==============================================================

EPIC ALERT

==============================================================
Volume 9.11                                       June 5, 2002
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_9.11.html

=======================================================================
Table of Contents
=======================================================================

[1] FBI Docs Obtained by EPIC: Carnivore Hampered Terror Probe
[2] EPIC, ACLU Prevail - Library Filtering Law Unconstitutional
[3] Coalition Questions New Investigative Guidelines
[4] EU Officials Launch Investigation of Microsoft Passport
[5] Data Retention: EU Vote and ReplayTV Decision
[6] "Observing Surveillance" in Washington, DC
[7] EPIC Bookstore - Overseers of the Poor
[8] Upcoming Conferences and Events

=======================================================================
[1] FBI Docs Obtained by EPIC: Carnivore Hampered Terror Probe
=======================================================================

FBI documents obtained by EPIC show that an anti-terrorism investigation possibly involving Osama bin Laden was hampered by technical flaws in the Bureau's controversial Carnivore Internet surveillance system. A written report describes the incident as part of a "pattern" indicating "an inability on the part of the FBI to manage" its foreign intelligence surveillance activities.

An internal FBI e-mail message dated April 5, 2000, recounts how the Carnivore "software was turned on and did not work correctly." The surveillance system captured not only the electronic communications of the court-authorized target, "but also picked up E-Mails on non-covered" individuals, a violation of federal wiretap law.
According to the Bureau document, the "FBI technical person was apparently so upset that he destroyed all the E-Mail take, including the take on [the authorized target]."

The botched surveillance was performed by the FBI's International Terrorism Operations Section (ITOS) and its "UBL Unit," which refers to the government's official designation of bin Laden. The Bureau document indicates that an official at the Justice Department's Office of Intelligence Policy and Review became aware of the problem, and "[t]o state that she is unhappy with ITOS and the UBL Unit would be an understatement of incredible proportions."

The reported problem apparently was not the first to arise during the course of FBI implementation of the Foreign Intelligence Surveillance Act (FISA). The internal document concludes its report of the "UBL Unit" incident by noting, "When you add this story to the FISA mistakes covered in [another, unreleased document], you have a pattern of occurrences which indicate to OIPR an inability on the part of the FBI to manage its FISAs."

Two Bureau documents written one week later discuss Carnivore's tendency to cause "the improper capture of data," and note that "[s]uch unauthorized interceptions not only can violate a citizen's privacy but also can seriously 'contaminate' ongoing investigations" and that such interceptions are "unlawful."

Since its existence became public in 2000, the Carnivore system has been criticized by EPIC and other privacy groups, as well as members of Congress, because it gives the FBI unprecedented, direct access to the data networks of Internet service providers. The FBI has publicly downplayed the system's potential for over-collection of private communications, although internal documents released earlier to EPIC confirmed such a risk.

The newly-released FBI documents were provided to EPIC on May 24, in response to a court order issued by U.S.
District Judge James Robertson in EPIC's ongoing lawsuit seeking the disclosure of material concerning Carnivore. The order directed the Bureau to conduct a second search for relevant documents after EPIC successfully argued (over the Bureau's objections) that an initial FBI search was inadequate and likely overlooked responsive records (see EPIC Alert 9.06).

More information on Carnivore, including the newly-released FBI documents, is available at:

     http://www.epic.org/privacy/carnivore/

=======================================================================
[2] EPIC, ACLU Prevail - Library Filtering Law Unconstitutional
=======================================================================

A three-judge panel in Philadelphia ruled May 31 that the government's third attempt to regulate content on the Internet violates the First Amendment because it would restrict substantial amounts of protected speech "whose suppression serves no legitimate government interest." This censorship comes in the form of the Children's Internet Protection Act (CIPA), which requires the installation of filtering software on computers in libraries that receive federal support.

In a 195-page opinion, the panel concluded that current filtering technology is far too problematic to survive First Amendment scrutiny, and that these "[f]iltering products' shortcomings will not be solved through a technical solution in the foreseeable future." EPIC's recent publication, Filters & Freedom 2.0, details the free expression implications of filtering technologies. The decision also notes that the law infringes upon the First Amendment right to anonymity because it forces patrons to reveal their identity in order to get certain sites unblocked.

