EPIC logo

        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
    Volume 9.20                                   October 24, 2002
                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

Table of Contents

[1] EPIC FOIA Lawsuit Seeks USA PATRIOT Act Information
[2] EPIC Files Comments at FCC to Protect Telephone Privacy
[3] Public Protest Over Data Retention Increases in Europe
[4] DC City Council Discusses Regulation of Surveillance Cameras
[5] National Academies Report on "Sensitive but Unclassified"
[6] California Leads States in Privacy Protection
[7] EPIC Bookstore - CTRL [SPACE]
[8] Upcoming Conferences and Events

[1] EPIC FOIA Lawsuit Seeks USA PATRIOT Act Information

The Electronic Privacy Information Center today filed a Freedom of
Information Act (FOIA) lawsuit asking a federal court to order the
Department of Justice to account for its use of the extraordinary new
surveillance powers granted to it by Congress last year.  The records
requested concern the government's implementation of the USA PATRIOT
Act, legislation that was passed in the wake of the September 11
terrorist attacks.  By amending laws such as the Foreign Intelligence
Surveillance Act (FISA), the USA PATRIOT Act vastly expanded the
government's authority to obtain personal information about those
living in the United States, including United States citizens.

EPIC and the American Civil Liberties Union filed the lawsuit as
attorneys for their organizations and for the American Booksellers
Foundation for Free Expression and the Freedom to Read Foundation,
citing concerns that the new surveillance laws threaten the First
Amendment-protected activities of librarians, library patrons,
booksellers and their customers, and investigative journalists.  The
FOIA request, which was submitted to DOJ and the FBI on August 21,
seeks general information about the use of new surveillance powers,
including the number of times the government has:

  Directed a library, bookstore or newspaper to produce "tangible
  things," e.g, the titles of books an individual has purchased or
  borrowed or the identity of individuals who have purchased or
  borrowed certain books;

  Initiated surveillance of Americans under the expanded Foreign
  Intelligence Surveillance Act;

  Conducted "sneak and peek" searches, which allow law enforcement
  to enter people's homes and search their belongings without
  informing them until long after;

  Authorized the use of devices to trace the telephone calls or
  e-mails of people who are not suspected of any crime;

  Investigated American citizens or permanent legal residents on
  the basis of activities protected by the First Amendment (e.g.,
  writing a letter to the editor or attending a rally).

Some of the information was previously sought by the House Judiciary
Committee, and last week Rep. James Sensenbrenner (R-WI), the Chairman
of the Committee, reported that he had received some of the
information in classified form.

The EPIC/ACLU court complaint is available at:


Information on the USA PATRIOT Act is available at:


[2] EPIC Files Comments at FCC to Protect Telephone Privacy

On October 21, EPIC filed comments with the Federal Communications
Commission (FCC) urging it to protect the privacy of telephone
customers when a telecommunications company goes out of business or
wants to sell customer information as a business asset.

The comments relate to the use by telecommunications carriers of
"customer proprietary network information" (CPNI), which includes the
name, telephone number, call information and services subscribed to by
a telephone customer.  In 1998, the FCC formulated its initial rule
regarding CPNI, which required telecommunications carriers to obtain
explicit customer approval (opt-in) before using customer information
in any manner inconsistent with provision of services (for example,
building detailed profiles based on personal information obtained
through private telephone calls).

Following a court challenge to the FCC's 1998 CPNI rule, the FCC
adopted a new rule in July 2002, which allowed telephone companies and
their affiliates to use customer information with only opt-out
approval from the customer.  Opt-out allows the company to use CPNI
until a customer specifically informs the company otherwise.  However,
the July 2002 rule requires opt-in customer approval when a company
that has no business relationship with a customer tries to use or
disclose CPNI.  In the July 2002 ruling, the FCC sought public comment
on whether a company that is going out of business should be allowed
to sell CPNI as a business asset.  In addition, the FCC asked whether
a company who is going out of business or merges with another company
should be able to share customer information with the company who is
going to take over the business.

