EPIC logo

        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
    Volume 9.19                                   October 17, 2002
                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

Table of Contents

[1] Memo Reveals FBI National Security Wiretap Violations
[2] Court Hears Argument in Warrant Service Procedure Case
[3] Public Interest Registry (PIR) To Operate .ORG
[4] EPIC, Junkbusters Urge AGs to Protect Privacy of Amazon Booklists
[5] National Research Council Report Finds Polygraph Testing Flawed
[6] House Passes Measure Requiring Agencies to Report Privacy Risks
[7] EPIC Bookstore - First Anniversary of the USA PATRIOT Act
[8] Upcoming Conferences and Events

[1] Memo Reveals FBI National Security Wiretap Violations

A recently released FBI memo provides the latest evidence that the
Bureau has frequently overstepped its legal bounds when conducting
intrusive national security surveillance.  The document, which was
written in April 2000 and originally classified as "secret," reveals
that FBI agents illegally videotaped suspects, intercepted e-mail
without court permission, recorded the wrong phone conversations, and
conducted "unauthorized searches."  The incidents detailed in the memo
involved cases requiring warrants under the Foreign Intelligence
Surveillance Act (FISA).

The declassified document was obtained by Rep. William Delahunt
(D-MA), with the assistance of EPIC.  The existence of the memo was
first revealed in an FBI document obtained by EPIC earlier this year
through its Freedom of Information Act lawsuit for information
concerning the Bureau's controversial Carnivore Internet surveillance
system (see EPIC Alert 9.11).  That earlier disclosure, which showed
that an anti-terrorism investigation involving Osama bin Laden was
hampered by technical flaws in the Carnivore system, alluded to a
separate document discussing other "FISA mistakes."  EPIC worked with
Rep. Delahunt's office to seek disclosure of the "mistakes" memo.

The latest disclosure comes as the Foreign Intelligence Surveillance
Court of Review (FISCR), in its first proceeding since being created
in 1978, is considering the legality of new Justice Department
surveillance rules.  DOJ has asked the FISCR to overturn a decision of
the Foreign Intelligence Surveillance Court, which in May unanimously
rejected the government's bid for expanded powers.  In its decision,
the intelligence court documented abuses of "national security"
warrants by both the Bush and Clinton Administrations, including
serious errors in approximately 75 applications for foreign
intelligence surveillance (see EPIC Alert 9.16).

The newly disclosed "mistakes" memo reveals errors that extend beyond
those detailed by the surveillance court in May, which concerned FBI
misrepresentations in applications for surveillance warrants.  The new
"mistakes" involve the manner in which surveillance activities were
actually conducted, a potentially more serious issue as the incidents
appear to involve violations of both FISA and the Fourth Amendment.

The FBI "FISA mistakes" memo is available at:


Background information (including selected documents) on EPIC's
Carnivore FOIA litigation is available at:


Background information on FISA is available at:


[2] Court Hears Argument in Warrant Service Procedure Case

On October 10, the Eighth Circuit held oral arguments in United States
v. Bach, a case examining how the Fourth Amendment protects stored
e-mail and other files held by Internet Service Providers (ISPs).  The
issue raised is whether a police officer's presence is required during
service of a search warrant on an ISP.

EPIC filed an amicus brief in the case, arguing that police officer
presence is required during the service of a warrant on an ISP.  The
case arose after Yahoo! was "served" with a search warrant by fax, a
procedure that EPIC argues does not adequately safeguard the Fourth
Amendment guarantee of a "reasonable" search.  EPIC's brief details
the history of U.S. search and seizure law, which has mandated officer
presence at the site of the service of a warrant since the 1700s.

The district court suppressed the evidence, stating that the law
enforcement practice of faxing search warrants for the contents of
e-mails to ISPs violated the Constitution because the Fourth Amendment
required the government to be physically present to execute the
warrant.  The government appealed to the circuit court.

At oral argument, the government's attorney urged the court to resolve
the question on narrow reasonableness grounds, without addressing the
broader issue of whether an Internet user has an expectation of
privacy in remotely stored files held by an ISP.

