=======================================================================
                              E P I C   A l e r t
=======================================================================
Volume 15.25                                          December 23, 2008
-----------------------------------------------------------------------

                                Published by the
                   Electronic Privacy Information Center (EPIC)
                                Washington, D.C.

                 http://www.epic.org/alert/EPIC_Alert_15.25.html

			"Defend Privacy. Support EPIC."
			     http://epic.org/donate


=======================================================================
Table of Contents
=======================================================================
[1] Privacy Coalition Members Write to President-elect Obama
[2] India Hosts Third Internet Governance Forum
[3] Government Issues Final Rules in Education Records Privacy
[4] Privacy, Security and Openness at the Internet Governance Forum
[5] DHS Releases Fusion Center Privacy Impact Assessment
[6] News in Brief
[7] EPIC Bookstore: "The Privacy Advocates"
[8] Upcoming Conferences and Events
    - Subscription Information
    - Privacy Policy
    - About EPIC
    - Donate to EPIC http://www.epic.org/donate
    - Support Privacy '08 http://www.privacy08.org
    - Job Announcement

=======================================================================
[1] Privacy Coalition Members Write to President-elect Obama
=======================================================================

Thirty members of the Privacy Coalition sent a letter to
President-elect Barack Obama on the importance of protecting privacy in
the next administration. The Privacy Coalition is a nonpartisan
coalition of consumer, civil liberties, educational, family, library,
labor, and technology organizations that have agreed to the Privacy
Pledge. The coalition provides an opportunity for advocacy
organizations to share resources and collaborate on issues of mutual
interest. 

The organizations joining the letter included the Electronic Privacy
Information Center, American Association of Law Libraries, American-
Arab Anti-Discrimination Committee, American Policy Center, Bill of
Rights Defense Committee, Center for American Progress Action Fund,
Consumer Federation of America, Consumers Union, Electronic Frontier
Foundation, Government Accountability Project, Liberty Coalition,
Privacy Rights Clearinghouse, and US Bill of Rights Foundation.

The letter called for: protection of sensitive information; the privacy
of personal information obtained by the government, health information,
and consumer privacy; strengthening of the Federal Trade Commission;
limiting the use of Homeland Security Databases; and allowing states to
continue to innovate to create legislative solutions. 

The organizations outlined their support for the incoming president's
expressed positions on privacy, consumer rights, and civil liberties.
President-elect Obama stated support for strengthening privacy
protections by harnessing the power of technology to hold government
and businesses accountable for violations of personal privacy. The
coalition said that "[t]here is a clear need to address the spiraling
problems of identity theft, security breaches, and the
commercialization of personal information."

The President-elect's transition process has named the heads of each
of the major Federal government agencies. Barack Obama will be sworn
in as the 44th President of the United States on January 20, 2009.



Letter from Privacy Coalition to the President-elect:
     http://www.privacycoalition.org/obama-ftc-ltr.pdf

Privacy Coalition:
     http://privacycoalition.org

Barack Obama "Change That We Can Believe In: Technology:"
     http://epic.org/redirect/122208_Obama_TechStatement_0222.html

Privacy Coalition Members:
     http://privacycoalition.org/about.php

Privacy Coalition Pledge:
     http://privacycoalition.org/pledge.php



=======================================================================
[2] India Hosts Third Internet Governance Forum
=======================================================================

With the slogan "Internet for all," the third annual meeting of the
Internet Governance Forum took place in Hyderabad, India on December
3-6, 2008. The IGF is a multi-stakeholder forum for policy dialogue on
issues of Internet governance. The United Nations Secretary General
established the IGF in July 2006 and since then three annual forums
have been organized.

The third IGF, which was held in the aftermath of terrorist attacks in
Mumbai, brought together governments, the private sector, civil
society, and the academic and technical communities to debate Internet
governance and related public policy issues, exchange information, and
to share good practices. In all, close to 1,300 participants from 94
countries attended the meeting, which was webcast with video and audio
streaming. The proceedings of the main sessions were transcribed and
displayed in the main session hall in real time and streamed to the
Web. Remote hubs held parallel meetings in Argentina, Brazil, India,
Pakistan, Colombia, Serbia and Spain.

