==============================================================
                        EPIC ALERT
==============================================================
Volume 9.19                                   October 17, 2002
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_9.19.html

=======================================================================
Table of Contents
=======================================================================

[1] Memo Reveals FBI National Security Wiretap Violations
[2] Court Hears Argument in Warrant Service Procedure Case
[3] Public Interest Registry (PIR) To Operate .ORG
[4] EPIC, Junkbusters Urge AGs to Protect Privacy of Amazon Booklists
[5] National Research Council Report Finds Polygraph Testing Flawed
[6] House Passes Measure Requiring Agencies to Report Privacy Risks
[7] EPIC Bookstore - First Anniversary of the USA PATRIOT Act
[8] Upcoming Conferences and Events

=======================================================================
[1] Memo Reveals FBI National Security Wiretap Violations
=======================================================================

A recently released FBI memo provides the latest evidence that the Bureau has frequently overstepped its legal bounds when conducting intrusive national security surveillance. The document, which was written in April 2000 and originally classified as "secret," reveals that FBI agents illegally videotaped suspects, intercepted e-mail without court permission, recorded the wrong phone conversations, and conducted "unauthorized searches." The incidents detailed in the memo involved cases requiring warrants under the Foreign Intelligence Surveillance Act (FISA). The declassified document was obtained by Rep. William Delahunt (D-MA), with the assistance of EPIC.
The existence of the memo was first revealed in an FBI document obtained by EPIC earlier this year through its Freedom of Information Act lawsuit for information concerning the Bureau's controversial Carnivore Internet surveillance system (see EPIC Alert 9.11). That earlier disclosure, which showed that an anti-terrorism investigation involving Osama bin Laden was hampered by technical flaws in the Carnivore system, alluded to a separate document discussing other "FISA mistakes." EPIC worked with Rep. Delahunt's office to seek disclosure of the "mistakes" memo.

The latest disclosure comes as the Foreign Intelligence Surveillance Court of Review (FISCR), in its first proceeding since being created in 1978, is considering the legality of new Justice Department surveillance rules. DOJ has asked the FISCR to overturn a decision of the Foreign Intelligence Surveillance Court, which in May unanimously rejected the government's bid for expanded powers. In its decision, the intelligence court documented abuses of "national security" warrants by both the Bush and Clinton Administrations, including serious errors in approximately 75 applications for foreign intelligence surveillance (see EPIC Alert 9.16).

The newly disclosed "mistakes" memo reveals errors that extend beyond those detailed by the surveillance court in May, which concerned FBI misrepresentations in applications for surveillance warrants. The new "mistakes" involve the manner in which surveillance activities were actually conducted, a potentially more serious issue as the incidents appear to involve violations of both FISA and the Fourth Amendment.
The FBI "FISA mistakes" memo is available at:

     http://www.epic.org/privacy/terrorism/fisa/FISA-mistakes.pdf

Background information (including selected documents) on EPIC's Carnivore FOIA litigation is available at:

     http://www.epic.org/privacy/carnivore/

Background information on FISA is available at:

     http://www.epic.org/privacy/terrorism/fisa/

=======================================================================
[2] Court Hears Argument in Warrant Service Procedure Case
=======================================================================

On October 10, the Eighth Circuit held oral arguments in United States v. Bach, a case examining how the Fourth Amendment protects stored e-mail and other files held by Internet Service Providers (ISPs). The issue raised is whether a police officer's presence is required during service of a search warrant on an ISP. EPIC filed an amicus brief in the case, arguing that police officer presence is required during the service of a warrant on an ISP.

The case arose after Yahoo! was "served" with a search warrant by fax, a procedure that EPIC argues does not adequately safeguard the Fourth Amendment guarantee of a "reasonable" search. EPIC's brief details the history of U.S. search and seizure law, which has mandated officer presence at the site of the service of a warrant since the 1700s.

The district court suppressed the evidence, stating that the law enforcement practice of faxing search warrants for the contents of e-mails to ISPs violated the Constitution because the Fourth Amendment required the government to be physically present to execute the warrant. The government appealed to the circuit court. At oral argument, the government's attorney urged the court to resolve the question on narrow reasonableness grounds, without addressing the broader issue of whether an Internet user has an expectation of privacy in remotely stored files held by an ISP.
For more information on the case, see EPIC's Bach Page:

     http://www.epic.org/privacy/bach/

Recordings of the oral arguments and other files are available through the Web site of the U.S. Court of Appeals for the 8th Circuit:

     http://www.ca8.uscourts.gov/tmp/021238.html

=======================================================================
[3] Public Interest Registry (PIR) To Operate .ORG
=======================================================================

The Internet Corporation for Assigned Names and Numbers (ICANN) has selected the proposal of the Internet Society (ISOC) for the operation of the .org top-level domain, beginning January 1, 2003. The Public Interest Registry (PIR), established by ISOC, will be the registry operator. EPIC President Marc Rotenberg was named as one of the founding board members of PIR.