For more information on the case, see EPIC's Bach Page:


Recordings of the oral arguments and other files are available through
the Web site of the U.S. Court of Appeals for the 8th Circuit:


[3] Public Interest Registry (PIR) To Operate .ORG

The Internet Corporation for Assigned Names and Numbers (ICANN) has
selected the proposal of the Internet Society (ISOC) for the operation
of the .org top-level domain, beginning January 1, 2003.  The Public
Interest Registry (PIR), established by ISOC, will be the registry
operator.  EPIC President Marc Rotenberg was named as one of the
founding board members of PIR.

ICANN launched a bid solicitation and evaluation process last April.
Eleven bids were received in response to a request for proposals.  As
part of the evaluation, two evaluation teams focused on technical
issues.  Another team, provided by ICANN's Non Commercial Domain Name
Holders Constituency (NCDNHC), focused on the effectiveness of the
proposals to address the particular needs of the .org registry.
Additional input came from comments by the public and the applicants

ICANN is re-assigning the .org registry under a revised agreement
among ICANN, VeriSign, and the U.S. Department of Commerce that was
signed in May 2001.  Under that agreement, VeriSign was permitted to
keep its registrar business, NSI, provided that it agreed to
relinquish .org at the end of December 2002, and subject to other
provisions of the revised agreements.  As part of those revised
agreements, VeriSign agreed to endow the new operator with $5 million
to help fund operating costs, provided that the new operator was a
not-for-profit organization.

ISOC's .ORG Bid:


ICANN Announcement:


ISOC Announcement:


[4] EPIC, Junkbusters Urge AGs to Protect Privacy of Amazon Booklists

EPIC and Junkbusters Corp. have sent a letter to state Attorneys
General (AGs) urging them to protect the privacy of Amazon.com's
patrons.  Specifically, the groups requested that Amazon.com be
blocked from selling customers' booklists; that customers be
guaranteed a right of access to and deletion of sales records; and
that the company undergo an audit of its information practices.  The
letter was sent in response to a statement made by Amazon.com to the
AGs in which the company indicated that it might sell customer records
in the event of an acquisition or bankruptcy.

EPIC and Junkbusters noted that in other contexts, the same booklists
that Amazon.com holds enjoy statutory and Constitutional protections.
Circulation records held by libraries are covered by privacy laws or
regulations in all states, and by systems that can expunge records of
book borrowing.  The groups also noted that in a recent case before
the Colorado Supreme Court, it was held that a release of book records
to law enforcement would violate readers' First Amendment rights.

The Massachusetts AG responded to the letter, encouraging Amazon.com
to reply to the suggestions made by EPIC and Junkbusters.  The AG
statement clarifies that individuals who have sent e-mail to
"never@amazon.com" to opt out of all information sharing will not have
their records sold.

Amazon.com changed its privacy policy in September 2000 to allow the
company to sell customer records in the event of a business
acquisition or bankruptcy.  Previously, Amazon.com had promised that
it would not sell or rent consumers' information.  As a result of that
change, EPIC severed its "affiliate" relationship with the company and
filed a complaint with the FTC alleging that Amazon.com violated
federal consumer protection law.

EPIC and Junkbusters Corp. Letter to the State Attorneys General:


Massachusetts Attorney General's Response:


[5] National Research Council Report Finds Polygraph Testing Flawed

The National Academies' National Research Council recently conducted a
study of the reliability and scientific soundness of using polygraph
testing to identify spies or other national security risks in
screening prospective and current employees, and reported that
polygraph test results are unreasonably inaccurate when used in this
manner.  The U.S. Department of Energy and other federal agencies are
required by law to test employees in sensitive positions.

While the accuracy of a polygraph may be satisfactory for
investigation of specific, identifiable events (e.g. specific crimes),
its accuracy is inadequate for screening employees for the following
reasons: (1) examiners ask nonspecific questions during screenings,
since the examiners do not know what security risks the examinee may
be hiding; and (2) the test flags large numbers of truthful test
takers as lying, while failing to spot actual security risks.  In a
population of 10,000 employees, including 10 spies, a polygraph
sensitive enough to detect eight spies would result in 1,598 false

The report also raises scientific objections: namely, that theories
about the link between deception and the corresponding physiological
effects being measured (e.g. breathing rates, sweating and blood
pressure) have not been subjected to vigorous scientific study and are
therefore unverified.  The polygraph test is especially susceptible to
error because a number of psychological and physical factors can have
an effect on test results.  Worse yet, deceptive individuals, with
sufficient incentive and resources, can learn to duplicate the
physiological responses of truthful test takers.

