        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
    Volume 9.23                                  November 19, 2002
                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

Table of Contents

[1] Public Protest Over Pentagon Surveillance System Mounts
[2] Appeals Court Permits Broader Electronic Surveillance
[3] Homeland Security Bill Limits Open Government
[4] Circuit Court Approves Faxed Warrants
[5] DC City Council Attacks Camera System, Adopts Regulations
[6] California Passes Database Privacy Legislation
[7] EPIC Bookstore - Data Protection Law
[8] Upcoming Conferences and Events

[1] Public Protest Over Pentagon Surveillance System Mounts

The Pentagon's proposed "Total Information Awareness" (TIA)
surveillance system is coming under increasing attack.  In an open
letter sent yesterday, a coalition of over 30 civil liberties groups
urged Senators Thomas Daschle (D-SD) and Trent Lott (R-MS) to "act
immediately to stop the development of this unconstitutional system of
public surveillance."  Newspapers across the country have written
editorials castigating the program.  The New York Times has said that
"Congress should shut down the program pending a thorough
investigation."  The Washington Post wrote, "The defense secretary
should appoint an outside committee to oversee it before it proceeds."
William Safire's recent column, which played a major role in igniting
the public outcry, called the surveillance system "a supersnooper's

The TIA project is part of the Defense Advanced Research Projects
Agency (DARPA)'s Information Awareness Office, headed by John
Poindexter.  The surveillance system purports to capture a person's
"information signature" so that the government can track potential
terrorists and criminals involved in "low-intensity/low-density"
forms of warfare and crime.  The goal of the system is to track
individuals by collecting as much information about them as possible
and using computer algorithms and human analysis to detect potential
activity.  The project calls for the development of "revolutionary
technology for ultra-large all-source information repositories," which
would contain information from multiple sources to create a "virtual,
centralized, grand database."  This database would be populated by
transaction data contained in current databases, such as financial
records, medical records, communication records, and travel records,
as well as new sources of information.  Intelligence data would also
be fed into the database.

A key component of the project is the development of data mining or
knowledge discovery tools that will sift through the massive amount
of information to find patterns and associations.  The surveillance
plan will also improve the power of search tools such as Project
Genoa, which Poindexter's former employer Syntek Technologies
assisted in developing.  The Defense Department aims to fund the
development of more such tools and data mining technology to help
analysts understand and even "preempt" future action.  A further
crucial component is the development of biometric technology to
enable the identification and tracking of individuals.  DARPA has
already funded its "Human ID at a Distance" program, which aims to
positively identify people from a distance through technologies such
as face recognition and gait recognition.  A nationwide
identification system might also be of great assistance to such a
project by providing an easy means to track individuals across
multiple information sources.

The initial plan calls for a five year research project into these
various technologies.  According to the announcement soliciting
industry proposals, the interim goal is to build "leave-behind
prototypes with a limited number of proof-of-concept demonstrations
in extremely high risk, high payoff areas."  The FBI and the
Transportation Security Administration (TSA) are also working on data
mining projects that will merge commercial databases, public
databases, and intelligence data.  Documents obtained by EPIC through
the Freedom of Information Act (FOIA) show that the developers of the
new passenger profiling system in the TSA held meetings with
Poindexter's team earlier this year.  EPIC is currently involved in a
FOIA lawsuit to obtain documents from the Information Awareness

The coalition's letter to Senators Daschle and Lott is available at:


EPIC's Total Information Awareness Page:


Information Awareness Office's Total Information Awareness project


[2] Appeals Court Permits Broader Electronic Surveillance

The Foreign Intelligence Surveillance Court of Review issued an
opinion this week broadly expanding the Justice Department's
surveillance authority.  The Court held that the Department of Justice
could use looser foreign intelligence standards to conduct criminal
investigations in the United States.

