=======================================================================
E P I C   A l e r t
=======================================================================
Volume 15.25                                          December 23, 2008
-----------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_15.25.html

"Defend Privacy. Support EPIC."
http://epic.org/donate

=======================================================================
Table of Contents
=======================================================================
[1] Privacy Coalition Members Write to President-elect Obama
[2] India Hosts Third Internet Governance Forum
[3] Government Issues Final Rules in Education Records Privacy
[4] Privacy, Security and Openness at the Internet Governance Forum
[5] DHS Releases Fusion Center Privacy Impact Assessment
[6] News in Brief
[7] EPIC Bookstore: "The Privacy Advocates"
[8] Upcoming Conferences and Events
 - Subscription Information
 - Privacy Policy
 - About EPIC
 - Donate to EPIC http://www.epic.org/donate
 - Support Privacy '08 http://www.privacy08.org
 - Job Announcement

=======================================================================
[1] Privacy Coalition Members Write to President-elect Obama
=======================================================================

Thirty members of the Privacy Coalition sent a letter to President-elect Barack Obama on the importance of protecting privacy in the next administration. The Privacy Coalition is a nonpartisan coalition of consumer, civil liberties, educational, family, library, labor, and technology organizations that have agreed to the Privacy Pledge. The coalition provides an opportunity for advocacy organizations to share resources and collaborate on issues of mutual interest.
The organizations joining the letter included the Electronic Privacy Information Center, American Association of Law Libraries, American-Arab Anti-Discrimination Committee, American Policy Center, Bill of Rights Defense Committee, Center for American Progress Action Fund, Consumer Federation of America, Consumers Union, Electronic Frontier Foundation, Government Accountability Project, Liberty Coalition, Privacy Rights Clearinghouse, and US Bill of Rights Foundation.

The letter called for: protection of sensitive information; the privacy of personal information obtained by the government, health information, and consumer privacy; strengthening of the Federal Trade Commission; limiting the use of Homeland Security Databases; and allowing states to continue to innovate to create legislative solutions.

The organizations outlined their support for the incoming president's expressed positions on privacy, consumer rights, and civil liberties. President-elect Obama stated support for strengthening privacy protections by harnessing the power of technology to hold government and businesses accountable for violations of personal privacy. The coalition said that "[t]here is a clear need to address the spiraling problems of identity theft, security breaches, and the commercialization of personal information."

The President-elect's transition process has named the heads of each of the major Federal government agencies. Barack Obama will be sworn in as the 44th President of the United States on January 20, 2009.

Letter from Privacy Coalition to the President-elect:
http://www.privacycoalition.org/obama-ftc-ltr.pdf

Privacy Coalition:
http://privacycoalition.org

Barack Obama "Change That We Can Believe In: Technology:"
http://epic.org/redirect/122208_Obama_TechStatement_0222.html

Privacy Coalition Members:
http://privacycoalition.org/about.php

Privacy Coalition Pledge:
http://privacycoalition.org/pledge.php

=======================================================================
[2] India Hosts Third Internet Governance Forum
=======================================================================

With the slogan "Internet for all," the third annual meeting of the Internet Governance Forum took place in Hyderabad, India on December 3-6, 2008. The IGF is a multi-stakeholder forum for policy dialogue on issues of Internet governance. The United Nations Secretary General established the IGF in July 2006 and since then three annual forums have been organized.

The third IGF, which was held in the aftermath of terrorist attacks in Mumbai, brought together governments, the private sector, civil society, and the academic and technical communities to debate Internet governance and related public policy issues, exchange information, and to share good practices. In all, close to 1,300 participants from 94 countries attended the meeting, which was webcast with video and audio streaming. The proceedings of the main sessions were transcribed and displayed in the main session hall in real time and streamed to the Web.

