        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
    Volume 9.11                                       June 5, 2002
                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.
Table of Contents

[1] FBI Docs Obtained by EPIC: Carnivore Hampered Terror Probe
[2] EPIC, ACLU Prevail - Library Filtering Law Unconstitutional
[3] Coalition Questions New Investigative Guidelines
[4] EU Officials Launch Investigation of Microsoft Passport
[5] Data Retention: EU Vote and ReplayTV Decision
[6] "Observing Surveillance" in Washington, DC
[7] EPIC Bookstore - Overseers of the Poor
[8] Upcoming Conferences and Events

[1] FBI Docs Obtained by EPIC: Carnivore Hampered Terror Probe

FBI documents obtained by EPIC show that an anti-terrorism
investigation possibly involving Osama bin Laden was hampered by
technical flaws in the Bureau's controversial Carnivore Internet
surveillance system.  A written report describes the incident as part
of a "pattern" indicating "an inability on the part of the FBI to
manage" its foreign intelligence surveillance activities.

An internal FBI e-mail message dated April 5, 2000, recounts how the
Carnivore "software was turned on and did not work correctly."  The
surveillance system captured not only the electronic communications of
the court-authorized target, "but also picked up E-Mails on
non-covered" individuals, a violation of federal wiretap law.
According to the Bureau document, the "FBI technical person was
apparently so upset that he destroyed all the E-Mail take, including
the take on [the authorized target]."

The botched surveillance was performed by the FBI's International
Terrorism Operations Section (ITOS) and its "UBL Unit," which refers
to the government's official designation of bin Laden.  The Bureau
document indicates that an official at the Justice Department's Office
of Intelligence Policy and Review became aware of the problem, and
"[t]o state that she is unhappy with ITOS and the UBL Unit would be an
understatement of incredible proportions."

The reported problem apparently was not the first to arise during the
course of FBI implementation of the Foreign Intelligence Surveillance
Act (FISA).  The internal document concludes its report of the "UBL
Unit" incident by noting, "When you add this story to the FISA
mistakes covered in [another, unreleased document], you have a pattern
of occurrences which indicate to OIPR an inability on the part of the
FBI to manage its FISAs."  Two Bureau documents written one week later
discuss Carnivore's tendency to cause "the improper capture of data,"
and note that "[s]uch unauthorized interceptions not only can violate
a citizen's privacy but also can seriously 'contaminate' ongoing
investigations" and that such interceptions are "unlawful."

Since its existence became public in 2000, the Carnivore system has
been criticized by EPIC and other privacy groups, as well as members
of Congress, because it gives the FBI unprecedented, direct access to
the data networks of Internet service providers.  The FBI has publicly
downplayed the system's potential for over-collection of private
communications, although internal documents released earlier to EPIC
confirmed such a risk.

The newly-released FBI documents were provided to EPIC on May 24, in
response to a court order issued by U.S. District Judge James
Robertson in EPIC's ongoing lawsuit seeking the disclosure of material
concerning Carnivore.  The order directed the Bureau to conduct a
second search for relevant documents after EPIC successfully argued
(over the Bureau's objections) that an initial FBI search was
inadequate and likely overlooked responsive records (see EPIC Alert

More information on Carnivore, including the newly-released FBI
documents, is available at:


[2] EPIC, ACLU Prevail - Library Filtering Law Unconstitutional

A three-judge panel in Philadelphia ruled May 31 that the government's
third attempt to regulate content on the Internet violates the First
Amendment because it would restrict substantial amounts of protected
speech "whose suppression serves no legitimate government interest."
This censorship comes in the form of the Children's Internet Protection
Act (CIPA), which requires the installation of filtering software on
computers in libraries that receive federal support.

In a 195-page opinion, the panel concluded that current filtering
technology is far too problematic to survive First Amendment scrutiny,
and that these "[f]iltering products' shortcomings will not be solved
through a technical solution in the foreseeable future."  EPIC's
recent publication, Filters & Freedom 2.0, details the free expression
implications of filtering technologies.  The decision also notes that
the law infringes upon the First Amendment right to anonymity because
it forces patrons to reveal their identity in order to get certain
sites unblocked.

Congress approved CIPA in December 1999, after even its own 18-member
committee rejected the proposal because of the risk that "protected,
harmless, or innocent speech would be accidentally or inappropriately
blocked."  The chairman of the panel, Donald Telage, told the Wall
Street Journal that "not even the most conservative members of the
commission felt that [blocking] was the road to go down."  The law
would have required public libraries to install the filters or risk
losing federal funding starting July 1.  CIPA was challenged by a
coalition of libraries and patrons, with EPIC acting as co-counsel in
the lawsuit.

