
        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
    Volume 9.17                                 September 20, 2002
                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

Table of Contents

[1] Groups Urge Secret Appeals Court to Reject Expanded Spying Powers
[2] Bush Administration Releases Cyber Security Plan
[3] EPIC Testifies Before Congress on Preventing SSN Misuse
[4] FCC Approves Rulemaking on Telephone Consumer Protection Act
[5] Coalition Urges FTC to Adopt Effective Strategy for Passport
[6] Groups File Brief Opposing Identification of ISP Subscriber
[7] EPIC Bookstore - Litigation Under the Federal Open Government Laws
[8] Upcoming Conferences and Events

[1] Groups Urge Secret Appeals Court to Reject Expanded Spying Powers

EPIC today joined with a coalition of civil liberties groups to urge a
secret appeals court to reject a government bid for broadly expanded
powers to conduct "national security" surveillance on U.S. citizens.
In a "friend of the court" brief filed with the Foreign Intelligence
Surveillance Court of Review (FISCR), the groups said that expanding
such powers would jeopardize fundamental constitutional interests,
"including the First Amendment right to engage in lawful public
dissent, and the warrant, notice, and judicial review rights
guaranteed by the Fourth and Fifth Amendments."

At issue in the case is whether new Justice Department surveillance
rules seeking to use looser foreign intelligence standards to conduct
criminal investigations in the United States are constitutional and
permissible under the USA PATRIOT Act adopted by Congress after the
September 11 terrorist attacks.  The civil liberties brief urges the
FISCR to uphold a decision of the Foreign Intelligence Surveillance
Court, which in May unanimously rejected the government's bid for
expanded powers.  In its decision, the intelligence court documented
abuses of "national security" warrants by both the Bush and Clinton
Administrations, including serious errors in approximately 75
applications for foreign intelligence surveillance (see EPIC Alert

At a hearing last week, members of the Senate Judiciary Committee,
which has oversight of the Justice Department, also condemned the
government's position.  "We need to do our work well and ensure that
domestic surveillance is aimed at true national security targets and
does not simply serve as an excuse to violate the Constitutional
rights of our own citizens," said Committee Chairman Patrick J. Leahy
(D-VT).  "The abuses of the past are far too fresh simply to surrender
to the executive branch unfettered discretion to determine the scope
of these changes."

After the lower court's decision was made public in late August, the
civil liberties groups notified the FISCR that they intended to file a
brief.  The groups had hoped to submit their brief before the appeals
court met to review the case, but the secret court met on September 9
and only the government was allowed to present arguments.  EPIC joined
the American Civil Liberties Union, Center for Democracy and
Technology, Center for National Security Studies, Electronic Frontier
Foundation, and the Open Society Institute in submitting today's

The civil liberties amicus brief is available at:


Background information on the Foreign Intelligence Surveillance Act,
including the current controversy, is available at:


The text of the USA PATRIOT ACT is available at:


[2] Bush Administration Releases Cyber Security Plan

Amid tight security on pre-publication, the President's Critical
Infrastructure Protection Board on September 18 released its first
public draft of the National Strategy to Secure Cyberspace at a joint
government-industry press event at Stanford University.  The White
House claimed the draft plan "was developed in close collaboration
with key sectors of the economy that rely on cyberspace, State, and
local governments, colleges and universities, and concerned

Among the initiatives called for in the strategy are the creation of a
North American "Cyber Safe Zone," extension of the Council of Europe
Cybercrime Convention to other countries not currently signatories to
the Convention, and the promotion of "national and international watch
and warning" and a "global 'culture of security.'"  Identifiable
"cyber points of contact" are also encouraged in the plan.

The plan separates cyberspace into five levels: 1) Home users and
small businesses; 2) Major private enterprises; 3) Various sectors of
the national information infrastructure; 4) National Priorities; and
5) Global.

The draft represents an ongoing work in progress that is subject to
change and modification, according to White House sources.  Earlier
drafts of the plan were viewed by the private sector, particularly the
wireless industry and Internet Service Providers, as unreasonably
mandating government-induced security standards.