Ms. Marilia Maciel, Remote Participation Working Group coordinator,
stated:

"These hubs are local meetings which exhibit the Webcast of the IGF and
also interact with people in the event, sending text as well as video
questions....Participants of the Remote hub used it as a starting point
to create a local committee to discuss [Information and Communication
Technology] related issues."

The international meeting focused on 5 main sessions which were
organized in 3 thematic days under the headings: "Reaching
the Next Billion;" "Promoting Cyber-Security and Trust;" and "Managing
Critical Internet Resources." The last day covered "Emerging Issues -
the Internet of Tomorrow" and "Taking Stock and the Way Forward."
Parallel to the main sessions, 87 self-organized workshops were held,
including meetings of the IGF dynamic coalitions, best practices and
open forums.

The Government of India hosted the meeting, which was chaired by
Mr. Thiru Andimuthu Raja, India's Union Cabinet Minister for
Communications and Information Technology. Opening addresses were made
by Mr. Jomo Kwame Sundaram on behalf of the Secretary General of the
United Nations, Mr. Nitin Desai, special advisor to the Secretary
General for Internet Governance and chairman of the multistakeholder
Advisory Group, Mr. Damodar Reddy, Minister for Information Technology,
Government of Andhra Pradesh, and Minister Andimuthu Raja.

UN representative Mr. Sundaram stated during the Opening Session:
"The IGF is not a new organization or agency, and rather than being a
decision-making body, the IGF is a space, a platform, for frank and
enlightened debate. The forum provides a unique opportunity for all
stakeholders to foster innovative dialogue under the auspices of the
United Nations. The forum shapes and informs the decision-making
processes of other institutions and governments and prepares the ground
for negotiations that will take place in intergovernmental as well as
other forums."

Mr. Sundaram further emphasized: 
"The forum is a place to launch ideas, trial balloons, perhaps that
can serve as the basis of broader agreement on concrete ways and means
to shape and govern the Internet."

In the summary of the conference, Chairman Andimuthu Raja noted:
"The role of the IGF in building an Internet society was inclusive,
human centered and geared to development." Mr. Raja also indicated that
"[a]ccess to information by the people helped democracy by having
transparency in the functioning of the government and enhanced the
participation of the people in the governing process. Without
appropriate information, people could not adequately exercise their
rights as citizens."

The summary of the conference also highlighted:
"Speakers noted that the IGF provided the opportunity for a dialogue
between all stakeholders and a mutual exchange of ideas. It fostered
the building of partnerships and relationships that otherwise might not
occur. The IGF was appreciated for its open multi-stakeholder model,
with examples of new national and regional IGF initiatives illustrating
the spread of the multi-stakeholder ideal and its value in policy
discussion."

In 2010, the United Nations General Assembly will decide if it should 
extend the IGF's initial five-year mandate, based on a review of its
work as well as its achievements. The next IGF meetings will be held in
Cairo, Egypt, on November 15-18, 2009 and in Vilnius, Lithuania in
2010.


Internet Governance Forum:
     http://www.intgovforum.org/

IGF Chairman's Summary (pdf):
     http://epic.org/redirect/122208_IGF_Chairman.html
  
The Public Voice:
     http://www.thepublicvoice.org

Remote Participation:
     http://www.intgovforum.org/cms/index.php/remoteparticipation




=======================================================================
[3] Government Issues Final Rules in Education Records Privacy
=======================================================================

The Department of Education issued its Final Rules under a federal
statute that protects the privacy of student education records. The law
applies to all schools that receive federal funds. The new rules, which
come into effect on January 8, 2009, have been formulated because
educational agencies and institutions face considerable challenges,
especially with regard to maintaining safe campuses, protecting
personally identifiable information in students' education records and
responding to requests for data on student progress.

The new rules under the Family Educational Rights and Privacy Act
include amendments needed to implement provisions of other federal
laws, as well as two Supreme Court decisions. The new rules are
consistent with the USA Patriot Act, which added new exceptions
permitting the disclosure of personally identifiable information from
education records without consent. The changes: 1) clarify permissible
disclosures to parents of eligible students; 2) clarify conditions that
apply to disclosures in health and safety emergencies; 3) clarify
permissible disclosures of student identifiers as directory
information; and 4) allow disclosures to contractors and other outside
parties in connection with the outsourcing of institutional functions
and services. 