ICANN launched a bid solicitation and evaluation process last April. Eleven bids were received in response to a request for proposals. As part of the evaluation, two evaluation teams focused on technical issues. Another team, provided by ICANN's Non Commercial Domain Name Holders Constituency (NCDNHC), focused on the effectiveness of the proposals to address the particular needs of the .org registry. Additional input came from comments by the public and the applicants themselves.

ICANN is re-assigning the .org registry under a revised agreement among ICANN, VeriSign, and the U.S. Department of Commerce that was signed in May 2001. Under that agreement, VeriSign was permitted to keep its registrar business, NSI, provided that it agreed to relinquish .org at the end of December 2002, and subject to other provisions of the revised agreements. As part of those revised agreements, VeriSign agreed to endow the new operator with $5 million to help fund operating costs, provided that the new operator was a not-for-profit organization.
ISOC's .ORG Bid:

     http://www.isoc.org/dotorg/

ICANN Announcement:

     http://www.icann.org/announcements/announcement-14oct02.htm

ISOC Announcement:

     http://www.isoc.org/isoc/media/releases/021014pr.shtml

=======================================================================
[4] EPIC, Junkbusters Urge AGs to Protect Privacy of Amazon Booklists
=======================================================================

EPIC and Junkbusters Corp. have sent a letter to state Attorneys General (AGs) urging them to protect the privacy of Amazon.com's patrons. Specifically, the groups requested that Amazon.com be blocked from selling customers' booklists; that customers be guaranteed a right of access to and deletion of sales records; and that the company undergo an audit of its information practices. The letter was sent in response to a statement made by Amazon.com to the AGs in which the company indicated that it might sell customer records in the event of an acquisition or bankruptcy.

EPIC and Junkbusters noted that in other contexts, the same booklists that Amazon.com holds enjoy statutory and Constitutional protections. Circulation records held by libraries are covered by privacy laws or regulations in all states, and by systems that can expunge records of book borrowing. The groups also noted that in a recent case before the Colorado Supreme Court, it was held that a release of book records to law enforcement would violate readers' First Amendment rights.

The Massachusetts AG responded to the letter, encouraging Amazon.com to reply to the suggestions made by EPIC and Junkbusters. The AG statement clarifies that individuals who have sent e-mail to "never@amazon.com" to opt out of all information sharing will not have their records sold.

Amazon.com changed its privacy policy in September 2000 to allow the company to sell customer records in the event of a business acquisition or bankruptcy.
Previously, Amazon.com had promised that it would not sell or rent consumers' information. As a result of that change, EPIC severed its "affiliate" relationship with the company and filed a complaint with the FTC alleging that Amazon.com violated federal consumer protection law.

EPIC and Junkbusters Corp. Letter to the State Attorneys General:

     http://www.epic.org/privacy/amazon/amazonltr10.8.02.html

Massachusetts Attorney General's Response:

     http://www.epic.org/privacy/amazon/agresponse10.8.02.pdf

=======================================================================
[5] National Research Council Report Finds Polygraph Testing Flawed
=======================================================================

The National Academies' National Research Council recently conducted a study of the reliability and scientific soundness of using polygraph testing to identify spies or other national security risks in screening prospective and current employees, and reported that polygraph test results are unreasonably inaccurate when used in this manner. The U.S. Department of Energy and other federal agencies are required by law to test employees in sensitive positions.

While the accuracy of a polygraph may be satisfactory for investigation of specific, identifiable events (e.g. specific crimes), its accuracy is inadequate for screening employees for the following reasons: (1) examiners ask nonspecific questions during screenings, since the examiners do not know what security risks the examinee may be hiding; and (2) the test flags large numbers of truthful test takers as lying, while failing to spot actual security risks. In a population of 10,000 employees, including 10 spies, a polygraph sensitive enough to detect eight spies would result in 1,598 false positives.

The report also raises scientific objections: namely, that theories about the link between deception and the corresponding physiological effects being measured (e.g.
breathing rates, sweating and blood pressure) have not been subjected to vigorous scientific study and are therefore unverified. The polygraph test is especially susceptible to error because a number of psychological and physical factors can have an effect on test results. Worse yet, deceptive individuals, with sufficient incentive and resources, can learn to duplicate the physiological responses of truthful test takers.