Contrary to earlier reports, the National Strategy does not contain
requirements of data retention or any other data collection/data
mining requirements by ISPs or other IT service providers.
Significantly, unlike previous versions of the plan, the current draft
strategy does not call for the creation of a Federal privacy "czar"

Comments on the plan are invited until November 18, 2002.  They may be
e-mailed to feedback@who.eop.gov.

The draft National Strategy to Secure Cyberspace is available at:


[3] EPIC Testifies Before Congress on Preventing SSN Misuse

At a joint hearing before two House subcommittees, EPIC legislative
counsel Chris Hoofnagle urged Congress to create a comprehensive set
of limitations on the collection and use of the Social Security Number
(SSN).  The hearing, chaired by Rep. Clay Shaw (R-FL), focused on
"Preserving the Integrity of Social Security Numbers and Preventing
Their Misuse by Terrorists and Identity Thieves."  Representatives
from the Social Security Administration, the Federal Bureau of
Investigation, and the Secret Service also testified before the

EPIC's testimony covered recent developments in identity theft, state
attempts to limit the SSN, and federal legislation designed to stem
SSN use.  According to the Privacy Rights Clearinghouse,
500,000-700,000 persons are affected by identity theft annually.  The
toll on victims is burdensome -- most victims do not discover that
their identities have been stolen until many months after the crime
has occurred.  Victims spend hundreds of hours and substantial sums of
money fixing their credit rating.

Two states, California and Georgia, have recently passed legislation
to limit the use of SSNs.  In California, Senate Bill 168 was signed
into law in October 2001.  The bill prohibits public posting of SSNs
and the printing of SSNs on identity cards or documents used to obtain
a product or service.  The bill also prohibits businesses from
printing SSNs on invoices or bills sent through the mail.  In Georgia,
businesses are now required to safely dispose of records that contain
personal identifiers.  Business records -- including data stored on
computer hard drives -- must be shredded or, in the case of electronic
records, completely wiped clean where they contain SSNs, driver's
license numbers, dates of birth, medical information, account
balances, or credit limit information.  The Georgia law carries
penalties up to $10,000.

EPIC praised H.R. 2036, the Social Security Number Privacy and
Identity Theft Prevention Act of 2001, which was introduced by Rep.
Shaw and enjoys bipartisan support.  The bill would establish
meaningful restrictions on the sale and display of SSNs, and
discourage the use of the identifier in the private sector.

EPIC's Testimony:


Hearing Notice and Links to Witness Testimony:


H.R. 2036, Social Security Number Privacy and Identity Theft
Prevention Act of 2001:


[4] FCC Approves Rulemaking on Telephone Consumer Protection Act

The Federal Communications Commission (FCC) has approved a notice of
proposed rulemaking (NPRM) on the Telephone Consumer Protection Act of
1991 (TCPA), a federal law that regulates telemarketing and fax
advertising.  The NPRM solicits comments on a series of telemarketing
issues, including automatic dialers, prerecorded voice telemarketing,
unsolicited fax advertising, and whether the FCC should create a
national do-not-call (DNC) list.  The TCPA authorized the FCC to
create a DNC list ten years ago, but the agency declined to do so.
Instead, the FCC adopted a "company-specific" DNC list that requires
individuals to opt-out from each business that engages in

The Direct Marketing Association (DMA) has opposed the creation of DNC
lists, arguing that its opt-out list, the "Telephone Preference
Service" (TPS), adequately protects consumers.  However, the TPS only
applies to DMA members.  Enrollment in the TPS is burdensome, as the
DMA allows a free opt-out only to those who send in a letter by postal
mail.  Additionally, states have been far more effective in
facilitating convenient enrollment in DNC lists.  Many states offer
free Internet enrollment, but the DMA continues to charge $5 for the
same service.

Earlier this year, the Federal Trade Commission (FTC) sought public
comment on telemarketing practices and on whether that agency should
create a national DNC list.  The FCC voted 4-0 to examine these same
issues, marking a willingness to cooperate with FTC in order to create
more comprehensive protections against telemarketing.  The mood of the
FCC commissioners was favorable to empowering individuals to exercise
control over telemarketing solicitations.  Commissioner Michael Copps
said, "Unrestricted telemarketing has gone beyond being a nuisance and
become in many cases an invasion of privacy."