The amendments also revise certain key definitions of terms. The rule 
modifies "attendance" to include "other electronic information and
telecommunications technologies" that do not require classroom
presence. The rules also note that there is no statutory authority
under the federal law to prohibit an educational institution from using
a student's social security number as a student ID number. The
definition of "disclosure" now excludes the return of a document to its
source and clarifies that information maintained in a consolidated
student records system may be provided back to the original institution
without consent. The new rules clarify that "education records" does
not include information created or received on a former student as long
as it is not directly related to a student's attendance. Noting that
removal of the name and SSN (or other ID number) does not necessarily
prevent the release of personally identifiable information, the amendments
also delete the "easily traceable" standard as it lacked "specificity
and clarity." Additionally, biometric records have also been included
within the definition of "personally identifiable information."

The final report of the Review Panel of the mass shootings at Virginia
Tech cited misinterpretations of information privacy laws as the reason
why action was not taken regarding the shooter's mental health history.
The amendments clarified that institutions are permitted to disclose
personally identifiable information from students' education records,
without consent, "to appropriate parties in connection with an
emergency if knowledge of the information is necessary to protect the
health or safety of the student or other individuals."

The amendments implement a provision of the USA Patriot Act allowing
the Attorney General to apply for a court order to collect, retain,
disseminate, and use certain education records in the possession of an
educational agency or institution without regard to any other statutory
requirement. 

The rules widen the meaning of "education record" to include even
records with all names and Social Security Numbers redacted if the
institutions believe that the records could be used to identify a
student. The Department of Education stated it would not recognize an
exception to confidentiality even if the person to whom the document
related has voluntarily revealed her own identity to the media, because
the "general public interest does not give an educational agency or
institution permission to release the same or related information from
education records without consent."


Education Records Privacy Final Rules - Federal Register, Vol. 73,
No. 237, December 9, 2008: 
     http://edocket.access.gpo.gov/2008/pdf/E8-28864.pdf 

Family Educational Rights and Privacy Act (FERPA),
U.S. Department of Education:
     http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

EPIC's page on FERPA:
     http://epic.org/privacy/education/ferpa.html

EPIC's page on Privacy of Education Records:
     http://epic.org/privacy/education/school.html

EPIC's Student Privacy Page:
     http://epic.org/privacy/student/



=======================================================================
[4] Privacy, Security and Openness at the Internet Governance Forum
=======================================================================

On December 2, 2008, the third meeting of the Internet Governance
Forum, held in Hyderabad, India, focused its discussions on the theme
of "Promoting Cyber-Security and Trust." 

The topic was covered in two panel discussions, one on the "Dimensions
of Cybersecurity and Cyber-crime," and the second on "Fostering
Security, Privacy and Openness." An open dialogue followed these
panels. In parallel, many events on this topic were organized: 14
dedicated to Openness, 8 to Security, 1 to best practices and 1 to
Emerging Topics on the Future of Online Privacy. The events provided
an opportunity for IGF participants to discuss ideas and share
experiences.

The first main session on the "Dimensions of Cyber-Security and
Cyber-crime" was chaired by Mr. Rentala Chandershekhar, Special
Secretary of the Department of Information Technology in the Indian
Ministry of Communications & Information Technology, and moderated by
Mr. Bertrand de la Chapelle, Special Envoy for Information Society of 
the French Foreign Ministry. The main points of the discussion regarded
cybercrime and the problems concerning jurisdiction and geographical
boundaries that law enforcement agencies face because of the borderless
nature of the Internet. The session also addressed the need to
intensify efforts to combat cybercrime. However, the discussions did
not address any public accountability measures to oversee the legality
and limit the use of the surveillance in communications. There was no
mention of the wiretapping abuses that have been revealed around the
world, sometimes involving thousands of illegal wiretaps, as noted by
many participants at the Latin American Regional Preparatory Meeting
of the IGF. Furthermore, no emphasis was recorded regarding the need of
the States and countries that signed the Cybercrime Treaty of the
Council of Europe to also sign the "Convention 108 for the Protection
of Individuals with regard to Automatic Processing of Personal Data"
in order to enhance privacy while fighting cybercrime as suggested by
civil society participants at some IGF parallel privacy workshops.