Remote hubs held parallel meetings in Argentina, Brazil, India, Pakistan, Colombia, Serbia and Spain. Ms.
Marilia Maciel, Remote Participation Working Group coordinator stated: "These hubs are local meetings which exhibit the Webcast of the IGF and also interact with people in the event, sending text as well as video questions....Participants of the Remote hub used it as a starting point to create a local committee to discuss [Information and Communication Technology] related issues." The international meeting focused on 5 main sessions which were organized in 3 thematic days under the headings: "Reaching the Next Billion;" "Promoting Cyber-Security and Trust;" and "Managing Critical Internet Resources." The last day covered "Emerging Issues - the Internet of Tomorrow" and "Taking Stock and the Way Forward." Parallel to the main sessions, 87 self-organized workshops were held, including meetings of the IGF dynamic coalitions, best practices and open forums. The Government of India hosted the meeting, which was chaired by Mr. Thiru Andimuthu Raja, India's Union Cabinet Minister for Communications and Information Technology. Opening addresses were made by Mr. Jomo Kwame Sundaram on behalf of the Secretary General of the United Nations, Mr. Nitin Desai, special advisor to the Secretary General for Internet Governance and chairman of the multistakeholder Advisory Group, Mr. Damodar Reddy, Minister for Information Technology, Government of Andhra Pradesh, and Minister Andimuthu Raja. UN representative Mr. Sundaram stated during the Opening Session: "The IGF is not a new organization or agency, and rather than being a decision-making body, the IGF is a space, a platform, for frank and enlightened debate. The forum provides a unique opportunity for all stakeholders to foster innovative dialogue under the auspices of the United Nations. The forum shapes and informs the decision-making processes of other institutions and governments and prepares the ground for negotiations that will take place in intergovernmental as well as other forums." Mr. 
Sundaram further emphasized: "The forum is a place to launch ideas, trial balloons, perhaps that can serve as the basis of broader agreement on concrete ways and means to shape and govern the Internet." In the summary of the conference, Chairman Andimuthu Raja noted: "The role of the IGF in building an Internet society was inclusive, human centered and geared to development." Mr. Raja also indicated that "[a]ccess to information by the people helped democracy by having transparency in the functioning of the government and enhanced the participation of the people in the governing process. Without appropriate information, people could not adequately exercise their rights as citizens." The summary of the conference also highlighted: "Speakers noted that the IGF provided the opportunity for a dialogue between all stakeholders and a mutual exchange of ideas. It fostered the building of partnerships and relationships that otherwise might not occur. The IGF was appreciated for its open multi-stakeholder model, with examples of new national and regional IGF initiatives illustrating the spread of the multi-stakeholder ideal and its value in policy discussion." In 2010, the United Nations General Assembly will decide if it should extend the IGF's initial five-year mandate, based on a review of its work as well as its achievements. The next IGF meetings will be held in Cairo, Egypt, on November 15-18, 2009 and in Vilnius, Lithuania in 2010. 

Internet Governance Forum:
http://www.intgovforum.org/

IGF Chairman's Summary (pdf):
http://epic.org/redirect/122208_IGF_Chairman.html

The Public Voice:
http://www.thepublicvoice.org

Remote Participation:
http://www.intgovforum.org/cms/index.php/remoteparticipation

=======================================================================
[3] Government Issues Final Rules in Education Records Privacy
=======================================================================

The Department of Education issued its Final Rules under a federal statute that protects the privacy of student education records. The law applies to all schools that receive federal funds. The new rules, which come into effect on January 8, 2009, have been formulated because educational agencies and institutions face considerable challenges, especially with regard to maintaining safe campuses, protecting personally identifiable information in students' education records and responding to requests for data on student progress.

The new rules under the Family Educational Rights and Privacy Act include amendments needed to implement provisions of other federal laws, as well as two Supreme Court decisions. The new rules are consistent with the USA Patriot Act, which added new exceptions permitting the disclosure of personally identifiable information from education records without consent. The changes: 1) clarify permissible disclosures to parents of eligible students; 2) clarify conditions that apply to disclosures in health and safety emergencies; 3) clarify permissible disclosures of student identifiers as directory information; and 4) allow disclosures to contractors and other outside parties in connection with the outsourcing of institutional functions and services.