The Court of Review convened in September for the first time in its 23
year existence to hear the Justice Department's appeal of an
unprecedented decision by the Foreign Intelligence Surveillance Court
(FISC), a special panel of federal judges that oversees implementation
of the Foreign Intelligence Surveillance Act (FISA).  The
extraordinary ruling, issued by the FISC in May, revealed a pattern of
FBI misrepresentations to the FISC and cast serious doubt on the
veracity and accuracy of claims made by the Justice Department and the
FBI in support of requests for approval of national security and
anti-terrorism surveillance.  The court found that DOJ and FBI
officials had submitted erroneous information in more than 75
applications for search warrants and wiretaps and had improperly
shared intelligence information with agents and prosecutors handling
criminal cases on at least four occasions.

As a result of these problems, the court refused to give DOJ the broad
new surveillance powers it sought to employ after the September 11
terrorist attacks.  Specifically, the FISC ruled that new procedures
proposed by Attorney General John Ashcroft earlier this year would
give DOJ prosecutors too much control over national security
investigations and would allow the government to improperly use
intelligence information for criminal cases, without the requisite
showing of "probable cause."  The court noted that it was rejecting
the new DOJ procedures "to protect the privacy of Americans in these
highly intrusive surveillances and searches."

The government argued in its appeal that the FISC failed to properly
apply changes to FISA that were contained in the USA PATRIOT Act,
which Congress enacted in the wake of the September 11 attacks.  EPIC
joined the American Civil Liberties Union, Center for Democracy and
Technology, Center for National Security Studies, Electronic Frontier
Foundation, and Open Society Institute in submitting an amicus brief
that argued that expanding the executive branch's powers would
jeopardize fundamental constitutional interests, "including the First
Amendment right to engage in lawful public dissent, and the warrant,
notice, and judicial review rights guaranteed by the Fourth and Fifth
Amendments." (See EPIC Alert 9.17.)

The Court of Review's decision, released yesterday, permits the
government to remove the separation that has long existed between
officials conducting surveillance on suspected foreign agents and
criminal prosecutors investigating crimes.  The Court of Review
concluded that the FISC read into FISA limitations on the Act's scope
that never existed and appear nowhere in the statute.  The
court concluded that the changes to FISA under the USA PATRIOT Act are
constitutional, although just barely:

     Our case may well involve the most serious threat our
     country faces.  Even without taking into account the
     President's inherent constitutional authority to conduct
     warrantless foreign intelligence surveillance, we think
     the procedures and government showings required under
     FISA, if they do not meet the minimum Fourth Amendment
     warrant standards, certainly come close.

Attorney General Ashcroft has announced that he intends to use FISA to
sharply increase the number of domestic wiretaps.

EPIC and its coalition partners are considering a number of options in
the wake of the appellate decision, including a potential request for
the Supreme Court to review the decision, and urging Congress to amend
FISA to reflect the opinion of the lower court that the Justice
Department is not authorized to use FISA's looser surveillance
standards in ordinary criminal cases.

The FISC Review Court is a special three-judge panel appointed by
Chief Justice William H. Rehnquist in accordance with provisions of
the Foreign Intelligence Surveillance Act.  The judges are: Hon.
Laurence H. Silberman of the U.S. Court of Appeals for the District of
Columbia Circuit; Hon. Edward Leavy, U.S. Court of Appeals for the
Ninth Circuit and Hon. Ralph B. Guy, Jr., U.S. Court of Appeals for
the Sixth Circuit.  All three judges were appointed by President
Ronald Reagan.

The Court of Review's ruling is available at: 


The civil liberties amicus brief is available at:


Background information on the Foreign Intelligence Surveillance Act,
including information on the current controversy, the government's
brief and the FISC's May 2002 Memorandum Opinion and Order, is
available at:


[3] Homeland Security Bill Limits Open Government

The Senate is likely to approve a measure to create a cabinet-level
Department of Homeland Security today or tomorrow.  The legislation
creating the department contains a number of provisions that will
enhance government surveillance powers while limiting public access to
government records and advisory committees.  Limited privacy
protections are included in the bill.