FCC NPRM on Regulations Implementing the Telephone Consumer Protection
Act of 1991:


EPIC's Telemarketing Page:


[5] Coalition Urges FTC to Adopt Effective Strategy for Passport

In comments to the Federal Trade Commission (FTC), EPIC and a
coalition of privacy organizations urged the agency to amend its
Consent Order regarding Microsoft Passport to include greater privacy
protections.  In July and August 2001, EPIC and a coalition of privacy
organizations filed complaints with the FTC describing privacy and
security risks inherent in the Microsoft Passport identification and
authentication system.  The FTC began an investigation into Passport,
and in July 2002, issued a Complaint and Consent Order finding four
violations of federal consumer protection law (see EPIC Alert 9.15).

The Consent Order requires Microsoft to implement a new information
security program that is audited by an independent third party. The
company must reassess this security program every two years. Microsoft
is also barred from making misrepresentations about the security or
privacy of Passport.

The groups made four recommendations to the FTC to ensure effective
implementation of the Consent Order.  First, the groups requested that
the security audits of Passport be made available to the public, and
that individuals be given access to their entire Passport profile.
Second, the groups recommended that the FTC examine AOL's
authentication system, the "Screen Name Service," and Project Liberty,
which is currently under development.  Third, the groups recommended
that the FTC ensure Microsoft is complying with the EU-US Safe Harbor.
Last, the groups requested the FTC to establish limitations on the
functions of Passport.  Without limitations on the functions that
Passport performs and the information that Passport collects, Passport
becomes an increasingly attractive and lucrative target for malicious

EPIC's Comments on the Microsoft Passport Consent Order:


EPIC's "Sign Out of Passport" Page:


FTC Consent Order Page:


[6] Groups File Brief Opposing Identification of ISP Subscriber

EPIC and a coalition of civil liberties groups filed an amicus brief
in late August challenging the Recording Industry Association of
America (RIAA)'s attempt to identify a Verizon ISP subscriber.  The
brief argues that a portion of the Digital Millennium Copyright Act
(DMCA) unconstitutionally violates individuals' right to anonymous

The case arose after Verizon refused to comply with a subpoena sent by
the RIAA in July, compelling the ISP to release the name of a customer
accused of illegally trading hundreds of songs.  RIAA filed suit
seeking to have a court enforce the subpoena and force Verizon to
disclose the customer's name.  The RIAA's subpoena was sent pursuant
to a provision of the DMCA that permits a copyright owner to send a
subpoena (without filing a lawsuit) ordering a "service provider" to
turn over information about a subscriber.

The amicus brief states that the provision violates the right of
Americans to be anonymous online: "Purported copyright owners should
not have the right to violate protected, anonymous speech with what
amounts to a single snap of the fingers."  The amicus brief (as well
as Verizon's brief, which opposes RIAA's motions mostly on procedural
grounds) maintains that the RIAA has the right to unmask a true
copyright infringer, but argues that common civil procedure rules have
always provided sufficient routes for obtaining such information.

If copyright owners were permitted to use the DMCA's subpoena process
to assail peer-to-peer pirates, the amicus brief argues, the combined
number of notices and subpoenas that Internet providers would have to
process could easily reach into the millions annually.

The coalition's Amicus Brief is available at:


Verizon's Brief is available at:


[7] EPIC Bookstore - Litigation Under the Federal Open Government Laws


Litigation Under the Federal Open Government Laws 2002
570 pages, $40.00


     "Deserves a place in the library of everyone who
     is involved in, or thinking about, litigation
     under the Freedom of Information Act."

                              - Steve Aftergood
                                Federation of American Scientists

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  EPIC has
published the book jointly with Access Reports and the James Madison

This 21st edition fully updates the manual that lawyers, journalists
and researchers have relied on for more than 25 years.  It is edited
by Harry Hammitt of Access Reports, David L. Sobel of EPIC, and Mark
S. Zaid of the James Madison Project.  The book draws upon the
expertise of practicing attorneys who are recognized leaders in the

Appendices include the text of the relevant acts, and sample pleadings
for litigators.  "Litigation Under the Federal Open Government Laws
2002" adheres to the same high standards as previous editions and is
intended as a guide for FOIA requesters and plaintiff litigators.  For
those who litigate open government cases (or need to learn how to
litigate them), this is an essential reference manual.