The amendments also revise certain key definitions of terms. The rule modifies "attendance" to include "other electronic information and telecommunications technologies" that do not require classroom presence.
The rules also note that there is no statutory authority under the federal law to prohibit an educational institution from using a student's social security number as a student ID number. The definition of "disclosure" now excludes the return of a document to its source and clarifies that information maintained in a consolidated student records system may be provided back to the original institution without consent. The new rules clarify that "education records" does not include information created or received on a former student as long as it is not directly related to a student's attendance. Noting that removal of the name and SSN (or other ID number) does not necessarily prevent the release of personally identifiable information, the amendments also delete the "easily traceable" standard as it lacked "specificity and clarity." Additionally, biometric records have also been included within the definition of "personally identifiable information."

The final report of the Review Panel of the mass shootings at Virginia Tech cited misinterpretations of information privacy laws as the reason why action was not taken regarding the shooter's mental health history. The amendments clarified that institutions are permitted to disclose personally identifiable information from students' education records, without consent, "to appropriate parties in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals."

The amendments implement a provision of the USA Patriot Act allowing the Attorney General to apply for a court order to collect, retain, disseminate, and use certain education records in the possession of an educational agency or institution without regard to any other statutory requirement.
The rules widen the meaning of "education record" to include even records with all names and Social Security Numbers redacted if the institutions believe that the records could be used to identify a student. The Department of Education stated it would not recognize an exception to confidentiality even if the person to whom the document related has voluntarily revealed her own identity to the media, because the "general public interest does not give an educational agency or institution permission to release the same or related information from education records without consent."

Education Records Privacy Final Rules - Federal Register, Vol. 73, No. 237, December 9, 2008:
http://edocket.access.gpo.gov/2008/pdf/E8-28864.pdf

Family Educational Rights and Privacy Act (FERPA), U.S. Department of Education:
http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

EPIC's page on FERPA:
http://epic.org/privacy/education/ferpa.html

EPIC's page on Privacy of Education Records:
http://epic.org/privacy/education/school.html

EPIC's Student Privacy Page:
http://epic.org/privacy/student/

=======================================================================
[4] Privacy, Security and Openness at the Internet Governance Forum
=======================================================================

On December 2, 2008, the third meeting of the Internet Governance Forum, held in Hyderabad, India, focused its discussions on the theme of "Promoting Cyber-Security and Trust." The topic was covered in two panel discussions, one on the "Dimensions of Cybersecurity and Cyber-crime," and the second on "Fostering Security, Privacy and Openness." An open dialogue followed these panels. In parallel, many events on this topic were organized: 14 dedicated to Openness, 8 to Security, 1 to best practices and 1 to Emerging Topics on the Future of Online Privacy. The events provided an opportunity for IGF participants to discuss ideas and share experiences.
The first main session on the "Dimensions of Cyber-Security and Cyber-crime" was chaired by Mr. Rentala Chandershekhar, Special Secretary of the Department of Information Technology in the Indian Ministry of Communications & Information Technology, and moderated by Mr. Bertrand de la Chapelle, Special Envoy for Information Society of the French Foreign Ministry. The main points of the discussion regarded cybercrime and the problems concerning jurisdiction and geographical boundaries that law enforcement agencies face because of the borderless nature of the Internet. The session also addressed the need to intensify efforts to combat cybercrime. However, the discussions did not address any public accountability measures to oversee the legality and limit the use of the surveillance in communications. There was no mention of the wiretapping abuses that have been revealed around the world, sometimes involving thousands of illegal wiretaps, as noted by many participants at the Latin American Regional Preparatory Meeting of the IGF. Furthermore, no emphasis was recorded regarding the need of the States and countries that signed the Cybercrime Treaty of the Council of Europe to also sign the "Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data" in order to enhance privacy while fighting cybercrime as suggested by civil society participants at some IGF parallel privacy workshops. The second session, "Fostering Security, Privacy and Openness," was chaired by Mr. Shyamai Ghosh, Chairman of the Data Security Council of India (DSCI) and moderated by Ambassador David A. Gross, Coordinator for International Communications and Information Policy in the United States Department of State. Chairman Raja noted in the summary of the conference: "The increased awareness of the importance of data protection was mentioned as regards not only the protection of the private sphere of individuals, but their very freedom. 
Internal and international security requirements and market interests could lead to the erosion of fundamental safeguards of privacy and freedom. It was discussed how data that were collected for one specific purpose were often made available for other purposes and made available to bodies, both public and private, that were not intended recipients of these data."