The statute provides for an automatic right of review to the Supreme
Court; the government has not yet indicated whether it plans to seek
such review.

The ruling is available at:

     and http://www.epic.org/free_speech/cipa/cipa_ruling.pdf



"Filters & Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" is available at:


[3] Coalition Questions New Investigative Guidelines

Attorney General John Ashcroft has established new policies that pose
serious threats to First Amendment and Fourth Amendment freedoms.  The
new Attorney General's Guidelines on General Crimes, Racketeering and
Terrorism ("Guidelines") allow the FBI to engage in prospective
searches of private-sector databases, and to attend public events and
even religious gatherings where there is no suspicion of criminal
activity.  Under the new Guidelines, political speech and free
association could be chilled by the specter of government monitoring
and ordinary, law-abiding individuals could be profiled in government
databases for signs of criminal deviance.

Ashcroft justified the Guidelines by claiming that FBI agents could
not use the Internet, use private-sector databases, or even go into
public places to prevent crime.  Those claims were inaccurate -- the
FBI did engage in such activities under the former Guidelines, but
only pursuant to a legitimate investigation, one that was based on
information pointing to the possibility of criminal wrongdoing.

The FBI has a long history of using its investigative powers to
monitor and disrupt legitimate, constitutionally-protected political
activity.  Years of abuses, perhaps marked most notably by an
aggressive smear campaign of the Rev. Martin Luther King, Jr., led to
the development of the first Attorney General's Guidelines in 1976.

A coalition of over thirty civil liberties organizations has sent
letters to the House and Senate Judiciary Committees urging prompt
review of the Attorney General's Guidelines.  The letters urge
Congress to review how the changes impact First Amendment freedoms of
political and religious organizations, to question the legal basis for
the changes, to establish regular oversight of FBI activities to
prevent abuse, and to determine how long the guidelines will be in

EPIC's Attorney General's Guidelines Page:


Coalition Letter to the Senate Judiciary Committee on the Guidelines,
June 4, 2002:


Coalition Letter to the House Judiciary Committee on the Guidelines,
June 4, 2002:


Attorney General's Guidelines:


[4] EU Officials Launch Investigation of Microsoft Passport

The European Commission (EC) has begun an investigation into
Microsoft's Passport to determine whether the service complies with
data protection laws.  The announcement came in a response to written
questions posed by Dutch EC member Erik Meijer.

In March 2002, Meijer submitted a series of questions regarding the
privacy of individuals' information in Passport, its security, whether
aggregation of personal information through Passport was legal, and
whether law enforcement officials could access the information without
notice and consent to the data subject.

Commissioner Frits Bolkestein confirmed that the Commission was aware
of Microsoft's Passport, and assured Meijer that the body "is looking
to this as a matter of priority, [...] with national data protection
authorities, as regards the system's compatibility (or not) with EU
data protection law."  The Commission plans to make a report on
Microsoft Passport by the end of 2002.

In two previous filings with the Federal Trade Commission (FTC),
fifteen privacy and consumer protection organizations urged the
Commission to investigate Microsoft Passport and related services.
However, the Commission has taken no public action to investigate

EPIC's Passport Investigation Docket:


EPIC's Sign Out of Passport Page:


[5] Data Retention: EU Vote and ReplayTV Decision

The European Parliament voted on May 30 on the new European Union
Telecommunications Privacy Directive (COM(2000)385).  In a remarkable
reversal of their original opposition to data retention, the members
voted to allow each EU government to demand access to individuals'
electronic communications.  Included in the scope of the directive are
e-mails, faxes, phone calls on land lines and cellular phones,
messages on the World Wide Web, and electronic communications in
general.  Law enforcement authorities could, in the future, be given
the power by their national legislatures to require Internet service
providers and telephone companies to store communications for long
periods and provide them with traffic and localization data logs of
individuals' communications.  Such requirements could be implemented
for purposes varying from national security to criminal investigations
and prevention, and prosecution of criminal offences, all without
specific judicial authorization.

The vote was the major final step before the final adoption of the
European regulation.  After the Council's approval, EU Member States'
Parliaments have to implement the Directive into their own national
legal system, which generally takes from 2 to 5 years.  During this
phase, the data retention provisions of the directive might raise
constitutional issues in some countries as fundamental rights
principles (e.g., presumption of innocence, right to privacy and
secrecy of communication, and freedom of expression) contained in
their constitutions may be interpreted to conflict with governmental
measures that authorize preventive and generalized control of
individuals' communications.  The Directive also includes an
obligation for the European Commission to report in three years to the
Parliament and the Council on the implementation of the Directive and
its impact on economic interests and consumers.