Congress approved CIPA in December 1999, after even its own 18-member committee rejected the proposal because of the risk that "protected, harmless, or innocent speech would be accidentally or inappropriately blocked."
The chairman of the panel, Donald Telage, told the Wall Street Journal that "not even the most conservative members of the commission felt that [blocking] was the road to go down." The law would have required public libraries to install the filters or risk losing federal funding starting July 1.

CIPA was challenged by a coalition of libraries and patrons, with EPIC acting as co-counsel in the lawsuit. The statute provides for an automatic right of review to the Supreme Court; the government has not yet indicated whether it plans to seek such review.

The ruling is available at:

     http://www.epic.org/free_speech/cipa/opinion_e.d.pa.html

and

     http://www.epic.org/free_speech/cipa/cipa_ruling.pdf

EPIC's CIPA Page:

     http://www.epic.org/free_speech/cipa.html

"Filters & Freedom 2.0: Free Speech Perspectives on Internet Content Controls" is available at:

     http://www.epic.org/bookstore/filters2.0/

=======================================================================
[3] Coalition Questions New Investigative Guidelines
=======================================================================

Attorney General John Ashcroft has established new policies that pose serious threats to First Amendment and Fourth Amendment freedoms. The new Attorney General's Guidelines on General Crimes, Racketeering and Terrorism ("Guidelines") allow the FBI to engage in prospective searches of private-sector databases, and to attend public events and even religious gatherings where there is no suspicion of criminal activity. Under the new Guidelines, political speech and free association could be chilled by the specter of government monitoring and ordinary, law-abiding individuals could be profiled in government databases for signs of criminal deviance.

Ashcroft justified the Guidelines by claiming that FBI agents could not use the Internet, use private-sector databases, or even go into public places to prevent crime.
Those claims were inaccurate -- the FBI did engage in such activities under the former Guidelines, but only pursuant to a legitimate investigation, one that was based on information pointing to the possibility of criminal wrongdoing.

The FBI has a long history of using its investigative powers to monitor and disrupt legitimate, constitutionally-protected political activity. Years of abuses, perhaps marked most notably by an aggressive smear campaign of the Rev. Martin Luther King, Jr., led to the development of the first Attorney General's Guidelines in 1976.

A coalition of over thirty civil liberties organizations has sent letters to the House and Senate Judiciary Committees urging prompt review of the Attorney General's Guidelines. The letters urge Congress to review how the changes impact First Amendment freedoms of political and religious organizations, to question the legal basis for the changes, to establish regular oversight of FBI activities to prevent abuse, and to determine how long the guidelines will be in effect.

EPIC's Attorney General's Guidelines Page:

     http://www.epic.org/privacy/fbi/

Coalition Letter to the Senate Judiciary Committee on the Guidelines, June 4, 2002:

     http://www.indefenseoffreedom.org/ag_guidelines/senate_ltr.pdf

Coalition Letter to the House Judiciary Committee on the Guidelines, June 4, 2002:

     http://www.indefenseoffreedom.org/ag_guidelines/house_ltr.pdf

Attorney General's Guidelines:

     http://www.usdoj.gov/olp/

=======================================================================
[4] EU Officials Launch Investigation of Microsoft Passport
=======================================================================

The European Commission (EC) has begun an investigation into Microsoft's Passport to determine whether the service complies with data protection laws. The announcement came in a response to written questions posed by Dutch EC member Erik Meijer.
In March 2002, Meijer submitted a series of questions regarding the privacy of individuals' information in Passport, its security, whether aggregation of personal information through Passport was legal, and whether law enforcement officials could access the information without notice and consent to the data subject.

Commissioner Frits Bolkestein confirmed that the Commission was aware of Microsoft's Passport, and assured Meijer that the body "is looking to this as a matter of priority, [...] with national data protection authorities, as regards the system's compatibility (or not) with EU data protection law." The Commission plans to make a report on Microsoft Passport by the end of 2002.