For these reasons, the study concluded that the federal government should not rely on polygraph tests for screening employees to identify national security risks. Congress recommended that the Department of Energy devise a new plan to screen employees that would take the study's findings into account.

For the full report, see National Research Council, The Polygraph and Lie Detection (2002):

     http://www.nap.edu/books/0309084369/html/

=======================================================================
[6] House Passes Measure Requiring Agencies to Report Privacy Risks
=======================================================================

The House of Representatives has passed H.R. 4561, the Federal Agency Protection of Privacy Act (FAPPA). Introduced by Rep. Bob Barr (R-GA), the measure would require all federal agencies to articulate how new regulations will affect privacy interests. A companion bill has been introduced as S. 2492 in the Senate by Sen. Max Cleland (D-GA).

The bill would require agencies to issue an initial privacy impact analysis when publishing a rulemaking. The initial analysis follows a strong framework of Fair Information Practices (FIPs) by explaining how the agency plans to collect, use, secure, disclose, and prevent secondary use of personal information. The agency must also explain how an individual can gain access to and correct information held by the agency under the proposed rule. Additionally, agencies must consider significant alternatives to the proposed rule to minimize privacy risks.
Upon promulgating a rule, the bill would require the agency to issue a final privacy impact analysis. This final report would assess information practices explained in the initial analysis, summarize any potential risks raised by comments from the public, and describe how the agency has taken steps to minimize privacy risks. The bill also calls for periodic review of rules to determine whether policies can be changed to be less invasive of individual privacy.

Individuals adversely affected by agency action would be able to sue under the FAPPA. In such a case, the court could require the agency to reevaluate the privacy implications of the rule, or to block enforcement of the rule altogether.

H.R. 4561, Federal Agency Protection of Privacy Act (House Version):

     http://thomas.loc.gov/cgi-bin/query/z?c107:H.R.4561:

S. 2492, Federal Agency Protection of Privacy Act (Senate Version):

     http://thomas.loc.gov/cgi-bin/bdquery/z?d107:s.2492:

=======================================================================
[7] EPIC Bookstore - First Anniversary of the USA PATRIOT Act
=======================================================================

October 26 marks the first anniversary of the passage of the USA PATRIOT Act. Two recently released monographs explain the significance of the legislative changes, providing historical context for assessing the administration's actions.

"Silencing Political Dissent: How Post-September 11 Anti-Terrorism Measures Threaten Our Civil Liberties," by Nancy Chang of the Center for Constitutional Rights, is written to encourage readers to "join the growing movement to reclaim our civil liberties." Chang begins by providing a quick tour of the history of political repression in the United States. The monuments in her tour will be familiar to many; the clear thread running through the descriptions is that, in times of uncertainty, ugly authoritarian impulses have invariably surfaced in American society.
She asserts that the USA PATRIOT Act undermines civil liberties in three key ways -- by adopting an overbroad definition of "domestic terrorism;" by reducing the expectation of privacy through expanded surveillance powers; and by eroding the due process rights of non-citizens. Chang's book serves as a useful primer to the issues at stake in this new environment.

"The Enemy Within: Intelligence Gathering, Law Enforcement, and Civil Liberties in the Wake of September 11," a Century Foundation Report by Stephen Schulhofer, takes a self-consciously pragmatic view on the same subject. Schulhofer, a criminal law professor at NYU, asks three main questions: Are the new measures effective? Are there adequate safeguards? And are there better, less invasive alternatives? Schulhofer's history tour focuses on the debates around civil liberties that have taken place in times of crisis, making the point that criticism was not only alive and well in those times, but that the courts at times even sided with the defenders of civil liberties.

The book's main contention is that the most significant threat to civil liberties comes from the administration's thirst for unchecked executive power. The manner in which the USA PATRIOT Act was rammed through Congress vividly emphasizes his point that the administration shows little respect for the Constitution's built-in structural safeguards. Schulhofer concludes that the new measures have been marked by bad compromises, September 11 opportunism, and unchecked executive power. He argues for countering these changes through better checks and balances, and suggests a list of policy proposals to achieve this aim.

"The Enemy Within" provides some much needed perspective for those in the trenches as well as for newcomers. While some of Schulhofer's proposals might be controversial, the picture of the threat he paints is convincing and the need for action clear. As Christopher Edley, Jr.
said at the Century Foundation's book release, the civil liberties guaranteed by the Constitution should be the floor, not the ceiling, of what our society offers.