Chairman Raja also acknowledged the comments of the moderator regarding the role of online anonymity: "The moderator mentioned an issue that was alluded to, but not discussed in this session, that is, the role of anonymity on the Internet and its relation to privacy, especially in spheres such as medical information." In concluding, Chairman Raja acknowledged the challenge in converting the areas of tension or conflict into areas of convergence, so that both the issues of security and privacy could be addressed in the proper perspective.

Internet Governance Forum:
http://www.intgovforum.org/

IGF Chairman's Summary (pdf):
http://epic.org/redirect/122208_IGF_Chairman.html

IGF "Promoting Cyber-Security and Trust" transcripts:
http://www.intgovforum.org/cms/index.php/hyderabadprogramme

Latin American and The Caribbean Regional Preparatory Meeting of the IGF:
http://www.lacnic.net/en/eventos/mvd2008/igf.html

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data:
http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm

=======================================================================
[5] DHS Releases Fusion Center Privacy Impact Assessment
=======================================================================

The Department of Homeland Security has released the Privacy Impact Assessment for the State, Local, and Regional Fusion Center Initiative. The assessment, which is the first of two reports by the agency, examines the privacy implications of the State, Local and Regional Fusion Centers and the DHS' State and Local Program Management Office.
Fusion Centers are intelligence databases that collect information on ordinary citizens. The DHS' Privacy Office identified a number of privacy risks presented by the fusion center program. These include ambiguous lines of authority, rules, and oversight; participation of the military and the private sector; data mining; excessive secrecy; inaccurate and incomplete information; and mission creep. The assessment reports that no "two fusion centers define or carry out their missions in exactly the same way or are subject to the same authorities or regulations." It also asserts that notions of comity and federalism prohibit the DHS from placing certain requirements on fusion centers. The assessment asserts that a number of steps have been taken to embed privacy into the management of fusion center programs and encourage the fusion centers to consider privacy in their practices. For example, the DHS disseminated the Global Justice Information Sharing Initiative Guidelines. The report states that the Criminal Intelligence Systems Operating Policies, which includes privacy requirements for federally funded criminal intelligence systems at use in the states, served as the foundation for many of the recommendations related to privacy. These policies recommend mechanisms that centers can develop to assist them in adhering to their privacy policies. Such mechanisms include: establishing a privacy oversight committee or appointing a privacy officer; developing or updating privacy training and orientation for all employees; taking steps to promote ongoing information privacy awareness; developing a process for tracking and handling privacy complaints or concerns; developing a consistent sanction policy for failure to comply with the privacy policy for all individuals in the organization; recognizing the overlap in privacy activities and security activities; and ensuring that all personnel are adequately trained in the privacy policy compliance. 
The Privacy Office recommends that fusion centers: undertake "regular and aggressive public accounting of fusion center activities"; perform regular privacy audits; acknowledge errors and take corrective action; and implement the Program Manager of the Information Sharing Environment's guidance regarding error correction. The report also clarifies that DHS analysts may not share and collect information that does not have a nexus to DHS' mission and intelligence and analysis responsibilities. The Privacy Office acknowledged that the assessment is incomplete: it does not cover all conceivable issues raised by either the involvement of the Justice Department or all practices of the states who manage and operate various fusion centers.

In May, EPIC prevailed in its freedom of information request to disclose documents describing the federal government's involvement in efforts to limit Virginia's transparency and privacy laws and uncovered a secret contract between the State Police and the FBI that limits the rights of Virginia citizens to learn what information the State Police collect about them.