The second session, "Fostering Security, Privacy and Openness," was
chaired by Mr. Shyamal Ghosh, Chairman of the Data Security Council of
India (DSCI) and moderated by Ambassador David A. Gross, Coordinator
for International Communications and Information Policy in the United
States Department of State.

Chairman Raja noted in the summary of the conference:

"The increased awareness of the importance of data protection was
mentioned as regards not only the protection of the private sphere of
individuals, but their very freedom. Internal and international
security requirements and market interests could lead to the erosion of
fundamental safeguards of privacy and freedom. It was discussed how data
that were collected for one specific purpose were often made available
for other purposes and made available to bodies, both public and
private, that were not intended recipients of these data."

Chairman Raja also acknowledged the comments of the moderator regarding
the role of online anonymity:

"The moderator mentioned an issue that was alluded to, but not
discussed in this session, that is, the role of anonymity on the
Internet and its relation to privacy, especially in spheres such as
medical information." In concluding, Chairman Raja acknowledged the
challenge in converting the areas of tension or conflict into areas of
convergence, so that both the issues of security and privacy could be
addressed in the proper perspective.


Internet Governance Forum:
     http://www.intgovforum.org/ 

IGF Chairman's Summary (pdf): 
     http://epic.org/redirect/122208_IGF_Chairman.html 

IGF "Promoting Cyber-Security and Trust" transcripts: 
     http://www.intgovforum.org/cms/index.php/hyderabadprogramme 

Latin American and The Caribbean Regional Preparatory Meeting of the IGF 
     http://www.lacnic.net/en/eventos/mvd2008/igf.html 

Convention for the Protection of Individuals with regard to Automatic 
Processing of Personal Data: 
     http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm 



=======================================================================
[5] DHS Releases Fusion Center Privacy Impact Assessment
=======================================================================

The Department of Homeland Security has released the Privacy Impact
Assessment for the State, Local, and Regional Fusion Center Initiative.
The assessment, which is the first of two reports by the agency,
examines the privacy implications of the State, Local and Regional
Fusion Centers and the DHS' State and Local Program Management Office.
Fusion Centers are intelligence databases that collect information on
ordinary citizens. 

The DHS' Privacy Office identified a number of privacy risks presented
by the fusion center program. These include ambiguous lines of
authority, rules, and oversight; participation of the military and the
private sector; data mining; excessive secrecy; inaccurate and
incomplete information; and mission creep. The assessment reports that
no "two fusion centers define or carry out their missions in exactly
the same way or are subject to the same authorities or regulations." It
also asserts that notions of comity and federalism prohibit the DHS
from placing certain requirements on fusion centers. 

The assessment asserts that a number of steps have been taken to embed
privacy into the management of fusion center programs and encourage
the fusion centers to consider privacy in their practices. For example,
the DHS disseminated the Global Justice Information Sharing
Initiative Guidelines. The report states that the Criminal Intelligence
Systems Operating Policies, which include privacy requirements for
federally funded criminal intelligence systems in use in the states,
served as the foundation for many of the recommendations related to
privacy. These policies recommend mechanisms that centers can develop
to assist them in adhering to their privacy policies. Such mechanisms 
include: establishing a privacy oversight committee or appointing a
privacy officer; developing or updating privacy training and
orientation for all employees; taking steps to promote ongoing
information privacy awareness; developing a process for tracking and
handling privacy complaints or concerns; developing a consistent
sanction policy for failure to comply with the privacy policy for all
individuals in the organization; recognizing the overlap in privacy
activities and security activities; and ensuring that all personnel are
adequately trained in privacy policy compliance.

