIC has testified in support of legislation for
unsolicited commercial email but has opposed the regulation of
political speech on the Internet.

Jaynes v. Commonwealth, Virginia Supreme Court, Sept. 12, 2008

EPIC, Spam, Unsolicited Commercial E-Mail

Public-Interest NGOs Express Concern on ACTA Draft Treaty

The United States, the European Union, Japan and Switzerland
are negotiating a new Anti-Counterfeiting Trade Agreement, 
in short ACTA. The initiative, which had been joined by Korea, Mexico, 
Morocco, New Zealand, and Singapore, strives for stronger international
copyright enforcement, which will most likely also address measures 
to curb piracy online. A diverse group of organizations are urging the
negotiators of the ACTA to publish immediately the draft text of the
agreement as well as pre-draft discussion papers before continuing
further discussions over the treaty. Based on news reports from various
business associations, civil society is concerned that the pre-draft
text may require service providers to monitor communications and
terminate internet connections of their users based on repeat
allegations of copyright infringement and disclose users' identities
without judicial process. The OECD Civil Society Seoul Paper recommends
that governments protect their citizens' privacy rights by upholding the
foundational principle that ISPs and Internet intermediaries are not
required to monitor communications on their networks under any
circumstances. Furthermore, the Paper highlights the importance of
the end-to-end principle that is central to the Internet's open
architecture and conducive to innovation.

OECD Civil Society Seoul Declaration on ACTA (open for signature):

OECD Civil Society Background Paper (Section 2.2):

Wikileaks: ACTA discussion paper:

Letter to Anti-counterfeiting Trade Agreement Negotiators:

E-Deceptive Campaign Practices a New Election Threat

EPIC's voting project is collaborating with Common Cause and the
Lawyers Committee for Civil Rights Under Law to publish a report on
Electronic Deceptive Campaign Practices and the 2008 election.

The rise of political participation is attracting the attention of
those who would use technologies in positive and negative ways.
Deception of voters can concern the reliability of voting systems, voter
registration status, polling location information, and the positions of
candidates for public office. Political fundraising efforts are also
vulnerable to pharming and phishing efforts to dupe supporters into
sending contributions to thieves.

The report will be completed by early October 2008.

EPIC's page on e-deceptive campaign practices:

EPIC Fundraiser - October 5, 2008

Legal Commentator Jeffrey Rosen will speak on "The Future of the
Supreme Court" at a fundraising event for EPIC in Washington, DC
on October 5, 2008. Mr. Rosen is Professor of Law at George 
Washington University Law School, Legal Affairs Correspondent for
the New Republic, and the author of several popular books on law.

RSVP, EPIC Fundraiser, October 5, 2008

[7] EPIC Bookstore: "Stolen Lives"

"Stolen Lives - Identity Theft Prevention Made Simple,"
by John D. Sileo

Identity Theft is the fastest growing crime in the United States. It is
also the crime that keeps on giving, because victims may have to
repeatedly work to clear themselves of fraudulent activity committed in
their name. The source of the problem is not consumers, but how credit
is granted by American businesses. Because of poor credit granting
policies a thief can get a long way with just a name and a social
security number.

The advice provided in Stolen Lives - Identity Theft Prevention Made
Simple seems to put the responsibility for protecting against this
crime on the shoulders of the victims. The author provides a list of
personal information that consumers should protect, but he does not
discern what individual pieces of information might be more valuable to
identity thieves, such as the value of a social security number, versus
an individual's height. One piece of personal information, if it's the
right piece, can be of greater value to an identity thief than several
other pieces of information such as height, weight, and ethnicity.
However, so long as credit grantors rely on personal information of
consumers as the sole means for granting credit, identity theft will
continue to thrive.

The recommendations made by the author are practical and may serve a
greater purpose by helping consumers become accustomed to challenging
commercial requests for personal information. The writer correctly
informs readers that they are not going to be able to completely
protect themselves from identity theft. It is EPIC's position that
fair information practices are the rules that support privacy
protection and that the primary reason identity theft is the fastest
growing crime in the US rests on the lack of adherence to these

The book is a short read that promotes action on the part of consumers
without explaining the root cause of identity theft, the poor business
practices of private sector data collectors. 

-Lillie Coney


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.


This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A.
Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC
2007). Price: $50.


This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 23rd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.


This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:


The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.


A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Data Retention on the Internet: Challenges for Small, Alternative and 
Citizen-based Internet Service Providers. September 19, 2008.
Organized by The Center for Media and Communication Studies (CMCS)
at Central European University (CEU) in Budapest.

Workshop on Applications of Private and Anonymous Communications.
September 22, 2008. Istanbul, Turkey. For more information:

OneWebDay - an Earth Day for the internet. September 22, 2008.
Worldwide. http://onewebday.org/

World Summit on the Knowledge Society. September 24-28, 2008,
Athens, Greece http://www.open-knowledge-society.org/summit.htm

Telecommunications Policy Roundtable. September 26-28, 2008,
George Mason University School of Law, Arlington, Virginia.

Europe-wide action day "Freedom not fear." October 11, 2008.
Multiple sites. For more information:

International Symposium on Data Protection in Social Networks.
October 13, 2008, Strasbourg. For more information:

30th International Data Protection and Privacy Conference:
Protecting Privacy in a Borderless World. October 15-17, 2008,
Strasbourg. For more information:

European Dialogue on Internet Governance (EuroDIG).  October 20-21,
2008, Strasbourg, France http://www.eurodig.org/

Privacy in Social Network Sites Conference. October 23-24, 2008.
Delft University of Technology, Faculty of TPM, The Netherlands. For
more information: http://www.ethicsandtechnology.eu

Third Internet Governance Forum. December 3-6, 2008. Hyderabad,
India. For more information: http://www.intgovforum.org

Tilting perspectives on regulating technologies, Tilburg Institute
for Law and Technology, and Society, Tilburg University.  December
10-11, Tilburg, Netherlands

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

Support Privacy '08

If you would like more information on Privacy '08, go online and search
for "Privacy 08." You'll find a Privacy08 Cause at Facebook, Privacy08
at Twitter, a Privacy08 Channel on YouTube to come soon, and much more.
You can also order caps and t-shirts at CafePress Privacy08.

Start a discussion. Hold a meeting. Be creative. Spread the word. You
can donate online at epic.org. Support the campaign.

Facebook Cause:






------------------------- END EPIC Alert 15.18 -------------------------