Privacy Impact Assessment, Department of Homeland Security, State, Local, and Regional Fusion Center Initiative:
http://epic.org/redirect/122208_PIA_Fusion_dhs.html

EPIC's page on Information Fusion Centers and Privacy:
http://epic.org/privacy/fusion/

State and Local Fusion Centers:
http://www.dhs.gov/xinfoshare/programs/gc_1156877184684.shtm

Fusion Center Guidelines: Developing and Sharing Information in a New Era (Global Guidelines):
http://it.ojp.gov/documents/fusion_center_guidelines.pdf

EPIC v. Virginia Department of State Police:
http://epic.org/privacy/virginia_fusion/

=======================================================================
[6] News in Brief
=======================================================================

Health Department Encourages Use of Patient Information to Improve Care

The U.S.
Department of Health & Human Services announced privacy principles and a toolkit to guide efforts to harness the potential of new technology and more effective data analysis, while protecting privacy. Secretary Michael Leavitt stated that consumers should not be forced to accept privacy risks. Secretary Leavitt articulated several principles like individual access; correction; openness and transparency; individual choice; collection, use, and disclosure limitation; data integrity; safeguards and accountability. Also announced were several tools intended to help consumers and health information exchanges improve privacy protection and consumer access to their information.

U.S. Department of Health & Human Services, News Release, December 15, 2008:
http://www.hhs.gov/news/press/2008pres/12/20081215a.html

EPIC's page on Medical Privacy:
http://epic.org/privacy/medical/

Change in Yahoo Search Retention Leaves Privacy Questions Unresolved

Yahoo announced that, after 90 days, it will obscure some elements in the records that it keeps about all Internet users who use the company's services. The search company will continue to keep modified record locators, time/date stamps, web pages viewed, and a persistent user identifier, known as a "cookie," for an indefinite period. Yahoo is also retaining much of the IP address. Privacy rules classify IP addresses as "personal data" and the partial deletion of IP addresses does not provably anonymize user records. In September, Google also announced the partial anonymization of users' IP addresses. However, experts have criticized the partial deletion of IP address data as insufficient to protect consumers, and it is possible to use a database containing user search data to sort by time and location, to locate and identify the source of search queries, and to build individual profiles.

Yahoo!
Sets New Industry Privacy Standard with Data Retention Policy:
http://biz.yahoo.com/bw/081217/20081217005332.html

EPIC's page on Search Engine Privacy:
http://epic.org/privacy/search_engine/

Survey Reflects Continued Importance of Privacy

The Ponemon Institute announced the results of its fifth annual survey of Most Trusted Companies for Privacy. Around 73 percent of consumers felt that protection of personal privacy was "important" or "very important." The survey also found consumers losing faith in the ability to exercise control over their personal information. While 62 percent of consumers believed identity theft affected their trust in a company, 53 percent thought data breach notifications affected their perception of a company's privacy.

Ponemon Institute and TRUSTe Announce Results of Annual Most Trusted Companies for Privacy Survey:
http://truste.org/about/press_release/12_15_08.php

EPIC's page on Privacy and Consumer Profiling:
http://epic.org/privacy/profiling/

Massachusetts Holds Hearing on Data Security Rules

In November, the Commonwealth of Massachusetts became the first state in the United States to enact comprehensive data privacy and security standards and regulations. The rules will go into effect on May 1, 2009, consistent with rules of the Federal Trade Commission that require financial institutions and creditors to develop and create ID theft prevention programs. The Massachusetts Office of Consumer Affairs and Business Regulation announced that it will hold a public hearing on January 16, 2009 to allow interested parties an opportunity to provide oral and written testimony regarding the "Standards for The Protection of Personal Information of Residents of the Commonwealth."