The Privacy Office recommends that fusion centers: undertake "regular
and aggressive public accounting of fusion center activities"; perform
regular privacy audits; acknowledge errors and take corrective action;
and implement the Program Manager of the Information Sharing
Environment's guidance regarding error correction. The report also
clarifies that DHS analysts may not share and collect information that
does not have a nexus to DHS' mission and intelligence and analysis
responsibilities.
The Privacy Office acknowledged that the assessment is incomplete – it
does not cover all conceivable issues raised by either the involvement
of the Justice Department or all practices of the states who manage and
operate various fusion centers. 

In May, EPIC prevailed in its freedom of information request to 
disclose documents describing the federal government's involvement in 
efforts to limit Virginia's transparency and privacy laws and 
uncovered a secret contract between the State Police and the FBI that 
limits the rights of Virginia citizens to learn what information the 
State Police collect about them. 


Privacy Impact Assessment, Department of Homeland Security,
State, Local, and Regional Fusion Center Initiative:
     http://epic.org/redirect/122208_PIA_Fusion_dhs.html

EPIC's page on Information Fusion Centers and Privacy:
     http://epic.org/privacy/fusion/

State and Local Fusion Centers:
     http://www.dhs.gov/xinfoshare/programs/gc_1156877184684.shtm

Fusion Center Guidelines: Developing and Sharing Information in a
New Era (Global Guidelines):
     http://it.ojp.gov/documents/fusion_center_guidelines.pdf

EPIC v. Virginia Department of State Police:
     http://epic.org/privacy/virginia_fusion/



=======================================================================
[6] News in Brief
=======================================================================

Health Department Encourages Use of Patient Information to Improve Care

The U.S. Department of Health & Human Services announced privacy
principles and a toolkit to guide efforts to harness the potential of
new technology and more effective data analysis, while protecting
privacy. Secretary Michael Leavitt stated that consumers should not be
forced to accept privacy risks. Secretary Leavitt articulated several
principles like individual access; correction; openness and
transparency; individual choice; collection, use, and disclosure
limitation; data integrity; safeguards and accountability. Also
announced were several tools intended to help consumers and health
information exchanges improve privacy protection and consumer
access to their information.


U.S. Department of Health & Human Services, News Release,
December 15, 2008:
     http://www.hhs.gov/news/press/2008pres/12/20081215a.html

EPIC's page on Medical Privacy:
     http://epic.org/privacy/medical/



Change in Yahoo Search Retention Leaves Privacy Questions Unresolved

Yahoo announced that, after 90 days, it will obscure some elements in
the records that it keeps about all Internet users who use the
company's services. The search company will continue to keep modified
record locators, time/date stamps, web pages viewed, and a persistent
user identifier, known as a "cookie," for an indefinite period. Yahoo
is also retaining much of the IP address. Privacy rules classify IP
addresses as "personal data" and the partial deletion of IP addresses
does not provably anonymize user records. In September, Google also
announced the partial anonymization of users’ IP addresses. However,
experts have criticized the partial deletion of IP address data as
insufficient to protect consumers, and it is possible to use a database
containing user search data to sort by time and location, to locate and
identify the source of search queries, and to build individual
profiles.


Yahoo! Sets New Industry Privacy Standard with Data Retention Policy:
     http://biz.yahoo.com/bw/081217/20081217005332.html

EPIC's page on Search Engine Privacy:
     http://epic.org/privacy/search_engine/



Survey Reflects Continued Importance of Privacy

The Ponemon Institute announced the results of its fifth annual survey
of Most Trusted Companies for Privacy. Around 73 percent of consumers
felt that protection of personal privacy was "important" or "very
important." The survey also found consumers losing faith in the
ability to exercise control over their personal information. While 62
percent of consumers believed identity theft affected their trust in a
company, 53 percent thought data breach notifications affected their
perception of a company's privacy.