For these reasons, the study concluded that the federal government
should not rely on polygraph tests for screening employees to identify
national security risks.  Congress recommended that the Department of
Energy devise a new plan to screen employees that would take the
study's findings into account.

For the full report, see National Research Council, The Polygraph and
Lie Detection (2002):


[6] House Passes Measure Requiring Agencies to Report Privacy Risks

The House of Representatives has passed H.R. 4561, the Federal Agency
Protection of Privacy Act (FAPPA).  Introduced by Rep. Bob Barr
(R-GA), the measure would require all federal agencies to articulate
how new regulations will affect privacy interests.  A companion bill
has been introduced as S. 2492 in the Senate by Sen. Max Cleland

The bill would require agencies to issue an initial privacy impact
analysis when publishing a rulemaking.  The initial analysis follows a
strong framework of Fair Information Practices (FIPs) by explaining
how the agency plans to collect, use, secure, disclose, and prevent
secondary use of personal information.  The agency must also explain
how an individual can gain access to and correct information held by
the agency under the proposed rule.  Additionally, agencies must
consider significant alternatives to the proposed rule to minimize
privacy risks.

Upon promulgating a rule, the bill would require the agency to issue a
final privacy impact analysis.  This final report would assess
information practices explained in the initial analysis, summarize any
potential risks raised by comments from the public, and describe how
the agency has taken steps to minimize privacy risks.

The bill also calls for periodic review of rules to determine whether
policies can be changed to be less invasive of individual privacy.
Individuals adversely affected by agency action would be able to sue
under the FAPPA.  In such a case, the court could require the agency
to reevaluate the privacy implications of the rule, or to block
enforcement of the rule altogether.

H.R. 4561, Federal Agency Protection of Privacy Act (House Version):


S. 2492, Federal Agency Protection of Privacy Act (Senate Version):


[7] EPIC Bookstore - First Anniversary of the USA PATRIOT Act

October 26 marks the first anniversary of the passage of the USA
PATRIOT Act.  Two recently released monographs explain the
significance of the legislative changes, providing historical context
for assessing the administration's actions.

"Silencing Political Dissent: How Post-September 11 Anti-Terrorism
Measures Threaten Our Civil Liberties," by Nancy Chang of the Center
for Constitutional Rights, is written to encourage readers to "join
the growing movement to reclaim our civil liberties."  Chang begins by
providing a quick tour of the history of political repression in the
United States.  The monuments in her tour will be familiar to many;
the clear thread running through the descriptions is that, in times of
uncertainty, ugly authoritarian impulses have invariably surfaced in
American society.  She asserts that the USA PATRIOT Act undermines
civil liberties in three key ways -- by adopting an overbroad
definition of "domestic terrorism;" by reducing the expectation of
privacy through expanded surveillance powers; and by eroding the due
process rights of non-citizens.  Chang's book serves as a useful
primer to the issues at stake in this new environment.

"The Enemy Within: Intelligence Gathering, Law Enforcement, and Civil
Liberties in the Wake of September 11," a Century Foundation Report by
Stephen Schulhofer, takes a self-consciously pragmatic view on the
same subject.  Schulhofer, a criminal law professor at NYU, asks three
main questions: Are the new measures effective?  Are there adequate
safeguards?  And are there better, less invasive alternatives?
Schulhofer's history tour focuses on the debates around civil
liberties that have taken place in times of crisis, making the point
that criticism was not only alive and well in those times, but that
the courts at times even sided with the defenders of civil liberties.
The book's main contention is that the most significant threat to
civil liberties comes from the administration's thirst for unchecked
executive power.  The manner in which the USA PATRIOT Act was rammed
through Congress vividly emphasizes his point that the administration
shows little respect for the Constitution's built-in structural
safeguards.  Schulhofer concludes that the new measures have been
marked by bad compromises, September 11 opportunism, and unchecked
executive power.  He argues for countering these changes through
better checks and balances, and suggests a list of policy proposals to
achieve this aim.  "The Enemy Within" provides some much needed
perspective for those in the trenches as well as for newcomers.  While
some of Schulhofer's proposals might be controversial, the picture of
the threat he paints is convincing and the need for action clear.  As
Christopher Edley, Jr. said at the Century Foundation's book release,
the civil liberties guaranteed by the Constitution should be the
floor, not the ceiling, of what our society offers.