Notice of Public Hearing, Office of Consumer Affairs and Business Regulation, Commonwealth of Massachusetts:
http://epic.org/redirect/122208_Notice_OCABR_Mass.html

"Standards for The Protection of Personal Information of Residents of the Commonwealth" (201 CMR 17.00):
http://epic.org/redirect/122208_OCABR_210cmr1700.html

201 CMR 17.00 Compliance Checklist:
http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf

FAQs regarding 201 CMR 17.00:
http://epic.org/redirect/112008_FAQ_201CMR1700.html

EPIC's page on Privacy Preemption Watch:
http://epic.org/privacy/preemption/

Federal Court Denies DHS Lifting Ban on SSN No-Match Letters

In October 2008, DHS finalized a rule providing a "safe harbor" from liability to employers who follow certain procedures when they receive a letter from the Social Security Administration stating that the SSN of their employee did not match with the SSA database. Failure to correct discrepancies results in liability under US Immigration laws. However, due to the cumbersome process involved in correcting errors, employers may instead choose to fire workers including citizens and non-citizens. Earlier, a federal court had granted a preliminary injunction in implementing such a rule. Now, the same court declined to vacate the injunction on the federal agency's SSN No-Match Rule.

EPIC has detailed substantial errors in government databases. The DHS has also been sponsoring advertisements in the media for the E-Verify program, which is supposed to determine employee work eligibility. Government investigators have highlighted errors in the databases used by E-Verify and detailed the many problems associated with the program.

Department of Homeland Security, Safe Harbor Procedures for Employers, October 28:
http://edocket.access.gpo.gov/2008/pdf/E8-25544.pdf

EPIC: Spotlight on Surveillance, E-Verify System: DHS Changes Name, But Problems Remain for U.S.
Workers:
http://epic.org/privacy/surveillance/spotlight/0707/default.html

Canadian Privacy Commissioner Issues Report to Parliament

The Canadian Privacy Commissioner issued the Annual Report to the Parliament. The report for the year 2007-2008 on the Privacy Act lists key accomplishments for the year, which included proactively supporting the Parliament, addressing public needs through inquiries, investigations, campaigns and litigations. The Office of the Commissioner also worked with international organizations and groups and encouraged research and debate. However, the report also cites significant concern regarding the posting of Canadians' highly sensitive personal information to the web by the government's passport operations and federal administrative tribunals. The report recommended providing all employees who handle personal information with privacy training.

Annual Report to Parliament 2007-2008, Office of the Privacy Commissioner of Canada:
http://www.privcom.gc.ca/information/ar/200708/200708_pa_e.asp

EPIC's Online Guide to Privacy Resources:
http://epic.org/privacy/privacy_resources_faq.html

European Researchers Issue Report on Web 2.0 Vulnerabilities

The European Network and Information Security Agency released a position paper on Web 2.0 Security and Privacy. The report underscores the inadequacy of access and authorization frameworks in the Web 2.0 model and in policy frameworks governing the separation of control between web applications. Excessive privileges and weak authentication are other risks identified in this area. The report also highlights knowledge and information management problems like misinformation dissemination and establishing trustworthiness of collaborative knowledge systems. The paper recommends policy incentives for secure development practices and encourages public and intergovernmental discussion.

ENISA Report on Web 2.0 Security and Privacy:
http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_web2.pdf

ENISA Report Survey Results:
http://www.enisa.europa.eu/doc/pdf

=======================================================================
[7] EPIC Bookstore: "The Privacy Advocates"
=======================================================================

"The Privacy Advocates: Resisting the Spread of Surveillance" by Colin J. Bennett, (MIT Press 2008)

http://www.powells.com/biblio/62-9780262026383-1?&PID=24075

Consider the phrase "the privacy movement." It is almost an oxymoron. How could people, committed to the "right to be left alone," join together to create any type of political force? One might as easily imagine "anarchist governance" or the "libertarian bureaucracy."