Ponemon Institute and TRUSTe Announce Results of Annual Most Trusted
Companies for Privacy Survey:
     http://truste.org/about/press_release/12_15_08.php

EPIC's page Privacy and Consumer Profiling:
     http://epic.org/privacy/profiling/



Massachusetts Holds Hearing on Data Security Rules 

In November, the Commonwealth of Massachusetts became the first state
in the United States to enact comprehensive data privacy and security
standards and regulations. The rules will go into effect on May 1,
2009, consistent with rules of the Federal Trade Commission that
require financial institutions and creditors to develop and create ID
theft prevention programs. The Massachusetts Office of Consumer Affairs
and Business Regulation announced that it will hold a public hearing on
January 16, 2009 to allow interested parties an opportunity to provide
oral and written testimony regarding the "Standards for The
Protection of Personal Information of Residents of the Commonwealth." 



Notice of Public Hearing, Office of Consumer Affairs and Business
Regulation, Commonwealth of Massachusetts:
     http://epic.org/redirect/122208_Notice_OCABR_Mass.html

"Standards for The Protection of Personal Information of Residents of
the Commonwealth" (201 CMR 17.00):
     http://epic.org/redirect/122208_OCABR_210cmr1700.html

201 CMR 17.00 Compliance Checklist:
     http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf

FAQs regarding 201 CMR 17.00:
     http://epic.org/redirect/112008_FAQ_201CMR1700.html

EPIC's page on Privacy Preemption Watch:
     http://epic.org/privacy/preemption/



Federal Court Denies DHS Lifting Ban on SSN No-Match Letters

In October 2008, DHS finalized a rule providing a "safe harbor" from
liability to employers who follow certain procedures when they receive
a letter from the Social Security Administration stating that the SSN
of their employee did not match with the SSA database. Failure to
correct discrepancies results in liability under US Immigration laws.
However, due to the cumbersome process involved in correcting errors,
employers may instead choose to fire workers including citizens and
non-citizens. Earlier, a federal court had granted a preliminary
injunction against implementing such a rule. Now, the same court has
declined to vacate the injunction on the federal agency's SSN No-Match
Rule. EPIC
has detailed substantial errors in government databases. The DHS has
also been sponsoring advertisements in the media for the E-Verify
program, which is supposed to determine employee work eligibility.
Government investigators have highlighted errors in the databases used
by E-Verify and detailed the many problems associated with the program.

Department of Homeland Security,
Safe Harbor Procedures for Employers, October 28: 
     http://edocket.access.gpo.gov/2008/pdf/E8-25544.pdf 

EPIC: Spotlight on Surveillance, E-Verify System: DHS Changes Name, 
But Problems Remain for U.S. Workers: 
     http://epic.org/privacy/surveillance/spotlight/0707/default.html 




Canadian Privacy Commissioner Issues Report to Parliament

The Canadian Privacy Commissioner issued the Annual Report to
Parliament. The report for the year 2007-2008 on the Privacy Act
lists key accomplishments for the year, which included proactively
supporting Parliament and addressing public needs through inquiries,
investigations, campaigns and litigation. The Office of the
Commissioner also worked with international organizations and groups
and encouraged research and debate. However, the report also
cites significant concern regarding the posting of Canadians' highly
sensitive personal information to the web by the government's passport
operations and federal administrative tribunals. The report recommended
providing all employees who handle personal information with privacy
training. 


Annual Report to Parliament 2007-2008, Office of the Privacy
Commissioner of Canada:
     http://www.privcom.gc.ca/information/ar/200708/200708_pa_e.asp

EPIC's Online Guide to Privacy Resources:
     http://epic.org/privacy/privacy_resources_faq.html



European Researchers Issue Report on Web 2.0 Vulnerabilities

The European Network and Information Security Agency released a
position paper on Web 2.0 Security and Privacy. The report underscores
the inadequacy of access and authorization frameworks in the Web 2.0
model and in policy frameworks governing the separation of control
between web applications. Excessive privileges and weak authentication
are other risks identified in this area. The report also highlights
knowledge and information management problems like misinformation
dissemination and establishing trustworthiness of collaborative
knowledge systems. The paper recommends policy incentives for secure
development practices and encourages public and intergovernmental
discussion.