EPIC Publications:

"Privacy & Human Rights 2002: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, video surveillance, location tracking, ID
systems and freedom of information laws.


"The Privacy Law Sourcebook 2001: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40. http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore

     "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

Civil Liberties Under Attack -- One Year Later. National Lawyers
Guild; Refuse & Resist. September 7, 2002. Los Angeles, CA. For more
information: http://www.refuseandresist.org/new/calendar.php

IT and Law. University of Geneva, University of Bern, Swiss
Association of IT and Law. September 9-10, 2002. Geneva, Switzerland.
For more information: http://www.informatiquejuridique.ch/

Observing Surveillance. Photo Exhibit. September 12, 2002. Washington,
DC. For more information: dcvsp@epic.org

ILPF Conference 2002: Security v. Privacy. Internet Law & Policy
Forum. September 17-19, 2002. Seattle, WA. For more information:

The Biometric Consortium Conference (BC2002). Biometric Consortium.
September 23-25, 2002. Arlington, VA. For more information:

Privacy2002: Information, Security & New Global Realities. Technology
Policy Group. September 24-26, 2002. Cleveland, OH. For more
information: http://www.privacy2000.org/privacy2002/

Privacy Management Summit. Privastaff. September 25, 2002. San Jose,
CA. For more information: http://www.privastaff.com/psevents.html

Commercialization of Human Genomics: Consequences for Science and
Humanity. Duke University Center for Genome Ethics, Law, and Policy.
September 27-28, 2002. Durham, NC. For more information:

Privacy in Ubicomp 2002: Workshop on Socially-informed Design of
Privacy-enhancing Solutions in Ubiquitous Computing. Held as part of
UBICOMP 2002. September 29, 2002. Goeteborg, Sweden. For more
information: http://guir.berkeley.edu/privacyworkshop2002/

Shrinking World, Expanding Net. Computer Professionals for Social
Responsibility (CPSR). October 5, 2002. Cambridge, MA. For more
information: http://www.cpsr.org/conferences/annmtg02/

Bridging the Digital Divide: Challenge and Opportunities. 3rd World
Summit on Internet and Multimedia. October 8-11, 2002. Montreux,
Switzerland. For more information: http://www.internetworldsummit.org/

2002 WSEAS International Conference on Information Security (ICIS
'02). World Scientific and Engineering Academy and Society. October
14-17, 2002. Rio de Janeiro, Brazil. For more information:

IAPO Privacy & Security Conference. International Association of
Privacy Officers. October 16-18, 2002. Chicago, IL. For more
information: http://www.privacyassociation.org/html/conferences.html

Privacy Trends: Complying With New Demands. Riley Information Services
Inc. and the Commonwealth Centre for Electronic Governance. October
22, 2002. Ottawa, Canada. For more information:

3rd Annual Privacy and Security Workshop: Privacy & Security: Totally
Committed. Centre for Applied Cryptographic Research, University of
Waterloo and the Information and Privacy Commissioner/Ontario.
University of Toronto. November 7-8, 2002. Toronto, Canada. For more
information: http://www.epic.org/redirect/cacr.html

First Hawaii Biometrics Conference. Windward Community College,
Pacific Center for Advanced Technology Training (PCATT). November
10-13, 2002. Waikiki, HI. For more information:

Transformations in Politics, Culture and Society. Inter-
Disciplinary.Net. December 6-8, 2002. Brussels, Belgium. For more
information: http://www.inter-disciplinary.net/tpcs1.htm

18th Annual Computer Security Applications Conference (ACSAC):
Practical Solutions to Real Security Problems. Applied Computer
Security Associates. December 9-13, 2002. Las Vegas, NV. For more
information: http://www.acsac.org/

Third Annual Privacy Summit. International Association of Privacy
Officers. February 26-28, 2003. Washington, DC. For more information:

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy.
Association for Computing Machinery (ACM). April 1-4, 2003. New York,
NY. For more information: http://www.cfp.org/

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription email address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learn
Latin at the same time!  Receive a free epic.org "sed quis custodiet
ipsos custodes?" coffee mug with donation of $75 or more.

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

   ---------------------- END EPIC Alert 9.17 -----------------------