EPIC's position is that the sale of CPNI as a business asset creates
serious privacy concerns for consumers and should not be allowed.  In
the case of a sale, EPIC urged the FCC to require that any company
seeking to sell its CPNI provide opt-in notification to customers,
prohibiting any sale of personal information without a customer's
consent.  In addition, EPIC urged the FCC to require companies to use
an opt-in approach before sharing CPNI when going out of business or
merging with another telecommunications company.  EPIC reasoned that
an opt-in approach is necessary to protect customers' privacy because
customers often have no previous business relationship with the new
telephone company, and do not always have an alternative phone company
to choose from if they do not want to accept service from the new

EPIC's comments are available at:


See EPIC's CPNI page:


[3] Public Protest Over Data Retention Increases in Europe

The prospect of generalized and systematic surveillance of electronic
communications across Europe is raising many pressing questions.
Several recent developments in Europe show that the principle of data
retention, introduced in the recent EU Directive on Privacy and
Electronic Communications (Dir. 2002/58/EC) is facing strong criticism
by privacy experts, data protection commissioners, civil liberties
groups, and the ISP industry.

This summer, the Danish government, current President of the European
Council, sent to all Member States a "questionnaire on traffic data
retention."  The document intended to gather comments with respect to
the regulation, practice and experiences of traffic data retention in
EU countries.  The responses were examined at a September 16 meeting
of an EU Council expert group (the Multidisciplinary Group on
Organized Crime), and most of the EU Member States' answers are now
available.  They reveal that most governments wish they could soon
implement an EU-wide data retention regulation with harmonized
standards and requirements.

On September 11, during the International Conference of Data
Protection Commissioners in Cardiff, the European Data Protection
Commissioners (also known as the "Working Party Article 29"), released
a declaration strongly warning against any future EU-wide mandatory
and systematic data retention scheme.  "Such retention," they
asserted, "would be an improper invasion of the fundamental rights
guaranteed to individuals by Article 8 of the European Convention on
Human Rights."  They argued that retention of traffic data for
purposes of law enforcement must occur for a limited period of time
and only where necessary, appropriate and proportionate in a
democratic society.

A few days ago, the press reported that the British Internet Service
Providers Association ("ISPA") is refusing to voluntarily implement
the Home Office's controversial data retention scheme, which is part
of the Anti-Terrorism Crime and Security Act enacted last year.  The
trade group is worried about the huge cost and privacy implications of
a data retention scheme that would radically change their customer
data storage and management procedures to allow law enforcement access.

Meanwhile, in Spain and Germany, civil liberties groups are fighting
against their governments' data retention endeavors.  Kriptopolis, a
Spanish activist organization, opposes some of the provisions of the
new Spanish "Law of Information Society Services and Electronic
Commerce" ("LSSI"), one of which compels all telecommunications
companies and ISPs to retain their customers' traffic and location
data for 12 months.  Stop1984, a civil liberties organization based in
Germany, is also launching a campaign to raise public awareness about
data retention proposals in Europe, creating a Web page with links to
other anti-data retention organizations, and collecting and organizing
material related to the retention of electronic communications data.

Danish Presidency's questionnaire on traffic data retention, August
14, 2002:


EU Member States' answers to the questionnaire, September 16, 2002:


Statement of the European Data Protection Commissioners at the
International Conference in Cardiff (September 9-11, 2002) on
mandatory systematic retention of telecommunication traffic data:




Stop1984's Anti-Data Retention Network:


For more information on developments related to data retention, see
EPIC's data retention Web page:


[4] DC City Council Discusses Regulation of Surveillance Cameras

The Judiciary Committee of the D.C. City Council on October 22
unanimously approved the proposed regulations governing the use of
surveillance cameras in Washington, DC.  The regulations will now be
considered by the full Council on November 7, after which they will
serve as an interim measure while the Council drafts permanent
legislation.  Councilmember Kathy Patterson is drafting this
legislation, which will be the subject of a public hearing scheduled
for December 12.  The legislative debates are expected to consider
whether the surveillance camera system is an effective or necessary
crime-fighting tool and whether it is an appropriate investment of
public funds.  Meanwhile, the interim regulations are at least an
important first step toward protecting the privacy of D.C. residents
and visitors, and they help to set the baseline for future debates in
other parts of the country.  However, the current regulations still
contain significant deficiencies that will hopefully be cured in the
final legislation.

In March, the D.C. City Council passed emergency legislation requiring
the Metropolitan Police Department (MPD) to draft regulations for the
use of the surveillance cameras.  The Council acted after learning
from media reports that the MPD had constructed an 8 million-dollar
surveillance camera system in the District.  The MPD regulations have
improved significantly from their April draft, in which they stated
that cameras are a "valid law enforcement tool" useful in combating
crime and even the "fear of crime," and provided for little
accountability or safeguards.  At the Council's public hearing in
June, EPIC Executive Director Marc Rotenberg testified on the
regulations, noting several specific clauses in the regulations where
improvements were necessary to protect the rights of residents and
visitors (see EPIC Alert 9.12).