And yet a privacy movement has emerged, with growing influence, widening impact, and far-reaching political consequence. What is most remarkable is the presence of privacy campaigns in so many places on so many issues. In South Korea, teachers object to the creation of a new student database and organize a protest. In Germany, activists take to the streets to object to an obscure government regulation that requires telephone companies to keep data on their customers. Japanese officials resign rather than implement a nationwide identity system. In Peru, opposition is launched to surveillance cameras. And French activists recently brought an end to a massive new government database. As Bob Dylan once wrote, "something is happening here" that is amazing, remarkable, often heartening, and not well understood.

To be sure, the movement has almost everything going against it. To begin with, the issues are complex and the technology rapidly changing. The twin dynamics of the post 9/11 security economy coupled with the "Internet must not be regulated" mantra have created a surveillance tsunami.
Privacy groups must do their homework and then anticipate that, on any matter of consequence, there will be well-paid experts on the other side to prove that the world is flat, that two and two equals five, and that the massive aggregation of search histories is not a ticking privacy time bomb.

There is also the fundamental problem that privacy claims are almost always viewed as a "worry" or a "concern," a failure to understand the wonders of new technology, the imposition of a paternalistic moral code, or perhaps (according to those who repeat this gibberish) a combination of all of the above. The legacy of Orwell's 1984 fatalism and determinism has also not served the movement well. As you recall, there was no happy ending in 1984.

Thus, the first challenge for the privacy advocate is to translate a concern into a genuine political debate, to create a space where people are empowered to make decisions about such topics as identity cards, surveillance cameras, technical standards, and business practices. It is in this space that the opportunity for political change arises.

Privacy advocates have to work harder than advocates in other fields because the public simply assumes the benefits (or necessity), as well as the inevitability, of new technology. Still, these efforts often succeed. Just ask John Poindexter, the architect of Total Information Awareness, who watched his proposal for an all-seeing government surveillance plan collapse under a wave of public criticism. (Of course, he did receive a Big Brother Award from Privacy International for his efforts).