In two previous filings with the Federal Trade Commission (FTC), fifteen privacy and consumer protection organizations urged the Commission to investigate Microsoft Passport and related services. However, the Commission has taken no public action to investigate Microsoft.

EPIC's Passport Investigation Docket:

     http://www.epic.org/privacy/consumer/microsoft/passport.html

EPIC's Sign Out of Passport Page:

     http://www.epic.org/privacy/consumer/microsoft/default.html

=======================================================================
[5] Data Retention: EU Vote and ReplayTV Decision
=======================================================================

The European Parliament voted on May 30 on the new European Union Telecommunications Privacy Directive (COM(2000)385). In a remarkable reversal of their original opposition to data retention, the members voted to allow each EU government to demand access to individuals' electronic communications. Included in the scope of the directive are e-mails, faxes, phone calls on land lines and cellular phones, messages on the World Wide Web, and electronic communications in general.
Law enforcement authorities could, in the future, be given the power by their national legislatures to require Internet service providers and telephone companies to store communications for long periods and provide them with traffic and localization data logs of individuals' communications. Such requirements could be implemented for purposes varying from national security to criminal investigations and prevention, and prosecution of criminal offences, all without specific judicial authorization.

The vote was the major final step before the final adoption of the European regulation. After the Council's approval, EU Member States' Parliaments have to implement the Directive into their own national legal system, which generally takes from 2 to 5 years. During this phase, the data retention provisions of the directive might raise constitutional issues in some countries as fundamental rights principles (e.g., presumption of innocence, right to privacy and secrecy of communication, and freedom of expression) contained in their constitutions may be interpreted to conflict with governmental measures that authorize preventive and generalized control of individuals' communications. The Directive also includes an obligation for the European Commission to report in three years to the Parliament and the Council on the implementation of the Directive and its impact on economic interests and consumers.

EPIC actively participated in a campaign with other members of the Global Internet Liberty Campaign to oppose data retention. A coalition of 60 civil liberties organizations and more than 16,000 individuals from 73 countries endorsed an open letter that was sent to all MEPs and heads of the EU institutions. The open letter asserted that data retention (for reasons other than billing purposes) is contrary to well-established international human rights conventions and case law.
Because of the cross-border nature of Internet communications, EU-wide implementation of data retention could have negative repercussions for Americans and citizens of other countries. In the United States, current regulations do not require data retention, even after the enactment of the anti-terrorism USA PATRIOT Act.

On the domestic front, a federal district court judge ruled on May 31 that ReplayTV would not be required to conduct electronic surveillance on its PVR customers. As previously reported (see EPIC Alert 9.10), entertainment studios had obtained an order from a lower judge requiring ReplayTV to collect data on the television uses of its customers. When ReplayTV (owned by SONICblue) challenged that order, EPIC and other groups filed an amicus brief, alerting the court to the privacy rights and intellectual freedom concerns implicated by the decision.

After this briefing, the Court stated that it was required "to decide whether the Magistrate Judge, based on the evidence and information before him, rendered a decision that was clearly erroneous or contrary to law." The Court further stated, "Although each of the issues raises serious questions, which have been very well briefed on all sides, the Court is persuaded to reverse the Magistrate Judge's Order on the grounds that it impermissibly requires defendants to create new data which does not now exist."

For more information on developments in the EU, see EPIC's new Data Retention web page:

     http://www.epic.org/privacy/intl/data_retention.html

An unofficial version of the new Telecommunication Privacy Directive (COM(2000)385) is available at:

     http://www.gilc.org/as_voted_2nd_read.html

Individuals are encouraged to endorse a new version of the open letter that will be sent to important officials of each EU Member State, and may do so until July 1, 2002 at:

     http://www.stop1984.com/index2.php?lang=en&text=letter.txt

Additional information on the ReplayTV case and related issues can be obtained at EPIC's ReplayTV Litigation Page:

     http://www.epic.org/litigation/replaytv/

=======================================================================
[6] "Observing Surveillance" in Washington, DC
=======================================================================

Privacy experts convened on June 3 to question the growing pervasiveness of video surveillance in American life at a conference entitled "Observing Surveillance," hosted by EPIC in Washington, DC. Designed to draw attention to increased surveillance of the nation's capital, the conference featured panel discussions, multimedia presentations, and an exhibit of photographs of some of the hundreds of cameras positioned within blocks of the National Mall, taken by EPIC policy fellow Cédric Laurant.