The final version of the regulations includes some of the changes
suggested by critics of the surveillance camera system, including
EPIC, the NAACP, and the National Capital Area ACLU.  The regulations
now limit the cameras to two uses: to help manage public resources
during major public events and demonstrations, and to coordinate
traffic control.  No cameras will be installed for general crime
deterrence purposes until legislation approving it is enacted. Section
2501.3 explicitly states, "Under no circumstances shall the CCTV
systems be used for the purpose of infringing upon First Amendment
rights."  The regulations will also create an extensive audit trail if
recording is authorized.  However, they fail to properly consider the
expectation of privacy in public spaces and also do not provide clear
definitions for key terminology, including, for example, "exigent
circumstances."  In addition, the regulations do not address the need
for the system, and therefore should not be understood as legitimizing
the use of surveillance cameras.

Police chief Charles Ramsey has requested public comments on the
system and on specific camera installations.  Comments should be sent
to Terrence D. Ryan, General Counsel, Metropolitan Police Department,
Room 4125, 300 Indiana Avenue, NW, Washington, D.C. 20001.  The City
Council is also accepting public comments (see EPIC Alert 9.13).
Further, there is a new slide show on the Observing Surveillance Web
site that documents the presence of the MPD's surveillance cameras.

EPIC's Video Surveillance page:


Observing Surveillance:


[5] National Academies Report on "Sensitive but Unclassified"

In a recent report, the National Academies asked the federal
government to abstain from creating inadequately defined categories of
"sensitive, but unclassified" information, while recognizing their
responsibility to help protect the United States from terrorism and
other national security threats.

The National Academies expressed their concern that inadequately
defined categories of "sensitive, but unclassified" do not provide
sufficient guidance on what data should be restricted from public
access.  Furthermore, while acknowledging that some restrictions on
public information may be necessary to protect strategic secrets, the
National Academies emphasized the necessity of openness to scientific
and technological advancement, including advancements in countering
national security threats.

Vague criteria on when to classify and/or restrict public access to
scientific information create confusion among scientists, engineers,
researchers and government officials responsible for enforcing
regulations, thereby hindering progress and weakening national
security.  The National Academies accordingly maintained that an
appropriate and necessary balance between security and openness
requires clearly defined categories of information, recommending a
renewal of dialogue between the scientific, engineering and research
community and policy-makers to develop clear criteria for "sensitive,
but unclassified" information.

The National Academies' full report on the role of science and
technology in countering terrorism is available at:


[6] California Leads States in Privacy Protection

California leads the states in providing individuals with privacy
protections, according to a ranking performed by Robert Ellis Smith of
the Privacy Journal.  The other states ranking in the top ten are
Minnesota, Connecticut, Florida, Hawaii, Illinois, Massachusetts, New
York, Washington, and Wisconsin.

The ranking is based on "Compilation of State and Federal Privacy
Laws," a recently updated Privacy Journal publication that describes
more than 1200 state and federal laws on the confidentiality of
personal information.  States are assigned points based on protections
for medical, financial, credit, and library records.  Extra points
accrue to states with Constitutional privacy safeguards, and to those
that have been assertive in protecting privacy through regulation and

Under the Privacy Journal ranking system, the federal government would
fall among the next-to-last tier of states for privacy protection. The
federal government provides only limited protections for financial and
medical records, no statutory protection for library records, and
weakened protections against law enforcement surveillance as a result
of the USA PATRIOT Act.

Privacy Journal:


[7] EPIC Bookstore - CTRL [SPACE]

CTRL [SPACE]: Rhetorics of Surveillance from Bentham to Big Brother,
edited by Thomas Y. Levin, Ursula Frohne, and Peter Weibel.


Video surveillance is an important topic that is currently being
explored by policymakers, civil liberties organizations, and the
public at large.  However, another important group has joined the
discussion about the subject of surveillance: artists.  Just as the
use of surveillance cameras in public spaces raises important policy
questions, the cameras themselves are a form of visual media, and thus
the arts community has also become involved in the debate.  "CTRL
[SPACE]" uses the arts as a springboard to explore different ideas and
issues surrounding surveillance and its history, from philosophical
questions posed by Michel Foucault and Jeremy Bentham to 21st-century
America's growing obsession with "reality television."  It also serves
as an exhaustive catalog for the recent art exhibition of the same
name, held from October 13, 2001 to February 24, 2002 at the ZKM
Center for Art and Media in Karlsruhe, Germany.