Silencing Political Dissent:


The Enemy Within:


EPIC's Analysis of the USA PATRIOT Act:



EPIC Publications:

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.

"Privacy & Human Rights 2002: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, video surveillance, location tracking, ID
systems and freedom of information laws.


"The Privacy Law Sourcebook 2001: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40. http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
     EPIC Bookstore
     "EPIC Bookshelf" at Powell's Books
[8] Upcoming Conferences and Events

Privacy & Data Security Academy & Expo. International Association of
Privacy Officers (IAPO). October 16-18, 2002. Chicago, IL. For more
information: http://www.privacyassociation.org/html/conferences.html

Privacy Law and Policy: Meeting the Challenges of Technology,
Terrorism, and Accountability. Council on Law in Higher Education
(CLHE). October 20-22, 2002. Washington, DC. For more information:

Paying Artists, Protecting Innovation: New Alternatives for Resolving
the Digital Copyright Debate. Washington College of Law, American
University. October 21, 2002. Washington, DC. For more information:

Privacy Trends: Complying With New Demands. Riley Information Services
Inc. and the Commonwealth Centre for Electronic Governance. October
22, 2002. Ottawa, Canada. For more information:

Secrecy, Freedom & Empire: Lessons for Today from Vietnam and the
Pentagon Papers. The Independent Institute. October 23, 2002.
Berkeley, CA. For more information:

Symposium on Privacy and Security (SPS). Stiftung für Datenschutz und
Informationssicherheit (SDI), Basel/Switzerland. October 30-31, 2002.
Zurich, Switzerland. For more information:

2nd Courtroom 21 Conference on Privacy and Public Access to Court
Records. Courtroom 21 (College of William & Mary and the National
Center for State Courts). Williamsburg, VA. October 31-November 2,
2002. For more information: http://www.courtroom21.net/privacyconf/

3rd Annual Privacy and Security Workshop: Privacy & Security: Totally
Committed. Centre for Applied Cryptographic Research, University of
Waterloo and the Information and Privacy Commissioner/Ontario.
University of Toronto. November 7-8, 2002. Toronto, Canada. For more
information: http://www.epic.org/redirect/cacr.html

First Hawaii Biometrics Conference. Windward Community College,
Pacific Center for Advanced Technology Training (PCATT). November
10-13, 2002. Waikiki, HI. For more information:

Call for Papers: November 15, 2002. CFP2003: 13th Annual Conference on
Computers, Freedom, and Privacy. Association for Computing Machinery
(ACM). April 1-4, 2003. New York, NY. For more information:

Transformations in Politics, Culture and Society. Inter-
Disciplinary.Net. December 6-8, 2002. Brussels, Belgium. For more
information: http://www.inter-disciplinary.net/tpcs1.htm

18th Annual Computer Security Applications Conference (ACSAC):
Practical Solutions to Real Security Problems. Applied Computer
Security Associates. December 9-13, 2002. Las Vegas, NV. For more
information: http://www.acsac.org/

O'Reilly Bioinformatics Technology Conference. February 3 - 6, 2003.
San Diego, CA. For more information:

Third Annual Privacy Summit. International Association of Privacy
Officers. February 26-28, 2003. Washington, DC. For more information:

O'Reilly Open Source Convention. July 7-11, 2003. Portland, OR. For
more information: http://conferences.oreilly.com/oscon/

Subscription Information
Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:
     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)
Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)
Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription email address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learn
Latin at the same time!  Receive a free epic.org "sed quis custodiet
ipsos custodes?" coffee mug with donation of $75 or more.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
   ---------------------- END EPIC Alert 9.19 -----------------------