Section 225 of the Homeland Security Act of 2002 includes the entire
text of the Cyber Security Enhancement Act (CSEA), which previously
passed the House as a free-standing measure.  The CSEA, originally
sponsored by Representative Lamar Smith (R-TX), allows service
providers to voluntarily provide government agents with access to the
contents of customer communications without consent based on a "good
faith" belief that an emergency justifies the release.  The same
section grants law enforcement the power to install pen register and
trap and trace devices without a court order where there is an ongoing
attack on a "protected computer."  Any computer involved in interstate
commerce or communications qualifies as a "protected computer."
Further, section 225 introduces fines and 20-year prison terms for
offenders who recklessly cause or attempt to cause serious bodily

Section 891 contains the entire text of the Homeland Security
Information Sharing Act (HSISA), another measure that passed the House
earlier in the session as H.R. 4598.  HSISA will facilitate the
sharing of sensitive intelligence information with state and local
authorities.  Section 891 also allows greater sharing of grand jury
information and the content of electronic intercepts with state and
local authorities.

Title II of the bill broadly exempts "critical infrastructure
information" (CII) voluntarily submitted to the Department of Homeland
Security from the Freedom of Information Act.  CII is information that
relates to the operation of systems such as the national power grid
and telecommunications networks.  Once disclosed to the government,
CII could not be used against the company in civil litigation, and
government agents who disclose the information would be subject to
criminal penalties and fines.

Section 871 allows the Department to form advisory committees with
industry representatives that are exempt from the Federal Advisory
Committee Act (FACA), an open government law.  FACA promotes openness
and accountability through requiring the recording of minutes, notice
of meetings, procedures for holding open meetings, limits on special
interests, and balance of viewpoints.

Limited privacy protections were included in the bill.  Section 222
creates a privacy officer for the department charged with the
responsibility of compliance with the Privacy Act, with formulating
privacy impact assessments for rules proposed by the Department, and
with preparing an annual report to Congress.  Section 770 prohibits
all federal agencies from implementing the Terrorism Information and
Prevention System (TIPS).  Section 815 prohibits the new Department
from developing a national identification system or card.

H.R. 5710, The Homeland Security Act:

EPIC's February 26, 2002 Letter to the House Judiciary Committee,
regarding the CSEA:


EPIC's Critical Infrastructure Information Page:

EPIC's Open Government Page:

[4] Circuit Court Approves Faxed Warrants

The Eighth Circuit ruled this week that service of a warrant on an ISP
by fax complies with the "reasonableness" requirements of the Fourth
Amendment.  The case was one of the first to address the issue of how
the Fourth Amendment applies to the protection of stored e-mail and
other files held by Internet Service Providers (ISPs).

The case arose after Yahoo! was "served" with a search warrant by fax,
a procedure that EPIC argues does not adequately safeguard the Fourth
Amendment guarantee of a "reasonable" search.  The defendant had
argued before the district court that the law enforcement practice of
faxing the warrant to the ISP and having the ISP execute the warrant
violated his Fourth Amendment rights.  The district court agreed,
holding that the Fourth Amendment requires the government to be
physically present at the ISP during the execution of a search
warrant.  EPIC filed an amicus brief in the Eighth Circuit detailing
that the history of U.S. search and seizure law has mandated officer
presence at the site of the service of a warrant since the 1700s (see
EPIC Alert 9.15).

The court resolved the case on the narrow ground that the government's
actions were "reasonable," without deciding the broader issue of
whether an Internet user has a Fourth Amendment expectation of privacy
in their e-mail.

The Eighth Circuit's Opinion is available at:


For more information on the case, see EPIC's Bach Page:


Recordings of the oral arguments and other files are available through
the Web site of the U.S. Court of Appeals for the 8th Circuit:


[5] DC City Council Attacks Camera System, Adopts Regulations

In an unexpectedly tight 7 to 6 vote on November 8, the DC City
Council approved regulations governing the use of surveillance cameras
by the Metropolitan Police Department (see EPIC Alert 9.20). Council
members took the opportunity to lambast the police department for
setting up the surveillance camera network without seeking prior
approval from the City Council.  Several members voiced their
opposition to the "Orwellian potential" of the cameras and signaled
their intention to kill the surveillance program altogether. Council
member Jim Graham said, "These cameras have been set up to deal with
demonstrations and dissent.  This will have a chilling effect and
discourage citizens from demonstrating openly here in the capital of
the United States of America."  Council member Sandy Allen, who held
the swing vote, took particular care to note that her vote should not
be seen as endorsing a surveillance network.