The book features numerous essays and artistic works by and about many
diverse groups, including the Surveillance Camera Players, the New
York Civil Liberties Union's "NYC Surveillance Camera Project," and
noted creative personalities such as Yoko Ono and Andy Warhol.  A
large, elaborately designed work comprising over 650 pages of images
and text, "CTRL [SPACE]" feels at home in a library full of policy
books, philosophy books, art books, and/or all (or none) of the above.

- Kate Rears

For more perspectives on video surveillance, see the Observing
Surveillance project:



EPIC Publications:

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.

"Privacy & Human Rights 2002: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, video surveillance, location tracking, ID
systems and freedom of information laws.


"The Privacy Law Sourcebook 2001: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40. http://www.epic.org/bookstore/pls2001/

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
     EPIC Bookstore
     "EPIC Bookshelf" at Powell's Books
[8] Upcoming Conferences and Events

Liberties Lost! First Central European Cyber Liberties Conference
(CECLC). Quintessenz and VIBE!AT User Group. October 25, 2002. Vienna,
Austria. For more information: http://ceclc.quintessenz.org/

Symposium on Privacy and Security (SPS). Stiftung für Datenschutz und
Informationssicherheit (SDI), Basel/Switzerland. October 30-31, 2002.
Zurich, Switzerland. For more information:

2nd Courtroom 21 Conference on Privacy and Public Access to Court
Records. Courtroom 21 (College of William & Mary and the National
Center for State Courts). Williamsburg, VA. October 31-November 2,
2002. For more information: http://www.courtroom21.net/privacyconf/

3rd Annual Privacy and Security Workshop: Privacy & Security: Totally
Committed. Centre for Applied Cryptographic Research, University of
Waterloo and the Information and Privacy Commissioner/Ontario.
University of Toronto. November 7-8, 2002. Toronto, Canada. For more
information: http://www.epic.org/redirect/cacr.html

First Hawaii Biometrics Conference. Windward Community College,
Pacific Center for Advanced Technology Training (PCATT). November
10-13, 2002. Waikiki, HI. For more information:

Call for Proposals: November 15, 2002. CFP2003: 13th Annual Conference
on Computers, Freedom, and Privacy. Association for Computing
Machinery (ACM). April 1-4, 2003. New York, NY. For more information:

Ninth ACM Conference on Computer and Communications Security (CCS).
Association for Computing Machinery (ACM) Special Interest Group on
Security, Audit, and Control (SIGSAC). November 18-22, 2002.
Washington, DC. For more information:

eSafe Programme 2003-2004 -- Hearing on Options & Requirements.
European Commission. November 27-28, 2002. Kirchberg, Luxembourg. For
more information: http://www.saferinternet.org/news/esafe.asp

International Conference: Privacy: Cost to Resource. Safeguards for
Citizens, Opportunities for Businesses: Advantages of a
Privacy-Oriented Market. Garante per la Protezione dei Dati Personali
(Italian Data Protection Commission). December 5-6, 2002. Rome, Italy.
For more information: http://www.garanteprivacy.it/

Transformations in Politics, Culture and Society. Inter-
Disciplinary.Net. December 6-8, 2002. Brussels, Belgium. For more
information: http://www.inter-disciplinary.net/tpcs1.htm

18th Annual Computer Security Applications Conference (ACSAC):
Practical Solutions to Real Security Problems. Applied Computer
Security Associates. December 9-13, 2002. Las Vegas, NV. For more
information: http://www.acsac.org/

O'Reilly Bioinformatics Technology Conference. February 3 - 6, 2003.
San Diego, CA. For more information:

Third Annual Privacy Summit. International Association of Privacy
Officers. February 26-28, 2003. Washington, DC. For more information:

O'Reilly Open Source Convention. July 7-11, 2003. Portland, OR. For
more information: http://conferences.oreilly.com/oscon/

Subscription Information
Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:
     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)
Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)
Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription email address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.
About EPIC
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learn
Latin at the same time!  Receive a free epic.org "sed quis custodiet
ipsos custodes?" coffee mug with donation of $75 or more.
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
   ---------------------- END EPIC Alert 9.20 -----------------------