EPIC actively participated in a campaign with other members of the
Global Internet Liberty Campaign to oppose data retention.  A
coalition of 60 civil liberties organizations and more than 16,000
individuals from 73 countries endorsed an open letter that was sent to
all MEPs and heads of the EU institutions.  The open letter asserted
that data retention (for reasons other than billing purposes) is
contrary to well-established international human rights conventions
and case law.  Because of the cross-border nature of Internet
communications, EU-wide implementation of data retention could have
negative repercussions for Americans and citizens of other countries.
In the United States, current regulations do not require data
retention, even after the enactment of the anti-terrorism USA PATRIOT

On the domestic front, a federal district court judge ruled on May 31
that ReplayTV would not be required to conduct electronic surveillance
on its PVR customers.  As previously reported (see EPIC Alert 9.10),
entertainment studios had obtained an order from a lower judge
requiring ReplayTV to collect data on the television uses of its
customers.  When ReplayTV (owned by SONICblue) challenged that order,
EPIC and other groups filed an amicus brief, alerting the court to the
privacy rights and intellectual freedom concerns implicated by the
decision.  After this briefing, the Court stated that it was required
"to decide whether the Magistrate Judge, based on the evidence and
information before him, rendered a decision that was clearly erroneous
or contrary to law."  The Court further stated, "Although each of the
issues raises serious questions, which have been very well briefed on
all sides, the Court is persuaded to reverse the Magistrate Judge's
Order on the grounds that it impermissibly requires defendants to
create new data which does not now exist."

For more information on developments in the EU, see EPIC's new Data
Retention web page:


An unofficial version of the new Telecommunication Privacy Directive
(COM(2000)385) is available at:


Individuals are encouraged to endorse a new version of the open letter
that will be sent to important officials of each EU Member State, and
may do so until July 1, 2002 at:


Additional information on the ReplayTV case and related issues can be
obtained at EPIC's ReplayTV Litigation Page:


[6] "Observing Surveillance" in Washington, DC

Privacy experts convened on June 3 to question the growing
pervasiveness of video surveillance in American life at a conference
entitled "Observing Surveillance," hosted by EPIC in Washington, DC.
Designed to draw attention to increased surveillance of the nation's
capital, the conference featured panel discussions, multimedia
presentations, and an exhibit of photographs of some of the hundreds
of cameras positioned within blocks of the National Mall, taken by
EPIC policy fellow Cédric Laurant.

The current situation is a "pivotal moment" for the United States,
said Simon Davies, director general of Privacy International.  Davies
said the United States must decide whether to limit the surreptitious
surveillance of people in public places or go the route of countries
like England where, with an estimated 2.5 million cameras, the average
Londoner is caught on tape about 300 times per day.  Camera
surveillance was introduced in England to prevent terrorist attacks by
the Irish Republican Army, but despite its proliferation it has been
of little help, Davies said.

Other speakers also urged the United States not to follow England's
lead by confusing greater surveillance with greater safety.  Privacy
and security can be compatible, said Deborah Hurley, former director
of the Harvard Information Infrastructure Project and member of the
EPIC Board of Directors.  In fact, increased surveillance may lead to
less security, noted Duke Law School professor James Boyle, because
police departments are flooded with "junk data" that they do not have
the resources to analyze.

Panelists also tried to counteract what polls show to be an apparent
indifference on the part of the American public to the invasion of
their privacy posed by surveillance cameras by arguing that there are
in fact certain rights to privacy in public places.  People conduct
personal business in the public sphere, such as banking and visits to
the doctor, that they do not expect to be made public, said Anita
Allen-Castellitto, a University of Pennsylvania Law School professor.
In addition, public areas such as parks and cafes are places of repose
where people do not expect to be videotaped.  Furthermore, such
surveillance may have a chilling effect on people's exercise of their
First Amendment rights, Allen-Castellitto said.

According to documents obtained by EPIC under the Freedom of
Information Act, out of the 39 times the National Park Service's
helicopter was used between July 2000 and May 2002, 23 instances
involved surveillance of political demonstrations.  The Park Service
has also announced plans to install surveillance cameras at the sites
it operates in Washington, DC, including the Washington Monument,
before the end of 2002.

Observing Surveillance:


EPIC maintains a website on face recognition and other surveillance
technologies at:


[7] EPIC Bookstore - Overseers of the Poor

Overseers of the Poor: Surveillance, Resistance, and the Limits of
Privacy, by John Gilliom.


Poor people have less of everything.  Less autonomy, less social
mobility, and as Professor John Gilliom of Ohio University illustrates
in his second book on surveillance, less privacy.  Gilliom, in
interviews with fifty mothers on welfare from the Appalachian Ohio
area, details the surveillance programs used by the state to determine
eligibility and worthiness for aid.  He surveys the history of welfare
surveillance, noting that government inquiry into recipients' lives
has always been intense, but that it has been limited by technological
abilities and the social norms of the times.