The current situation is a "pivotal moment" for the United States, said Simon Davies, director general of Privacy International. Davies said the United States must decide whether to limit the surreptitious surveillance of people in public places or go the route of countries like England where, with an estimated 2.5 million cameras, the average Londoner is caught on tape about 300 times per day. Camera surveillance was introduced in England to prevent terrorist attacks by the Irish Republican Army, but despite its proliferation it has been of little help, Davies said.
Other speakers also urged the United States not to follow England's lead by confusing greater surveillance with greater safety. Privacy and security can be compatible, said Deborah Hurley, former director of the Harvard Information Infrastructure Project and member of the EPIC Board of Directors. In fact, increased surveillance may lead to less security, noted Duke Law School professor James Boyle, because police departments are flooded with "junk data" that they do not have the resources to analyze.

Panelists also tried to counteract what polls show to be an apparent indifference on the part of the American public to the invasion of their privacy posed by surveillance cameras by arguing that there are in fact certain rights to privacy in public places. People conduct personal business in the public sphere, such as banking and visits to the doctor, that they do not expect to be made public, said Anita Allen-Castellitto, a University of Pennsylvania Law School professor. In addition, public areas such as parks and cafes are places of repose where people do not expect to be videotaped. Furthermore, such surveillance may have a chilling effect on people's exercise of their First Amendment rights, Allen-Castellitto said.

According to documents obtained by EPIC under the Freedom of Information Act, out of the 39 times the National Park Service's helicopter was used between July 2000 and May 2002, 23 instances involved surveillance of political demonstrations. The Park Service has also announced plans to install surveillance cameras at the sites it operates in Washington, DC, including the Washington Monument, before the end of 2002.

Observing Surveillance:

     http://www.observingsurveillance.org/

EPIC maintains a website on face recognition and other surveillance technologies at:

     http://www.epic.org/privacy/facerecognition/

=======================================================================
[7] EPIC Bookstore - Overseers of the Poor
=======================================================================

Overseers of the Poor: Surveillance, Resistance, and the Limits of Privacy, by John Gilliom.

     http://www.epic.org/bookstore/powells/redirect/alert911.html

Poor people have less of everything. Less autonomy, less social mobility, and as Professor John Gilliom of Ohio University illustrates in his second book on surveillance, less privacy.

Gilliom, in interviews with fifty mothers on welfare from the Appalachian Ohio area, details the surveillance programs used by the state to determine eligibility and worthiness for aid. He surveys the history of welfare surveillance, noting that government inquiry into recipients' lives has always been intense, but that it has been limited by technological abilities and the social norms of the times. With increased dependence on the Social Security Number (SSN), the government has been able to engage in pervasive tracking of aid recipients. Now, with the requirement that states implement Electronic Benefits Transfer (EBT) by October 2002, aid recipients are issued benefits cards that facilitate government tracking of all purchases. Combined with personal interviews delving into matters such as romantic relationships, this results in a comprehensive tracking system that subjects the poor "to forms and degrees of scrutiny matched only by the likes of patients, prisoners, and soldiers." Gilliom provides firsthand accounts of the humiliation brought to bear by individuals watched by the state.

Gilliom argues that traditional notions of privacy do not adequately describe the total surveillance in which the poor exist.
He argues that a new language is needed to describe the system of control that surveillance systems place on society: a language that explicitly recognizes surveillance as a tool of social control. He suggests that as a solution to this humiliation, aid recipients themselves have to be involved in defining the goals and framework of the welfare system.