Silencing Political Dissent:

     http://www.epic.org/bookstore/powells/redirect/alert919.html

The Enemy Within:

     http://www.tcf.org/Publications/Detail.asp?ItemID=167

EPIC's Analysis of the USA PATRIOT Act:

     http://www.epic.org/privacy/terrorism/usapatriot/

================================

EPIC Publications:

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.
http://www.epic.org/bookstore/foia2002/

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"Privacy & Human Rights 2002: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $25.
http://www.epic.org/bookstore/phr2002/

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, video surveillance, location tracking, ID systems and freedom of information laws.

================================

"The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001). Price: $40.
http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S.
and International privacy law, as well as a comprehensive listing of privacy resources.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

================================

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore/

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Privacy & Data Security Academy & Expo.
International Association of Privacy Officers (IAPO). October 16-18, 2002. Chicago, IL. For more information: http://www.privacyassociation.org/html/conferences.html

Privacy Law and Policy: Meeting the Challenges of Technology, Terrorism, and Accountability. Council on Law in Higher Education (CLHE). October 20-22, 2002. Washington, DC. For more information: http://www.clhe.org/programs/privacysymposium/

Paying Artists, Protecting Innovation: New Alternatives for Resolving the Digital Copyright Debate. Washington College of Law, American University. October 21, 2002. Washington, DC. For more information: pjaszi@wcl.american.edu

Privacy Trends: Complying With New Demands. Riley Information Services Inc. and the Commonwealth Centre for Electronic Governance. October 22, 2002. Ottawa, Canada. For more information: http://www.rileyis.com/seminars/

Secrecy, Freedom & Empire: Lessons for Today from Vietnam and the Pentagon Papers. The Independent Institute. October 23, 2002. Berkeley, CA. For more information: http://www.independent.org/tii/forums/021023ipf.html

Symposium on Privacy and Security (SPS). Stiftung für Datenschutz und Informationssicherheit (SDI), Basel/Switzerland. October 30-31, 2002. Zurich, Switzerland. For more information: http://www.privacy-security.ch/

2nd Courtroom 21 Conference on Privacy and Public Access to Court Records. Courtroom 21 (College of William & Mary and the National Center for State Courts). Williamsburg, VA. October 31-November 2, 2002. For more information: http://www.courtroom21.net/privacyconf/

3rd Annual Privacy and Security Workshop: Privacy & Security: Totally Committed. Centre for Applied Cryptographic Research, University of Waterloo and the Information and Privacy Commissioner/Ontario. University of Toronto. November 7-8, 2002. Toronto, Canada. For more information: http://www.epic.org/redirect/cacr.html

First Hawaii Biometrics Conference. Windward Community College, Pacific Center for Advanced Technology Training (PCATT).
November 10-13, 2002. Waikiki, HI. For more information: http://biometrics.wcc.hawaii.edu/

Call for Papers: November 15, 2002. CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy. Association for Computing Machinery (ACM). April 1-4, 2003. New York, NY. For more information: http://www.cfp.org/

Transformations in Politics, Culture and Society. Inter-Disciplinary.Net. December 6-8, 2002. Brussels, Belgium. For more information: http://www.inter-disciplinary.net/tpcs1.htm

18th Annual Computer Security Applications Conference (ACSAC): Practical Solutions to Real Security Problems. Applied Computer Security Associates. December 9-13, 2002. Las Vegas, NV. For more information: http://www.acsac.org/

O'Reilly Bioinformatics Technology Conference. February 3 - 6, 2003. San Diego, CA. For more information: http://conferences.oreilly.com/macosxcon/

Third Annual Privacy Summit. International Association of Privacy Officers. February 26-28, 2003. Washington, DC. For more information: http://www.privacyassociation.org/html/conferences.html

O'Reilly Open Source Convention. July 7-11, 2003. Portland, OR. For more information: http://conferences.oreilly.com/oscon/

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via Web interface:

     http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Subscribe/unsubscribe via email:

     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Back issues are available at:

     http://www.epic.org/alert/

The EPIC Alert displays best in a fixed-width font, such as Courier.
=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription email address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

     http://www.epic.org/donate/

=======================================================================

Drink coffee, support civil liberties, get a tax deduction, and learn Latin at the same time! Receive a free epic.org "sed quis custodiet ipsos custodes?" coffee mug with donation of $75 or more.

=======================================================================

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 9.19 -----------------------