With increased dependence on the Social Security Number (SSN), the
government has been able to engage in pervasive tracking of aid
recipients.  Now, with the requirement that states implement
Electronic Benefits Transfer (EBT) by October 2002, aid recipients are
issued benefits cards that facilitate government tracking of all
purchases.  Combined with personal interviews delving into matters
such as romantic relationships, this results in a comprehensive
tracking system that subjects the poor "to forms and degrees of
scrutiny matched only by the likes of patients, prisoners, and

Gilliom provides firsthand accounts of the humiliation borne by
individuals watched by the state.  Gilliom argues that traditional
notions of privacy do not adequately describe the total surveillance
in which the poor exist.  He argues that a new language is needed to
describe the system of control that surveillance systems place on
society: a language that explicitly recognizes surveillance as a tool
of social control.  He suggests that as a solution to this
humiliation, aid recipients themselves have to be involved in defining
the goals and framework of the welfare system.

While writing Overseers of the Poor, Gilliom himself attracted the
gaze of the surveillance state.  Police searched his home after
finding a patch of marijuana located one-third of a mile from his home
on land that he didn't even own.  He describes in personal terms the
trauma that the innocent can suffer in cleaning a home ransacked by
police and in the possibility of losing one's home and employment.  He
argues that the search of his home was a profound violation of
privacy, but that the advice of his attorney to avoid public activism
and criticism of the police was worse.

- Chris Hoofnagle

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Laws
and Developments," (EPIC 2001). Price: $20.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, ID systems and freedom of information

"The Privacy Law Sourcebook 2001: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40. http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore
     "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

** The Public Voice in Internet Policy Making. June 22, 2002.
Washington, DC. The Electronic Privacy Information Center (EPIC) will
host a one-day public symposium to discuss the future of our rights
and freedoms in the information age. The event is being hosted in
conjunction with INET 2002 and is free and open to the public. For
more information: http://www.thepublicvoice.org/events/dc02/ **


Big Brother Is Watching: The Independent Policy Forum. The Independent
Institute. June 6, 2002. Oakland, CA. For more information:

Save Privacy: Grenzverschiebungen im Digitalen Zeitalter. The Heinrich
Böll Foundation. June 7-8, 2002. Berlin, Germany. For more
information: http://www.saveprivacy.org/

Second Annual Information, Networks and Technology Institute. Berkeley
Center for Law and Technology, University of Texas School of Law. June
13-14, 2002. San Jose, CA. For more information:

Privacy Paradox: The Gain of Security vs. Privacy's Loss. Strategic
Research Institute. June 17-18, 2002. Chicago, IL. For more
information: http://www.srinstitute.com/ci234/

INET 2002. Internet Crossroads: Where Technology and Policy Intersect.
Internet Society. June 18-21, 2002. Washington, DC. For more
information: http://www.inet2002.org/

Third Annual Institute on Privacy Law. Practising Law Institute. June
24-25, New York, NY. For more information: http://www.pli.edu/

IViR International Copyright Law Summer Course. Royal Netherlands
Academy of Arts and Sciences. July 8-12, 2002. Amsterdam, Netherlands.
For more information: http://www.ivir.nl/

O'Reilly Open Source Convention. O'Reilly and Associates. July 22-26,
2002. San Diego, CA. For more information:

Cyberwar, Netwar and the Revolution in Military Affairs: Real Threats
and Virtual Myths. International School on Disarmament and Research on
Conflicts (ISODARCO). August 3-13, 2002. Trento, Italy. For more
information: http://www.isodarco.it/html/trento02.html

ILPF Conference 2002: Security v. Privacy. Internet Law & Policy
Forum. September 17-19, 2002. Seattle, WA. For more information:

Privacy2002. Technology Policy Group. September 24-26, 2002.
Cleveland, OH. For more information:

IAPO Privacy & Security Conference. International Association of
Privacy Officers. October 16-18, 2002. Chicago, IL. For more
information: http://www.privacyassociation.org/html/conferences.html

18th Annual Computer Security Applications Conference (ACSAC):
Practical Solutions to Real Security Problems. Applied Computer
Security Associates. December 9-13, 2002. Las Vegas, NV. For more
information: http://www.acsac.org/

Third Annual Privacy Summit. International Association of Privacy
Officers. February 26-28, 2003. Washington, DC. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription email address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learn
Latin at the same time!  Receive a free epic.org "sed quis custodiet
ipsos custodes?" coffee mug with donation of $75 or more.

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.
   ---------------------- END EPIC Alert 9.11 -----------------------