
                              E P I C   A l e r t
Volume 15.23                                          November 20, 2008

                                Published by the
                   Electronic Privacy Information Center (EPIC)
                                Washington, D.C.


Table of Contents
[1] Court Upholds New Hampshire Prescription Privacy Law
[2] EPIC Complaint Leads to Halt of Stalker Spyware Distribution
[3] Google Flu Trends Raises Privacy Concerns
[4] Massachusetts to Adopt Data Privacy Regulations
[5] Civil Society Participation at the OECD
[6] News in Brief
[7] EPIC Bookstore: "Protectors of Privacy"
[8] Upcoming Conferences and Events
  - Subscription Information
  - Privacy Policy
  - About EPIC
  - Donate to EPIC http://www.epic.org/donate
  - Support Privacy '08 http://www.privacy08.org
  - Job Announcement

[1] Court Upholds New Hampshire Prescription Privacy Law

On November 18, 2008, the First Circuit Court of Appeals upheld a New
Hampshire law that bans the sale of prescriber-identifiable
prescription drug data for marketing purposes. In August, EPIC and 16
experts in privacy and technology filed a "friend of the court" brief
in the case, IMS v. Ayotte. The EPIC brief urged the federal appellate
court to reverse a lower court ruling that delayed enforcement of the
New Hampshire Prescription Confidentiality Act. The experts said the
lower court should be reversed because there is a substantial privacy
interest in patient data that the lower court failed to consider. The
New Hampshire Attorney General also defended the law, calling
pharmaceutical representatives "invisible intruder[s] in the
physician's examination room." Data mining companies challenged the
law, claiming that the privacy measure violated their free speech
rights. Two of the three appellate judges concluded that the law does
not regulate speech, and the third said that although it could be
considered a regulation of speech, such regulation was justified in
this instance.

There are approximately 1.4 million health care providers in the United
States. These providers write billions of prescriptions each year for
more than 8,000 different pharmaceutical products, which are filled at
54,000 retail pharmacies throughout the country. For every prescription
they fill, the retail pharmacies acquire records, which include:
patient name; prescriber identification; drug name; dosage requirement;
quantity; and date filled. In order to comply with federal and state
privacy laws, patient-identifying information is encrypted and
de-identified, often with software installed by the data mining
companies themselves. The rest of the prescription record remains
intact. Thus, a patient's entire drug history is correlated, and each
provider can be identified along with its prescribing habits. This
practice raises privacy concerns for both patients and health care
providers, said EPIC and the 16 experts in their brief.

On June 30, 2006, the New Hampshire legislature unanimously passed the
Prescription Confidentiality Act, which prohibits prescription
information records that contain patient- or prescriber-identifiable
data from being transferred, licensed, sold, or used for most
commercial purposes. This includes marketing, advertising, and other
forms of promotion. The Act specifically bars the use of prescriber-
identifiable data for "physician detailing," which involves the sale of
patient prescription records to data mining firms that generate sales
leads for pharmaceutical companies. The Act explicitly permits the use
of this data for such non-commercial purposes as research and

New Hampshire is one of several states that sought to regulate the
practice of "detailing."  The New Hampshire law said that "records
relative to prescription information containing patient-identifiable
and prescriber-identifiable data shall not be licensed, transferred,
used or sold by any pharmacy benefits manager, insurance company,
electronic-transmission intermediary, retail, mail order or Internet
pharmacy or other similar entity, for any commercial purpose, except
for the limited purposes of pharmacy reimbursement; formulary
compliance; care management; utilization review by a healthcare
provider, the patient's insurance provider or the agent of either;
healthcare research; or as otherwise provided by law." Vermont and
Maine are presently defending First Amendment lawsuits challenging
similar prescription privacy laws. Maine is within the First Circuit
and stands to be directly affected by the appellate court's resolution
of IMS v. Ayotte.

The Plaintiffs-Appellees, IMS Health and Verispan, are both data mining
companies that purchase and compile prescription information in order
to sell the data. IMS Health and Verispan alleged that the New
Hampshire law violated their First Amendment right to free speech,
claiming that: 1) the law was subject to strict scrutiny because it
provided a content-based restriction on non-commercial free speech;
2) the law violated the First Amendment because it was not narrowly
tailored to serve compelling state interests; and 3) if the judge
determined that the law was subject to intermediate scrutiny because it
only restricted commercial speech, it still did not advance a
substantial government interest in a narrowly tailored way.

In the State's defense, the Attorney General argued: 1) that the law
did not implicate the First Amendment because it did not regulate
speech; and 2) even if the Act did implicate speech, that the law
should survive intermediate scrutiny because it advanced the State's
substantial interests in promoting public health, controlling health
care costs and protecting the privacy of patients and doctors, while
still allowing the data to be used for non-commercial purposes. A 
federal trial court rejected all of the Attorney General's arguments,
finding that the government did not have an interest in "preventing the
dissemination of truthful commercial information" and that the law was
more expansive than necessary to promote the State's interests. The
trial court held that the Act did not advance a substantial interest
in protecting the privacy of patients and health care providers. The
November 18, 2008 ruling overturns the trial court's decision.

In their brief, EPIC and the experts said the lower court should be
reversed, because it failed to consider the substantial privacy
interest in de-identified patient data. Although de-identification
measures are increasingly innovative and computationally complex,
patient data is still vulnerable to attacks because sophisticated
re-identification programs are also being developed, the experts
said. Individuals can be re-identified using information such as zip
code, date of birth, and gender and then comparing that data to
publicly available information. Such information is easily accessible
through birth and death records, incarceration reports, voter
registration files, and driver's license information.

EPIC wrote in the brief, "Simply stated, amicus believes that the
privacy interest that undergirds the state's interest in this statute
is even greater than what the legislature recognized, and that the
Court should give even greater weight to the Central Hudson... analysis
if it concludes that the statute implicates speech interests."

EPIC has argued in federal court for a decade that properly crafted
privacy laws should survive First Amendment challenges. EPIC's
original amicus effort on this issue was in US West v. FCC, 182 F.3d
1224 (10th Cir. 1999), litigation concerning telephone record privacy.
EPIC recently supported this proposition in NCTA v. FCC, No. 07-1312
(D.D.C. filed Aug. 7, 2007), a case involving a First Amendment
challenge to telephone privacy regulations.

[2] EPIC Complaint Leads to Halt of Stalker Spyware Distribution

Pursuant to a complaint by EPIC to the Federal Trade Commission (FTC)
earlier this year, a federal court ordered CyberSpy Software to stop
selling malicious computer software. The EPIC complaint, filed in
March, stated that the spyware company engages in unfair and deceptive
practices by (1) promoting illegal surveillance; (2) encouraging
"Trojan Horse" email attacks; and (3) failing to warn customers of the
legal dangers arising from misuse of the software. The FTC agreed and
moved the court for a permanent injunction barring the sales of the
spyware program. The court issued a temporary restraining order on
November 6, 2008 pending further litigation.

Surveillance software is available for purchase all over the Internet.
These technologies can be used for illegitimate purposes, which usually
include the interception of email, audio, video, instant messaging,
text messaging, and computer passwords. Such surveillance can take the
form of keyloggers, screenshot capture, spyware, trojans or sniffers.
These programs collect vast amounts of personal information, which aids
in identity theft, stalking and intimidation. Individual uses of these
technologies are harder to detect because the programs render
themselves invisible to the computer user.

Federal statutes prohibit the interception of wire, oral and electronic
communications as well as the accessing of communications that have
been stored electronically. Federal statutes also forbid the intentional,
unauthorized access to a computer and obtaining any information from
such accessed computer. Thus, in essence, the use of the surveillance
technology software automatically results in the violation of federal
statutes. The EPIC complaint highlighted the fact that the purchasers
of the software are exposed to criminal and civil liability. The
victims face privacy violations; are exposed to identity theft; are
placed in physical danger; may not find help from law enforcement
authorities; and may not find adequate compensation via the civil
legal system. In light of the harm caused by these programs, EPIC
asked the FTC to investigate the companies selling such software,
determine the extent of the threat they pose to consumer privacy and
safety, and seek appropriate injunctive and compensatory relief.

In June 2008, EPIC testified before the Senate Commerce Committee
warning of the privacy risks of spyware including the theft of private
information, monitoring of communications and the tracking of an
individual's online activity. EPIC supported the ability of the FTC to
seek treble fines and penalize pattern or practice violations as
authorized under a newly-enacted statute, the Counter-Spy Act, while
not pre-empting state laws.

[3] Google Flu Trends Raises Privacy Concerns

In the online world, search engines are the primary method by which a
person accesses information on any given topic. In July 2008, 11.8
billion online searches were conducted in the US with Google holding
the lion's share at 61.9 percent. However, when search data is
collected, stored and analyzed, it raises serious privacy concerns.
Google Flu Trends is a classic example of a service causing such unease.

Google Flu Trends is a Google utility for locating geographic areas
where people are searching for the word "flu" and related terms.
Google believes such searches correlate with outbreaks of influenza,
and can potentially aid in influenza prevention. It is an extension of
Google Trends, a technology that analyzes search queries submitted by
Google users. User search data is stored on Google's servers, and
retained by the search engine giant. This information includes the
Internet Protocol (IP) address, the date and time of the query as well
as a unique cookie ID assigned to the browser.

Because Google believes that the statistical analyses computed by Flu
Trends were almost two weeks faster than traditional flu analysis by
agencies such as the Centers for Disease Control and Prevention (CDC),
it is sharing Flu Trends data with the CDC, part of the US Department
of Health and Human Services. Plainly, information about users' searches
for medical information is now being handed over to the government.

Google has stated that it will anonymize search data after a period of
nine months, but technical experts have questioned the efficacy of the
"anonymization" technique. Google obfuscates the fourth octet but
retains the rest of the IP address. At most, the user behind a redacted
IP address is hidden among 254 other users. Moreover, the unique cookie
assigned by Google to the browser remains unchanged over time and can
easily be used by Google (or any entity with powers to subpoena Google)
to trace a search query back to a specific user. This linking can tie
search terms that Google had previously "de-identified" back to an
individual.
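
An added illustration of the weakness described above (not code from EPIC or Google): a constructed search log is "anonymized" by zeroing the fourth octet, and an audit function lists the old records that a retained cookie ID still ties to a full address, with the cookie-dropping variant beside it. The log entries, cookie IDs, cutoff date and function names are assumptions made for this example.

```python
import ipaddress

# Constructed sample log: documentation-range IPs, made-up cookie IDs and queries.
# Fields: (ip, date, cookie_id, query)
LOG = [
    ("203.0.113.57",  "2008-01-10", "c-7f3a", "flu symptoms"),
    ("203.0.113.57",  "2008-01-11", "c-7f3a", "fever remedies"),
    ("203.0.113.200", "2008-01-11", "c-91bd", "flu shot locations"),
    ("198.51.100.14", "2008-01-12", "c-02ee", "flu symptoms"),
    ("203.0.113.57",  "2008-11-01", "c-7f3a", "pharmacy near me"),  # newer than cutoff
]

# Assumed cutoff: records older than this date have passed the nine-month mark.
CUTOFF = "2008-02-12"


def mask_last_octet(ip):
    """Zero the fourth octet, keeping the first three (the /24 prefix)."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return str(net.network_address)


def candidate_hosts(masked_ip):
    """Usable host addresses that share the masked prefix (network and broadcast excluded)."""
    return ipaddress.ip_network(f"{masked_ip}/24").num_addresses - 2


def anonymize(log, cutoff, drop_cookie=False):
    """Mask the IP of every record older than cutoff; optionally drop its cookie ID too."""
    stored = []
    for ip, date, cookie, query in log:
        if date < cutoff:
            ip = mask_last_octet(ip)
            if drop_cookie:
                cookie = None
        stored.append((ip, date, cookie, query))
    return stored


def linkable_records(stored, cutoff):
    """Audit: old (masked) records that a retained cookie ties to a full IP.

    A newer, not-yet-masked record with the same cookie supplies the full
    address; if it falls inside the masked /24, the hidden octet is recovered.
    """
    full_ip_by_cookie = {}
    for ip, date, cookie, _query in stored:
        if date >= cutoff and cookie is not None:
            full_ip_by_cookie[cookie] = ip

    linked = []
    for ip, date, cookie, query in stored:
        if date < cutoff and cookie in full_ip_by_cookie:
            full_ip = full_ip_by_cookie[cookie]
            if mask_last_octet(full_ip) == ip:
                linked.append((full_ip, date, query))
    return linked


if __name__ == "__main__":
    weak = anonymize(LOG, CUTOFF)
    hardened = anonymize(LOG, CUTOFF, drop_cookie=True)
    print("hosts sharing a masked prefix:", candidate_hosts("203.0.113.0"))
    print("linkable with cookie kept:   ", linkable_records(weak, CUTOFF))
    print("linkable with cookie dropped:", linkable_records(hardened, CUTOFF))
```
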

On November 12, 2008, EPIC wrote a letter to Google warning of the
dangers of linking searches to individuals and asked Google to publish
the technique used to maintain privacy of search queries for Google Flu
Trends while ensuring re-identification is not possible. EPIC noted that
"Census data, the quintessential form of aggregate data, was used during
the Second World War to identify and then displace Japanese Americans.
The Department of Homeland Security sought information from the US
Census about Muslim Americans in the United States after 9-11."

[4] Massachusetts to Adopt Data Privacy Regulations

The Commonwealth of Massachusetts has become the first state in the
United States to enact data privacy and security standards and
regulations. The Massachusetts Office of Consumer Affairs and Business
Regulation decided to adopt comprehensive methods to ensure that
businesses are taking steps to safeguard personal information about
Massachusetts residents. The new regulation prescribes the minimum
standards that are to be implemented. Although it was initially
announced that the rules would come into effect on January 1, 2009, the
date was subsequently postponed to May 1, 2009, consistent with the Red
Flag rules of the federal regulators. The Red Flag rules require
financial institutions and creditors to develop and create ID theft
prevention programs.

The purpose of the new regulation is to protect against unauthorized
access or use in a way that creates a risk of identity theft or fraud.
This can be achieved by ensuring minimum standards in safeguarding
personal information consistent with industry standards which will
protect against anticipated threats or hazards to the security and
integrity of the information. Identity theft has been identified as the
number one crime committed in the United States. Identity theft is
committed for a number of reasons, including deriving or obtaining
financial benefits and impersonating another person or entity.

The new law, dubbed the "Standards for The Protection of Personal
Information of Residents of the Commonwealth," requires every person
owning, licensing, storing or maintaining personal information about
a Massachusetts resident to develop, implement and monitor a
comprehensive, written information security program for any record
containing personal information. The new law imposes a wide spectrum
of duties on the record holder, such as risk identification,
developing security policies, imposition of disciplinary measures and
preventing access by personnel unless specifically authorized. Minimum
data collection, annual audits and security breach documentation also
feature in the new rules. The new law will result in companies
installing firewalls to protect personal data and encrypting it
whenever it is transmitted or saved on a portable device such as a
laptop or flash drive. Also, as some companies may prefer a single
approach to ensuring data privacy and security, they may choose to
implement nationwide policies.

A violation of the law may also lead to a jury trial in addition to
the imposition of penalties. Additionally, the Massachusetts law may
serve as a model state privacy law. Although many entities have been
clamoring for a single federal privacy law, such a federal law may
end up pre-empting better and more robust state privacy laws, unless it
explicitly states that it establishes a minimum national baseline and
leaves the states to provide better or higher standards in data privacy
or security.

EPIC has long warned against business practices that expose customer
information to potential pilferage and has advocated the imposition of
civil penalties so as to provide greater incentives towards better
guarding against data breaches. Recently, a mortgage company settled
with the federal regulators after a hacker obtained credit reports due
to its lax security.

[5] Civil Society Participation at the OECD

At the OECD Ministerial Conference on the Future of the Internet
Economy, the OECD Secretary General expressed support for an effort to
formalize the participation of civil society in the work of the OECD
concerning the future of the Internet. This recommendation follows
almost two decades of civil society participation at the OECD, and
comes after the specific proposals that civil society contributed to
the 1998 OECD Ministerial Conference as well as the Civil Society
Declaration at the 2008 Ministerial Conference.

The OECD Ministerial Meeting on the Future of the Internet Economy was
held in Seoul, Korea, on 17-18 June 2008. Participants agreed on the
need for governments to work closely with business, civil society and
technical experts on policies that promote competition, empower and
protect consumers, and expand Internet access and use worldwide.

In his "Remarks on Future Work by the OECD in the Closing Session", the
Secretary-General of the OECD stated, "We appreciate the participation
of the stakeholders in this Ministerial meeting. I recommend that we
begin the process of formalizing the participation of civil society and
the technical community in the work of the OECD on the Internet

Ministers and representatives of the OECD member countries, as well as
non-member nations attending the Ministerial Meeting, issued the Seoul
Declaration for the Future of the Internet Economy. The Declaration
stated, "We invite the OECD to further the objectives set out in this
Declaration, through multi-stakeholder co-operation, by...reinforcing
co-operative relationships and mutually beneficial collaboration with
... civil society...."

Civil society participants of the Public Voice Coalition engaged
actively in the OECD Ministerial Meeting on the Future of the Internet
Economy. In connection with the Ministerial Meeting, civil society, in
cooperation with the Trade Union Advisory Committee, worked together
effectively and successfully for many months to formulate the Forum
program, engage participants, develop recommendations, prepare the
Declaration, draft the Background Paper, and arrange the participation
of civil society participants from OECD member and non-member countries.

The OECD was established in 1961. Very early in the existence of the
OECD, the OECD member countries recognized the desirability of liaison
and consultation with international non-governmental organizations
interested in its activities. In recognition of this goal, the Council
of the OECD adopted the Decision of the Council on Relations With
International Non-governmental Organizations on March 13, 1962.
Pursuant to the Council's Decision, the Business and Industry Advisory
Committee (BIAC) and Trade Union Advisory Committee (TUAC) to the
OECD began to participate in the work of the OECD.

Although it has not had formal status, civil society participants have
engaged and been welcomed in the work of the ICCP Committee for
eighteen years. Civil society participation has expanded over time
and has played an increasingly important role. For example, in
1998, civil society participants of the Public Voice Coalition
organized a successful symposium for the OECD Ministerial in Ottawa,
similar to its recent Forum in Seoul, which helped shape OECD policy in
key areas in the early days of electronic commerce.

Now, after several months of drafting and deliberation, the civil
society participants of The Public Voice Coalition have submitted a
consensus proposal to the ICCP OECD Committee for the establishment of
the Civil Society Information Society Advisory Council (CSISAC) for
its approval at its meeting on December 11-12, 2008.

Under the Charter, the CSISAC will:

- Engage in constructive input and dialogue with the ICCP Committee
  about policy issues of interest to civil society;
- Pursue the agenda set out in the Civil Society Seoul Declaration of
- Report to civil society organizations about the OECD publications,
  events, and policy recommendations of interest to civil society;
- Identify and publicize opportunities for participation by civil
  society organizations in the work of the OECD;
- Maintain appropriate communications tools (e.g. content management
  system, mailing list, social network platform) that highlight key
  OECD-ICCP developments of interest to civil society and facilitate
  broader civil society participation; and
- Report on an annual basis the accomplishments of the past year and
  the goals for the next year.

The CSISAC governing structure includes the CSISAC Membership, the
CSISAC Steering Committee, and the CSISAC Liaison. The structure seeks
to facilitate the participation of interested parties in the work of
the OECD and to promote effective communications between stakeholders
and the OECD. The Public Voice project will serve as the CSISAC
interim liaison for the first two years of the CSISAC.

[6] News in Brief

India Hosts the Third Internet Governance Forum

The Internet Governance Forum (IGF) was formed to support the United
Nations Secretary-General in carrying out the mandate from the World
Summit on the Information Society with regard to convening a new multi-
stakeholder policy dialogue forum to discuss issues related to key
elements of Internet governance.

The third annual meeting of the IGF will take place in Hyderabad,
India, on December 3-6, 2008.  It is expected that approximately 2,000
government, private, academic and civil society participants will
join in the forum. The proposed agenda for the Third Meeting includes
"Reaching the next billion"; "Promoting cyber-security and trust";
"Managing critical Internet resources"; "Taking stock and the way
forward"; and "Emerging issues - the Internet of tomorrow". The overall
theme of the meeting will be 'internet for all'. Five main sessions and
more than eighty self-organized panel discussions built around the IGF
agenda will be held. The event will also include the IGF dynamic
coalitions' meetings, best practices and open forums. Documents and
webcasts of the main sessions for the IGF in Hyderabad will be posted
after the meeting in December. A remote participation project is being
prepared by a group of volunteers. The remote participation project is
based on the use of regional hubs from where participants will be able
to interact with the IGF main sessions of the Hyderabad meeting. The
next IGF meeting will be held in Egypt in 2009.

Presidential Transition Job Application a Privacy Concern

As the Presidential transition team moves ahead towards nominating
individuals with great vigor, applicants for high-ranking positions
must disclose vast amounts of information to enable the vetting.
Historically, each successive incoming administration has vetted
applicants more tightly than the last. The Obama-Biden transition team
is no exception, having prepared a 63-item, highly detailed
questionnaire designed to ferret out professional achievements as well
as personal and potentially embarrassing details. However, as the
information submitted to the transition team is not a part of any
government record, it is not subject to Privacy Act safeguards, which
would provide privacy protections and transparency.

Alternative Consultation on EU Justice & Home Affairs Policy

The European Commission has launched a public consultation on the
future priorities in the field of Justice and Home Affairs policy. The
European Union has been building measures concerning police
cooperation, counter-terrorism, immigration, asylum and border
controls and claims that it has upheld civil liberties as well as
people's privacy with its policies. As part of the 'exchange of ideas'
that will lead to the definition of priorities for the next five years,
the European Commission has initiated 'wide-ranging public
consultation'. However, the consultation fails to evoke meaningful
exchange on the substance and content of those policies. As a result,
the European Civil Liberties Network designed an alternative
questionnaire that poses different questions about the development and
implementation of EU policies and their effect on civil liberties and
human rights.

Subscribers Sue ISP Over NebuAd Deep Packet Inspection

A group of fifteen consumers sued 6 Internet Service Providers (ISPs)
over disclosing personally identifying information by spying on
websites they visited and Internet searches they conducted. The
complaint, alleging violation of federal and state laws, stated that no
adequate, informed notice was provided and "opting out of the pilot
program only applied to ads customers were shown." The NebuAd
technology uses a method called Deep Packet Inspection (DPI) that
reviews transmitted content across a network. Recent technological
advances have made it possible for ISPs and service providers to
implement DPI on a large scale and use this information for
targeted advertising. EPIC has brought to light the perils of using
Deep Packet Inspection including behavioral targeting and traffic
throttling. DPI has also been criticized by network neutrality

NIST Issues Guidelines on Cell Phone Security

The march of technology has seen personal communication devices
evolving into smartphones and becoming mini-computers. As the volume
of data on these devices continues to grow, the risk of data theft and
security breaches assumes paramount importance. The National Institute
of Standards and Technology (NIST) has released guidelines (Special
Publication 800-124) for mitigating these risks. NIST recommended
that organizations should initiate security policies for mobile devices
after conducting a risk assessment and training workers. The guidelines
included disabling unnecessary applications, using authentication to
restrict access, restricting the use of cameras, microphones and
removable media, the use of encryption technology and installation of
firewalls, antivirus and anti-malware programs.

EPIC has warned about the threats of data breaches, identity theft and
personal surveillance. EPIC maintains a Tools Page for ensuring privacy
on computers, and the methods for ensuring privacy on personal
communication devices are similar to those for computers.

[7] EPIC Bookstore: "Protectors of Privacy"

Protectors of Privacy, Regulating Personal Data in the Global Economy
By Abraham L. Newman


Numerous data security debates have highlighted the differences between
the United States' self-regulatory approach to privacy protections and
the European Union's comprehensive privacy safeguards. From airline
passenger data sharing, to Internet Protocol (IP) Address privacy, to
commercial data retention, the U.S. and European frameworks exemplify
strikingly different regulatory regimes. The U.S. favors self-
regulation to establish consumer privacy protections, and lacks a
regulatory body that focuses on privacy protection. In contrast, the
E.U. maintains a strong, independent regulatory regime to ensure
consumer privacy safeguards. In "Protectors of Privacy," Abraham L.
Newman argues that the European design has been widely replicated,
while the American system remains largely confined to the United States
and its territories. "Protectors of Privacy" details the U.S.
regulatory scheme, much of which was established during the Clinton and
Bush administrations. The 2008 elections present an opportunity for the
government to disavow the failed self-regulatory policies of the Bush
administration by adopting comprehensive consumer privacy safeguards.
Newman's book demonstrates that the differences between U.S. and E.U.
privacy laws are entrenched. It would require sustained effort to
harmonize the regimes. But "Protectors of Privacy" also describes
circumstances that demonstrate the substantial transaction costs
resulting from the lack of harmony.

"Protectors of Privacy" describes two types of regulatory regimes.
"Limited regimes" regulate personal data held by the government, but
do not impose these regulations on all private sector companies. In
contrast, "comprehensive regimes" hold the public and private sector
accountable to the same privacy standards. Newman characterizes the
U.S. as a limited regime, and the European Union as a comprehensive
regime. The United States and Europe began to establish these systems
in the 1970s. But meaningful privacy regulation was largely ignored
in many parts of the world until the 1990s. Newman asserts that,
"beginning in the 1990s, the comprehensive system spread globally,
coming to dominate international data privacy efforts." Newman largely
ascribes the adoption of the comprehensive system to European data
privacy authorities, which took advantage of "domestically delegated
authority, expertise, and diverse network ties" to establish
independent regulatory authority for privacy. The regulators argued
that failure to provide strong privacy protections endangers
fundamental political objectives, including civil rights, as well as
basic economic objectives, such as consumer confidence, fairness, and

Comprehensive privacy regimes vary in their specific terms and
implementation. However, the limited American privacy regime stands
in stark contrast to the comprehensive privacy protections afforded
to E.U. consumers. The European Commission has an independent European
Data Protection Supervisor, whose office is devoted to protecting
personal data and privacy. The Article 29 Working Party, an independent
body that seeks to harmonize the application of data protection rules
throughout the European Union, also supports privacy protections. E.U.
countries also have domestic, independent privacy commissioners. In
contrast, the U.S. lacks a Privacy Commissioner, and has not
established any federal agencies analogous to the European Data
Protection Supervisor or Article 29 Working Party. The Federal Trade
Commission, the U.S. agency charged with protecting consumer privacy,
has broad jurisdiction over a host of consumer protection issues,
including antitrust, merger review, and deceptive trade practices.
Privacy is only part of the Commission's portfolio, and it has stated
that it lacks authority to protect privacy in several key areas,
including merger review. 

These structural differences mirror substantive policy distinctions
between the regimes. For example, in Europe, Internet Protocol
Addresses (the "Internet phone number" assigned to a computer) are
protected as personal information. The U.S. does not require private
companies to treat Internet Protocol Addresses as personal data. In
addition, European regulators regularly consider consumer privacy
impacts in merger reviews. U.S. regulators failed to impose privacy
protections as conditions of the 2007 Google-DoubleClick merger
review despite ample evidence that the deal threatened consumer
privacy. The disparity between the E.U. and U.S. systems imposes
substantial transaction costs on cross-border business deals and
government agreements. For example, extensive negotiations were
required between 2001 and 2003 in response to a U.S. demand that
European airlines transfer international passengers' personal
information to the United States. "Protectors of Privacy" describes
European authorities' dismay at the lack of privacy safeguards for the
data once it reached the U.S. Complex negotiations were undertaken to
reach a compromise that would comport with E.U. privacy law.

"Protectors of Privacy" sets forth an insightful and compelling
explanation for the widespread adoption of comprehensive privacy
regimes. It also provides examples of how the differences between
comprehensive privacy regimes and the United States' limited regime can
require complicated negotiations and compromises between regulators on
cross-border privacy issues. These examples demonstrate that the U.S.
approach imposes costs, despite its self-regulatory nature.
Corporations and government officials often disdain the alleged costs
of comprehensive consumer privacy protections, and tout the savings
provided by the self-regulatory system. However, we increasingly live
in a world of comprehensive privacy protections. Cross-border business
deals and government agreements require entities to expend considerable
time and resources harmonizing the limited U.S. privacy regime with
international comprehensive requirements. These costs promise to increase
in the future, unless the U.S. adopts comprehensive privacy protections
that provide meaningful, clear safeguards for consumers. 

-- John Verdi

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008", edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid
(EPIC 2008). Price: $60.

Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
laws. This updated version includes new material regarding the
substantial FOIA amendments enacted on December 31, 2007. Many of the
recent amendments are effective as of December 31, 2008. The standard
reference work includes in-depth analysis of litigation under the Freedom
of Information Act, Privacy Act, Federal Advisory Committee Act, and
Government in the Sunshine Act. The fully updated 2008 volume is the
24th edition of the manual that lawyers, journalists and researchers
have relied on for more than 25 years. 


"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.


This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.


This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:


The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.


A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Privacy and Identity Theft Conference. November 24-25, 2008.
Fairmont Hotel, Vancouver, Canada. For more information:

Third Internet Governance Forum. December 3-6, 2008. Hyderabad,
India. For more information: http://www.intgovforum.org

International Human Rights Day, December 10, 2008. For more
information: http://www.un.org/events/humanrights/2008/

Tilting perspectives on regulating technologies, Tilburg Institute
for Law, Technology, and Society, Tilburg University. December
10-11, Tilburg, Netherlands.

The American Conference Institute is hosting the 8th National Symposium
on Privacy and Security of Consumer and Employee Information at the
Four Points by Sheraton, Washington, DC. January 27-28, 2009.
http://www.americanconference.com/Privacy.htm

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

Support Privacy '08

If you would like more information on Privacy '08, go online and search
for "Privacy 08." You'll find a Privacy08 Cause at Facebook, Privacy08
at Twitter, a Privacy08 Channel on YouTube to come soon, and much more.
You can also order caps and t-shirts at CafePress Privacy08.

Start a discussion. Hold a meeting. Be creative. Spread the word. You
can donate online at epic.org. Support the campaign.

Facebook Cause:



                          E P I C   Job Announcement

        EPIC is seeking a smart, energetic, creative individual
                     for the position of Staff Counsel

                         Deadline: Jan. 1, 2009


------------------------- END EPIC Alert 15.23 ------------------------