While writing Overseers of the Poor, Gilliom himself attracted the gaze of the surveillance state. Police searched his home after finding a patch of marijuana located one-third of a mile from his home on land that he didn't even own. He describes in personal terms the trauma that the innocent can suffer in cleaning a home ransacked by police and in the possibility of losing one's home and employment. He argues that the search of his home was a profound violation of privacy, but that the advice of his attorney to avoid public activism and criticism of the police was worse.

- Chris Hoofnagle

================================

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Laws and Developments," (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/phr2001/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including, data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

================================

"The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001). Price: $40.
http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore/

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

** The Public Voice in Internet Policy Making. June 22, 2002. Washington, DC.
The Electronic Privacy Information Center (EPIC) will host a one-day public symposium to discuss the future of our rights and freedoms in the information age. The event is being hosted in conjunction with INET 2002 and is free and open to the public. For more information: http://www.thepublicvoice.org/events/dc02/ **

=======================================================================

Big Brother Is Watching: The Independent Policy Forum. The Independent Institute. June 6, 2002. Oakland, CA. For more information: http://www.independent.org/tii/forums/020606ipf.html

Save Privacy: Grenzverschiebungen im Digitalen Zeitalter. The Heinrich Böll Foundation. June 7-8, 2002. Berlin, Germany. For more information: http://www.saveprivacy.org/

Second Annual Information, Networks and Technology Institute. Berkeley Center for Law and Technology, University of Texas School of Law. June 13-14, 2002. San Jose, CA. For more information: http://www.utexas.edu/law/cle/conferences/summer2002/TJ02/

Privacy Paradox: The Gain of Security vs. Privacy's Loss. Strategic Research Institute. June 17-18, 2002. Chicago, IL. For more information: http://www.srinstitute.com/ci234/

INET 2002. Internet Crossroads: Where Technology and Policy Intersect. Internet Society. June 18-21, 2002. Washington, DC. For more information: http://www.inet2002.org/

Third Annual Institute on Privacy Law. Practising Law Institute. June 24-25, New York, NY. For more information: http://www.pli.edu/

IViR International Copyright Law Summer Course. Royal Netherlands Academy of Arts and Sciences. July 8-12, 2002. Amsterdam, Netherlands. For more information: http://www.ivir.nl/

O'Reilly Open Source Convention. O'Reilly and Associates. July 22-26, 2002. San Diego, CA. For more information: http://conferences.oreilly.com/oscon/

Cyberwar, Netwar and the Revolution in Military Affairs: Real Threats and Virtual Myths. International School on Disarmament and Research on Conflicts (ISODARCO). August 3-13, 2002.
Trento, Italy. For more information: http://www.isodarco.it/html/trento02.html

ILPF Conference 2002: Security v. Privacy. Internet Law & Policy Forum. September 17-19, 2002. Seattle, WA. For more information: http://www.ilpf.org/conference2002/

Privacy2002. Technology Policy Group. September 24-26, 2002. Cleveland, OH. For more information: http://www.privacy2000.org/privacy02/index.shtml

IAPO Privacy & Security Conference. International Association of Privacy Officers. October 16-18, 2002. Chicago, IL. For more information: http://www.privacyassociation.org/html/conferences.html

18th Annual Computer Security Applications Conference (ACSAC): Practical Solutions to Real Security Problems. Applied Computer Security Associates. December 9-13, 2002. Las Vegas, NV. For more information: http://www.acsac.org/

Third Annual Privacy Summit. International Association of Privacy Officers. February 26-28, 2003. Washington, DC. For more information: http://www.privacyassociation.org/html/conferences.html

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via email:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Back issues are available at:

     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list.
We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription email address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

     http://www.epic.org/donate/

=======================================================================

Drink coffee, support civil liberties, get a tax deduction, and learn Latin at the same time! Receive a free epic.org "sed quis custodiet ipsos custodes?" coffee mug with donation of $75 or more.

=======================================================================

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 9.11 -----------------------