ENISA Report on Web 2.0 Security and Privacy:
     http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_web2.pdf

ENISA Report Survey Results:
     http://www.enisa.europa.eu/doc/pdf



=======================================================================
[7] EPIC Bookstore: "The Privacy Advocates"
=======================================================================

"The Privacy Advocates: Resisting the Spread of Surveillance"
by Colin J. Bennett, (MIT Press 2008) 

     http://www.powells.com/biblio/62-9780262026383-1?&PID=24075

	Consider the phrase "the privacy movement." It is almost an
oxymoron. How could people, committed to the "right to be left alone,"
join together to create any type of political force? One might as
easily imagine "anarchist governance" or the "libertarian bureaucracy."

	And yet a privacy movement has emerged, with growing influence,
widening impact, and far-reaching political consequence. What is most
remarkable is the presence of privacy campaigns in so many places on so
many issues. In South Korea, teachers object to the creation of a new
student database and organize a protest. In Germany, activists take to
the streets to object to an obscure government regulation that requires
telephone companies to keep data on their customers. Japanese officials
resign rather than implement a nationwide identity system. In Peru,
opposition is launched to surveillance cameras. And French activists
recently brought an end to a massive new government database.

	As Bob Dylan once wrote, "something is happening here" that is
amazing, remarkable, often heartening, and not well understood. To be
sure, the movement has almost everything going against it. To begin
with, the issues are complex and the technology rapidly changing. The
twin dynamics of the post 9/11 security economy coupled with the
"Internet must not be regulated" mantra have created a surveillance
tsunami. Privacy groups must do their homework and then anticipate
that, on any matter of consequence, there will be well-paid experts on
the other side to prove that the world is flat, that two and two equals
five, and that the massive aggregation of search histories is not a
ticking privacy time bomb.

	There is also the fundamental problem that privacy claims are
almost always viewed as a "worry" or a "concern," a failure to
understand the wonders of new technology, the imposition of a
paternalistic moral code, or perhaps (according to those who repeat
this gibberish) a combination of all of the above. The legacy of
Orwell's 1984 – fatalism and determinism – has also not served the
movement well. As you recall, there was no happy ending in 1984.

	Thus, the first challenge for the privacy advocate is to
translate a concern into a genuine political debate, to create a space
where people are empowered to make decisions about such topics as
identity cards, surveillance cameras, technical standards, and
business practices. It is in this space that the opportunity for
political change arises. Privacy advocates have to work harder than
advocates in other fields because the public simply assumes the
benefits (or necessity), as well as the inevitability, of new
technology.

	Still, these efforts often succeed. Just ask John Poindexter,
the architect of Total Information Awareness, who watched his proposal
for an all-seeing government surveillance plan collapse under a wave of
public criticism. (Of course, he did receive a Big Brother Award from
Privacy International for his efforts). When a privacy concern is
understood as a policy choice, the public becomes engaged, and bad
ideas can be defeated. This happens more often than most people would
suspect. It is also one of the reasons that major players in the
privacy world – the government agencies, the private companies – seek
out the opinions of privacy experts before the big announcements.

	Privacy advocates must also contend with the absence of a
decent business model. Unlike the public interest organizations that
emerged in the late twentieth century with their monthly newsletters,
large membership lists, foundation grants, and annual dues, the privacy
groups in the current era are often little more than a web site, a few
dedicated individuals, and a PayPal button. Surprising outcomes can
still be obtained, but glory and news clips do not pay the bills.
	
	Which raises the thorny question of the relationship between
privacy advocates and the organizations that they are often expected to
oversee. For some in the privacy community, this presents a genuine
moral quandary, as most conflicts of interest do. For others, it has
become a nearly perfected business model, an opportunity to bless
controversial projects, isolate critics, and make the policy case to
the public that the sponsors never could. The companies see the
business case as well. Much better to provide a fellowship or a 
sponsorship to a non-profit than to risk a critical news story or an
actual lawsuit. 

	One company's notable achievement is not simply to obtain the
silence of consumer groups that might otherwise raise privacy
objections to the search firm's business practices, but to enlist these
same organizations' active support in *privacy campaigns* against its
business competitors, which is as remarkable as it is ironic.

	Some government officials, privacy agencies and individual
donors, who recognize this problem, are providing the funding and
support to research institutions and advocacy organizations that allows
real inquiry and meaningful policy solutions to be pursued, without the
heavy hand of a private sponsor steering toward a predetermined
conclusion.