Council member Kathy Patterson is drafting permanent legislation to
regulate the cameras and has proposed pilot programs to test the
effectiveness of neighborhood surveillance cameras.  There is a
hearing scheduled for December 12, at which EPIC Executive Director
Marc Rotenberg is expected to testify.  Other council members might
introduce legislation in the coming months to remove the surveillance
camera network.  Council member Adrian Fenty said at the hearing, "At
first I thought Washington, because it's prone to more terrorist
attacks, would be a place where visitors would want cameras, but I
agree now with my colleagues who say Washington should be a beacon of

EPIC Alert readers, Washington residents, and other interested parties
can participate in the public debate over the proposed legislation by
continuing to send comments to Council members, either by e-mail to:
<dccouncil@dccouncil.washington.dc.us> or by postal mail to: Ms.
Phyllis Jones, Secretary to the Council, Suite 5, John A. Wilson
Building, 1350 Pennsylvania Avenue, N.W., Washington, DC 20004.

EPIC's Video Surveillance Page:


Observing Surveillance:


National Capital Area ACLU Web site:


[6] California Passes Database Privacy Legislation

A new law in California requires state agencies and businesses that
own databases to disclose security breaches involving certain personal
information.  The bill comes in response to an April 2002 incident in
which the records of over 200,000 state employees were accessed by a
computer cracker.  The California legislation exceeds federal
protections, as there is no national requirement for notice to
individuals when personal information is accessed without

Senate Bill 1386, sponsored by Senator Steve Peace (D-El Cajon),
creates a notice requirement where there has been an unauthorized
acquisition of an individual's name along with a Social Security
Number, a driver's license number, or an account number and
corresponding access code.  The notice requirement is also triggered
when there is a reasonable belief that a security breach occurred.
Notice must be given "in the most expedient time," but may be delayed
where it would impede a criminal investigation.

The law requires notice to be given to individuals in writing or
electronically, in accordance with federal e-signature law.  If the
cost of notice were to exceed $250,000, or where over 500,000 people
were affected by the security breach, notice could be delivered
through a combination of e-mail, a conspicuous posting on the agency
or company Web site, and notification of statewide media outlets. 
Agencies and companies could also create information security policies
in advance of security breaches to address the notice requirement.

The law does not apply to non-computerized files, such as personal
data stored on paper.  Also, only California residents enjoy the law's
protections.  Californians can bring civil actions for damages and
injunctive relief against entities that fail to comply with the law. 
The law takes effect on July 1, 2003.

Senator Peace has been a longtime state leader on privacy.  As early
as 1996, he attempted to pass a comprehensive information privacy bill
in California.

Senate Bill 1386:


[7] EPIC Bookstore - Data Protection Law

Data Protection Law: Approaching its Rationale, Logic and Limits, by
Lee A. Bygrave.

The field of data protection has evolved rapidly in the last ten
years, leading to a wide array of laws and regulations around the
world.  These laws and regulations, although generally guided by the
same fundamental principles established by international and European
data protection conventions, adopt diverse solutions that denote
confusion and incoherence when compared to each other.  Lee A.
Bygrave’s book, "Data Protection Law: Approaching its Rationale, Logic
and Limits," helps to get the big picture of some of the most
important principles that are embodied in the various data protection
rules existing in Europe.  Bygrave takes on the ambitious task of
confronting several issues that the academic world has had trouble
coming to terms with, one of which is trying to bridge the concepts of
data protection and privacy.

"Data Protection Law" is organized into three parts, each analyzing
the rationale, logic and limits of data protection laws.  In doing so,
it describes the origins, aims and purposes of data protection laws,
sets out their basic regulatory mechanisms, and attempts to point out
where those laws differ from other types of laws -- and to what extent
their regulatory mechanisms may be ineffective.  In the first section,
Bygrave explains the kinds of interests and values that data
protection laws promote; he then details the extent to which the
processing of information on private collective entities should be
regulated by these laws.  In the final section, he proceeds to explain
the ability of these laws to control profiling practices.