When a privacy concern is understood as a policy choice, the public becomes engaged, and bad ideas can be defeated. This happens more often than most people would suspect. It is also one of the reasons that major players in the privacy world (the government agencies, the private companies) seek out the opinions of privacy experts before the big announcements.
Privacy advocates must also contend with the absence of a decent business model. Unlike the public interest organizations that emerged in the late twentieth century with their monthly newsletters, large membership lists, foundation grants, and annual dues, the privacy groups in the current era are often little more than a web site, a few dedicated individuals, and a PayPal button. Surprising outcomes can still be obtained, but glory and news clips do not pay the bills. Which raises the thorny question of the relationship between privacy advocates and the organizations that they are often expected to oversee. For some in the privacy community, this presents a genuine moral quandary, as most conflicts of interest do. For others, it has become a nearly perfected business model, an opportunity to bless controversial projects, isolate critics, and make the policy case to the public that the sponsors never could. The companies see the business case as well. Much better to provide a fellowship or a sponsorship to a non-profit than to risk a critical news story or an actual lawsuit. One company's notable achievement is not simply to obtain the silence of consumer groups that might otherwise raise privacy objections to the search firm's business practices, but to enlist these same organizations' active support in *privacy campaigns* against its business competitors, which is as remarkable as it is ironic. Some government officials, privacy agencies and individual donors, who recognize this problem, are providing the funding and support to research institutions and advocacy organizations that allows real inquiry and meaningful policy solutions to be pursued, without the heavy hand of a private sponsor steering toward a predetermined conclusion. But there are other concerns in the privacy movement as well. There is in the Anglo countries the nagging problem that few privacy groups have addressed the issue of diversity in any meaningful way. 
The problem is not unique to privacy organizations; there is still "movement essentialism," left over from the past generation of activists, that limits the ability of people of color to articulate claims of common concern. But this may be changing also, as the recent Presidential election in the United States suggests. Still, the progress is real and the impact beyond dispute. Privacy campaigns of this era reflect both the opportunities and challenges of this new age. To look at the privacy movement today and imagine that it would be similar to social movements of the past is a mistake. Political organizations have been transformed by technology. They are global, dynamic, and fluid. There is little time for formal organization and even less incentive. A campaign may attract a nation's attention over a few weeks, produce a favorable outcome, and then dissolve. And still, with surprising frequency, those who believe in privacy, a fundamental human right, join forces, work together, and transform the politics of the modern age. -- Marc Rotenberg ================================ EPIC Publications: "Litigation Under the Federal Open Government Laws 2008," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC 2008). Price: $60. http://epic.org/bookstore/foia2008/ Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years. 
================================ "Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98. http://www.epic.org/redirect/aspen_ipl_casebook.html This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law. ================================ "Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75. http://www.epic.org/phr06/ This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published. ================================ "The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40. http://www.epic.org/bookstore/pvsourcebook This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). 
This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process. ================================ "The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40. http://www.epic.org/bookstore/pls2004/ The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act. ================================ "Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20. http://www.epic.org/bookstore/filters2.0 A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression. ================================ EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at: EPIC Bookstore http://www.epic.org/bookstore "EPIC Bookshelf" at Powell's Books http://www.powells.com/bookshelf/epicorg.html ================================ EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act. 
Subscribe to EPIC FOIA Notes at: https://mailman.epic.org/mailman/listinfo/foia_notes ======================================================================= [8] Upcoming Conferences and Events ======================================================================= The Privacy by Design Challenge - nine privacy leaders from major corporations present their latest innovations in Privacy-Enhancing Technologies. Toronto, Canada, January 28, 2009. For more information, http://www.privacybydesign.ca/registration.htm The American Conference Institute is hosting the 8th National Symposium on Privacy and Security of Consumer and Employee Information at the Four Points by Sheraton, Washington, D.C., January 27-28, 2009. http://www.americanconference.com/Privacy.htm "Patents, Copyrights and Knowledge Governance: The Next Four Years," Trans Atlantic Consumer Dialogue (TACD) Workshop held by the TACD Working Group on Intellectual Property, Washington, D.C., January 12-13, 2009. For more information, http://www.tacd-ip.org/blog/?page_id=5 The IAPP Privacy Summit 2009 will be held March 11-13, 2009, in Washington, D.C. For more information, http://www.privacysummit.org "Conference on International Aspects of Securing Personal Data," The Federal Trade Commission, Washington, D.C., March 16-17, 2009. For more information, http://ftc.gov/opa/2008/12/datasec.shtm Computers, Freedom, and Privacy, 19th Annual Conference, Washington, D.C., June 1-4, 2009. For more information, http://www.cfp2009.org/wiki/index.php/Main_Page "The Transformation of Privacy Policy," Institutions, Markets Technology Institute for Advanced Studies (IMT), Lucca, Italy, July 2-4, 2009. 
======================================================================= Subscription Information ======================================================================= Subscribe/unsubscribe via web interface: https://mailman.epic.org/mailman/listinfo/epic_news Back issues are available at: http://www.epic.org/alert The EPIC Alert displays best in a fixed-width font, such as Courier. ======================================================================= Privacy Policy ======================================================================= The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information." ======================================================================= About EPIC ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). 
======================================================================= Donate to EPIC ======================================================================= If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at: http://www.epic.org/donate Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ======================================================================= Support Privacy '08 ======================================================================= If you would like more information on Privacy '08, go online and search for "Privacy 08." You'll find a Privacy08 Cause at Facebook, Privacy08 at Twitter, a Privacy08 Channel on YouTube to come soon, and much more. You can also order caps and t-shirts at CafePress Privacy08. Start a discussion. Hold a meeting. Be creative. Spread the word. You can donate online at epic.org. Support the campaign. Facebook Cause: http://www.epic.org/redirect/fbprivacy08.html Twitter: http://twitter.com/privacy08 CafePress: http://www.cafepress.com/epicorg ======================================================================== E P I C Job Announcement ======================================================================== EPIC is seeking a smart, energetic, creative individual for the position of Staff Counsel Deadline: Jan. 1, 2009 Click here for more details http://www.epic.org/epic/jobs/counsel_1108.html ------------------------- END EPIC Alert 15.25 ------------------------