	But there are other concerns in the privacy movement as well.
There is in the Anglo countries the nagging problem that few privacy
groups have addressed the issue of diversity in any meaningful way. The
problem is not unique to privacy organizations; there is still
"movement essentialism," left over from the past generation of
activists, that limits the ability of people of color to articulate
claims of common concern. But this may be changing also, as the recent
Presidential election in the United States suggests.

	Still, the progress is real and the impact beyond dispute.
Privacy campaigns of this era reflect both the opportunities and
challenges of this new age. To look at the privacy movement today and
imagine that it would be similar to social movements of the past is a
mistake. Political organizations have been transformed by technology.
They are global, dynamic, and fluid. There is little time for formal
organization and even less incentive. A campaign may attract a nation's
attention over a few weeks, produce a favorable outcome, and then
dissolve.

	And still, with surprising frequency, those who believe in
privacy, a fundamental human right, join forces, work together, and
transform the politics of the modern age.

-- Marc Rotenberg



================================
EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid
(EPIC 2008). Price: $60.

http://epic.org/bookstore/foia2008/
	
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
laws. This updated version includes new material regarding the
substantial FOIA amendments enacted on December 31, 2007. Many of the
recent amendments are effective as of December 31, 2008. The standard
reference work includes in-depth analysis of litigation under the
Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully
updated 2008 volume is the 24th edition of the manual that lawyers,
journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition," Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
$40.

http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the
CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.

================================

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/bookshelf/epicorg.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/mailman/listinfo/foia_notes


=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

The Privacy by Design Challenge - nine privacy leaders from major
corporations present their latest innovations in Privacy-Enhancing
Technologies. Toronto, Canada, January 28, 2009. For more
information, http://www.privacybydesign.ca/registration.htm


The American Conference Institute is hosting the 8th National Symposium
on Privacy and Security of Consumer and Employee Information at the
Four Points by Sheraton, Washington, D.C., January 27-28, 2009.
http://www.americanconference.com/Privacy.htm


"Patents, Copyrights and Knowledge Governance: The Next Four Years,"
Trans Atlantic Consumer Dialogue (TACD) Workshop held by the TACD
Working Group on Intellectual Property, Washington, D.C.,
January 12-13, 2009. For more information,
http://www.tacd-ip.org/blog/?page_id=5


The IAPP Privacy Summit 2009 will be held March 11-13, 2009, in
Washington, D.C. For more information, http://www.privacysummit.org


"Conference on International Aspects of Securing Personal Data," The
Federal Trade Commission, Washington, D.C., March 16-17, 2009.
For more information, http://ftc.gov/opa/2008/12/datasec.shtm


Computers, Freedom, and Privacy, 19th Annual Conference, Washington,
D.C., June 1-4, 2009. For more information,
http://www.cfp2009.org/wiki/index.php/Main_Page


"The Transformation of Privacy Policy," Institutions, Markets,
Technology Institute for Advanced Studies (IMT), Lucca, Italy,
July 2-4, 2009.


=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:
https://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert


The EPIC Alert displays best in a fixed-width font, such as Courier.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

=======================================================================
Support Privacy '08
=======================================================================

If you would like more information on Privacy '08, go online and search
for "Privacy 08." You'll find a Privacy08 Cause at Facebook, Privacy08
at Twitter, a Privacy08 Channel on YouTube to come soon, and much more.
You can also order caps and t-shirts at CafePress Privacy08.

Start a discussion. Hold a meeting. Be creative. Spread the word. You
can donate online at epic.org. Support the campaign.

Facebook Cause:
http://www.epic.org/redirect/fbprivacy08.html

Twitter:
http://twitter.com/privacy08

CafePress:
http://www.cafepress.com/epicorg

========================================================================
                          E P I C   Job Announcement
========================================================================

        EPIC is seeking a smart, energetic, creative individual
                     for the position of Staff Counsel

                         Deadline: Jan. 1, 2009

                       Click here for more details
           http://www.epic.org/epic/jobs/counsel_1108.html


------------------------- END EPIC Alert 15.25 ------------------------