The book's principal interest resides in the main thesis that Bygrave
tries to convey.  An analysis of data protection regulations'
rationale, logic and limits has to take into account what the author
calls the "electronic interpenetration" of previously distinct spheres
of activity.  Greater dissemination of information across traditional
organizational boundaries has made it more difficult to draft,
implement and interpret data protection rules.  Bygrave's aim is to
provide privacy experts, lawyers and policymakers with a clearer
picture of the shift that occurred from different levels of the data
protection regulatory framework: from the individual to the collective
and systemic, from the national to the inter- and supranational, and
from the intra-organizational to the inter-organizational levels.

This book will be helpful for privacy scholars, regulators,
policymakers, lawyers, and generally anyone who is interested in
comparative privacy issues.

- Cédric Laurant

EPIC maintains a Web page on the issue of data retention at:



EPIC Publications:

"The Privacy Law Sourcebook 2002: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002).
Price: $40. http://www.epic.org/bookstore/pls2002/

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.


"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.

"Privacy & Human Rights 2002: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $25.

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, video surveillance, location tracking, ID
systems and freedom of information laws.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.


"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore

     "EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

Ninth ACM Conference on Computer and Communications Security (CCS).
Association for Computing Machinery (ACM) Special Interest Group on
Security, Audit, and Control (SIGSAC). November 18-22, 2002.
Washington, DC. For more information:

The New Gatekeepers: A Conference on Free Expression in the Arts.
Columbia University Graduate School of Journalism and National Arts
Journalism Program. November 20-21, 2002. New York, NY. For more
information: http://www.najp.org/conferences/gatekeepers/panels.htm

eSafe Programme 2003-2004 -- Hearing on Options & Requirements.
European Commission. November 27-28, 2002. Kirchberg, Luxembourg. For
more information: http://www.saferinternet.org/news/esafe.asp

International Conference: Privacy: Cost to Resource. Safeguards for
Citizens, Opportunities for Businesses: Advantages of a
Privacy-Oriented Market. Garante per la Protezione dei Dati Personali
(Italian Data Protection Commission). December 5-6, 2002. Rome, Italy.
For more information: http://www.garanteprivacy.it/

Transformations in Politics, Culture and Society.
Inter-Disciplinary.Net. December 6-8, 2002. Brussels, Belgium. For more
information: http://www.inter-disciplinary.net/tpcs1.htm

18th Annual Computer Security Applications Conference (ACSAC):
Practical Solutions to Real Security Problems. Applied Computer
Security Associates. December 9-13, 2002. Las Vegas, NV. For more
information: http://www.acsac.org/

Call for Proposals: December 13, 2002. O'Reilly Emerging Technology
Conference. April 22-25, 2003. Santa Clara, CA. For more information:

Government Convention on Emerging Technologies. Defending America
Together: The New Era. Government Emerging Technology Alliance (GETA).
January 8-10, 2003. Las Vegas, NV. For more information:

O'Reilly Bioinformatics Technology Conference. February 3 - 6, 2003.
San Diego, CA. For more information:

Third Annual Privacy Summit. International Association of Privacy
Officers. February 26-28, 2003. Washington, DC. For more information:

P&AB's Privacy Practitioners' Workshop and Ninth Annual National
Conference. Privacy & American Business. March 12-14, 2002.
Washington, DC. For more information:

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy.
Association for Computing Machinery (ACM). April 1-4, 2003. New York,
NY. For more information: http://www.cfp2003.org/

O'Reilly Open Source Convention. July 7-11, 2003. Portland, OR. For
more information: http://conferences.oreilly.com/oscon/

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:
     To: epic_news-request@mailman.epic.org
     Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

     To: epic_news-request@mailman.epic.org
     Subject: "help" (no quotes)

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you would
like to change your subscription email address, if you are
experiencing subscription/unsubscription problems, or if you have any
other questions.

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learn
Latin at the same time!  Receive a free epic.org "sed quis custodiet
ipsos custodes?" coffee mug with donation of $75 or more.

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

   ---------------------- END EPIC Alert 9.23 -----------------------