========================================================================
                           E P I C  A l e r t
========================================================================
Volume 14.07                                              April 5, 2007
------------------------------------------------------------------------

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.

             http://www.epic.org/alert/EPIC_Alert_14.07.html


========================================================================
Table of Contents
========================================================================
[1] New Privacy Safeguards for Telephone Customers
[2] EPIC Speaks Before European Parliament on Transatlantic Privacy
[3] EPIC Recommends Against Use of Universal Identifiers
[4] FBI Director Testifies on National Security Letter Misuse
[5] UK Report: You Can Have Security and Privacy
[6] News in Brief
[7] EPIC Bookstore: "Cybercrime"
[8] Upcoming Conferences and Events

========================================================================
[1] New Privacy Safeguards for Telephone Customers
========================================================================

In response to a petition filed by EPIC, the Federal Communications
Commission issued rules to protect the privacy of consumers' telephone
records.  The new safeguards prohibit unauthorized access to phone
records, require passwords for customer accounts, require notice of any
changes to account information, and establish opt-in consent before
disclosing customer information.

FCC Chairman Martin called the unauthorized disclosure of customer
information "a significant privacy invasion." In its petition, EPIC
proposed five security measures that would more adequately protect
access to call detail information: consumer-set passwords, security
breach notification, audit trails, encryption, and limiting data
retention. The FCC addressed the first two security measures in its
rule, and announced a new rulemaking to consider audit trails,
encryption, data retention, and safeguards for information stored in
cell phones.

The rule prohibits companies from releasing call detail information over
the phone except when the customer provides a password. The reason is to
prevent others from pretending to be the customer and fraudulently
obtaining the call record information. If a customer does not provide a
password, the information can be disclosed by mail to the customer's
address of record, or by the company calling the customer's phone number
of record. The rule also requires that customers receive notice of any
changes made to their account information. The rules also include a
requirement to notify customers of unauthorized disclosures of telephone
records; however, law enforcement agencies can delay notification, a
provision that was criticized by Commissioner Copps and Commissioner
Adelstein.

Previous regulations prohibited disclosure of call detail information to
third parties offering non-communications-related services without the
express, or opt-in, consent of customers. The FCC's new rule extends the
requirement of opt-in consent to joint venture partners and independent
contractors. The FCC stated that substantial evidence shows that
"current opt-out rules do not adequately protect customer privacy," and
that an opt-in regime "directly and materially advances privacy and
safety interests by giving customers direct control over the
distribution of their private information."  The FCC also extended the
rules to providers of interconnected VoIP service.

The FCC regulation addresses some of the issues that are considered in
legislation pending in Congress. The Prevention of Fraudulent Access to
Phone Records Act, H.R. 936, has been referred to the House Energy and
Commerce Committee for consideration.

EPIC Executive Director Marc Rotenberg testified on March 9 in support
of this legislation, stressing that action in this area was overdue. 
The Act calls for several of the same measures as the FCC regulations,
such as opt-in requirements for third party disclosure, periodic audits
of telecommunications carriers by the FCC, and the use of
customer-specific identifiers in order to access call detail information.

In several areas, the Act provides stronger privacy protections than the
regulations.  The Act would require telecommunications carriers to keep
a record of each time that a customer's call detail information was
requested, if access was granted, and how the person's identity or
authority to access the information was verified.  Such records would
provide customers with knowledge of how their information was improperly
accessed, giving them a greater ability to prevent another breach.
Furthermore, the Act requires timely notice to a customer if there is an
unauthorized disclosure of his or her information. The Act also requires
the FCC to consider making regulations to require deletion of call
detail information after "a reasonable period of time if such data is no
longer necessary for the purpose for which it was collected."

FCC Report and Order and Further Notice of Proposed Rulemaking (pdf):

     http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-07-22A1.pdf

Prevention of Fraudulent Access to Phone Records Act, H.R. 936:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d110:h.r.00936:

EPIC's Petition to the FCC:

     http://epic.org/privacy/iei/cpnipet.html

EPIC's Illegal Sale of Phone Records page:

     http://www.epic.org/privacy/iei


========================================================================
[2] EPIC Speaks Before European Parliament on Transatlantic Privacy
========================================================================

EPIC Executive Director Marc Rotenberg appeared before the European
Parliament's Committee on Civil Liberties, Justice and Home Affairs for
a public seminar on transatlantic relations and data protection. The
European Parliament is currently reviewing the transfer of travel,
consumer, and financial information on European citizens to the United
States government. European institutions are concerned about the absence
of adequate privacy protection for personal information.

The seminar examined the constitutional and legal context of data
processed in Europe, and in the USA, as well as the applicable
principles on the international level for transfer of personal data,
particularly as they pertain to passenger name records and financial
data. The self-regulatory Safe Harbor model of data transfer was also
discussed.  Members of the European Parliament particularly wanted to
know: what kinds of data are being collected; what are the reasons for
the collection; problems that have arisen following collection; and what
kinds of joint review and redress mechanisms exist.

Mr. Rotenberg's presentation outlined "Recent Privacy Developments in
the United States." He explained that with respect to the privacy of
travelers, “much of the focus continues to be on problems with the watch
list systems as well as proposals to expand profiling and screening of
air travelers.” The data collected is being used by US authorities for a
range of purposes other than the fight against terrorism. He pointed out
"a critical shortcoming of the US Privacy Act," namely that it contains
"no protection at all for non-US citizens," which results in a lack of
redress for European travelers.

Greek Member of Parliament Stavros Lambrinidis said that he was
"concerned about the amount of data transferred as well as about the
unclear purposes for which it will be used." Data protection expert and
Commission advisor Spiros Simitis said that the Commission had "clearly
breached its obligations" by negotiating agreements that were in breach
of data protection laws. The first two US-EU passenger name records
agreements have been highly criticized for their lack of transparency,
data protections, and redress provisions. Negotiations of a third
agreement are currently underway. This month, a Parliamentary delegation
will visit the US to discuss the passenger name records negotiations, as
well as other data transfer issues.

European Parliament Committee on Civil Liberties, Justice and Home
Affairs:

     http://www.europarl.europa.eu/committees/libe_home_en.htm

Marc Rotenberg, “Recent Privacy Developments in the United States”
(pdf):

     http://www.epic.org/redirect/rotenberg0407.html

Privacy International SWIFT Campaign:

     http://www.epic.org/redirect/pi0407.html

EPIC's EU-US Passenger Airline Data page:

     http://www.epic.org/privacy/intl/passenger_data.html


========================================================================
[3] EPIC Recommends Against Use of Universal Identifiers
========================================================================

In comments to the Federal Trade Commission, EPIC warned against using
universal identifiers in authentication systems. "Any move toward
universal identifiers, while potentially deterring amateur thieves,
increases the potential for misuse once determined criminals steal that
data," EPIC said.

EPIC also urged the restriction, rather than expansion, of the use of
Social Security numbers as identifiers. "Social Security numbers have
become a classic example of 'mission creep,' where a program designed
for a specific, limited purpose has been transformed for additional,
unintended purposes, sometimes with disastrous results," EPIC said. The
pervasiveness of the SSN and its use to both identify and authenticate
individuals threatens privacy and financial security; expanding use of
the SSN, making it a universal identifier, would harm, rather than help,
security efforts, EPIC said.

EPIC recommended against the creation of a centralized identification
system and advocated an identity metasystem in which authentication is
confined to specific contexts in order to limit the scope for potential
misuse. EPIC and others have explained that it decreases security to
have a centralized system of identification with one ID card for many
purposes, as there will be a substantial amount of harm when the card is
compromised. "Using a national ID card would be as if you used one key
to open your house, your car, your safe deposit box, your office, and
more," EPIC said. A centralized system of identification creates a
"one-stop shop" for identity thieves. "The confidence and trust of
consumers will fall when such a breach occurs; people will withdraw
because of privacy and security questions," EPIC said.

EPIC explained that "a system of distributed identification reduces the
risks associated with security breaches and the misuse of personal
information." For example, a banking PIN number, in conjunction with a
bank card, provides a better authentication system because it is not
coupled with a single, immutable consumer identity. If the combination
is compromised, a new bank card and PIN number can be issued and the old
combination cancelled, limiting the damage done by the compromised data.
"Distributing identity in this way allows for different profiles to be
used in different authenticating contexts.  New profiles can be created
as required within a single identity metasystem," EPIC said.  Misuse is
therefore limited to the context of the information breached, whether it
is a single bank account, online merchant, or medical records.

Possibilities for data misuse can also be limited at the data collection
stage, EPIC explained. Amassing large databases of credit card numbers
creates an attractive target for potential identity thieves. "One simple
response to identity theft is to require a PIN to be used in conjunction
with all credit cards. An identity metasystem would further reduce the
value of such aggregated database targets, because authenticators would
be separate and distinct from all personally identifiable information,"
EPIC said.
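
The contrast drawn above between a universal identifier and
context-specific, replaceable authenticators, as an added illustration
(not part of EPIC's comments or the original Alert). The Issuer and
RelyingParty classes, the context names and the placeholder identifier
are all assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets


class Issuer:
    """Hypothetical issuer: one authenticator per (person, context)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # never leaves the issuer
        self._generation = {}                # (person, context) -> counter

    def authenticator(self, person, context):
        # Keyed derivation: values for different contexts cannot be
        # linked to each other or to the person without the issuer key.
        gen = self._generation.get((person, context), 0)
        msg = "\x00".join((person, context, str(gen))).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def reissue(self, person, context):
        # Cancel-and-replace for ONE context, like a new card and PIN.
        key = (person, context)
        self._generation[key] = self._generation.get(key, 0) + 1
        return self.authenticator(person, context)


class RelyingParty:
    """Hypothetical bank, merchant or clinic; holds no PII, only a
    digest of the authenticator mapped to an internal account handle."""

    def __init__(self, name):
        self.name = name
        self._accounts = {}

    @staticmethod
    def _digest(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def enroll(self, value, account):
        self._accounts[self._digest(value)] = account

    def revoke(self, value):
        self._accounts.pop(self._digest(value), None)

    def authenticate(self, value):
        return self._accounts.get(self._digest(value))


def exposure(stolen_value, parties):
    """Names of the relying parties at which a stolen value is accepted."""
    return [p.name for p in parties if p.authenticate(stolen_value)]


def make_parties():
    return [RelyingParty(n) for n in ("bank", "merchant", "clinic")]


def universal_identifier_scenario():
    """One immutable identifier reused everywhere: one theft opens all."""
    parties = make_parties()
    universal_id = "000-00-0000"  # constructed placeholder, not a real SSN
    for p in parties:
        p.enroll(universal_id, p.name + "-acct-1")
    return exposure(universal_id, parties)


def distributed_scenario():
    """Separate authenticator per context: theft is contained, then undone."""
    issuer, parties = Issuer(), make_parties()
    person = "person-1"  # constructed label known only to the issuer
    issued = {}
    for p in parties:
        issued[p.name] = issuer.authenticator(person, p.name)
        p.enroll(issued[p.name], p.name + "-acct-1")

    stolen = issued["bank"]
    before = exposure(stolen, parties)

    bank, clinic = parties[0], parties[2]
    bank.revoke(stolen)                          # cancel the old combination
    replacement = issuer.reissue(person, "bank")
    bank.enroll(replacement, "bank-acct-1")      # issue a new one

    return {
        "before": before,
        "after": exposure(stolen, parties),
        "replacement_works": bank.authenticate(replacement) == "bank-acct-1",
        "clinic_unaffected":
            clinic.authenticate(issued["clinic"]) == "clinic-acct-1",
        "all_distinct": len(set(issued.values())) == len(parties),
    }


if __name__ == "__main__":
    print("universal id accepted at:", universal_identifier_scenario())
    print("distributed:", distributed_scenario())
```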

The FTC will hold a workshop, "Proof Positive: New Directions for ID
Authentication," on April 23 at the Commission's Satellite Building
Conference Center located at 601 New Jersey Avenue, NW, Washington, D.C.
The event is open to the public and attendance is free. There will not
be pre-registration.

EPIC Comments to the FTC (March 23, 2007) (pdf):

     http://www.epic.org/privacy/id_cards/epic_ftc_032307.pdf

Federal Trade Commission Notice Announcing Workshop and Requesting
Comments:

     http://www.epic.org/redirect/ftc0407.html

EPIC page on Identity Theft: Causes and Solutions:

     http://www.epic.org/privacy/idtheft/

EPIC page on National ID Cards and the REAL ID Act:

     http://www.epic.org/privacy/id_cards/

========================================================================
[4] FBI Director Testifies on National Security Letter Misuse
========================================================================

On March 27, 2007, FBI Director Robert Mueller testified before the Senate
Judiciary Committee regarding the Bureau's National Security Letter
authority.  A recent report by the Department of Justice Office of the
Inspector General found significant violations of law and regulations by
the FBI in its use of National Security Letters. In his opening
statement, Committee Chairman Patrick Leahy stated that the FBI's
"pattern of abuse of authority and mismanagement causes me and many
others on both sides of the aisle to wonder whether the FBI and
Department of Justice have been faithful trustees of the great trust
that the Congress and American people have placed in them to keep our
nation safe while respecting the privacy rights and civil liberties of
all Americans."

In his testimony, Mr. Mueller stressed the importance of the security
letters in fighting terrorism. He further stressed that the FBI was
committed to fixing the problems exposed in the report.  However, many
senators expressed concern over whether such problems could be fixed,
again raising the question of whether the FBI should be stripped of its
domestic intelligence functions in favor of creating a new agency for
such duties.  Senator Arlen Specter, the ranking Republican member on
the committee, stated that "the question is emerging as to whether the
FBI is up to the enormous task that we have asked it to perform,"
pointing out that "every time we turn around, there is another, very
serious, failure on the part of the bureau."

Senator Specter showed particular concern for the fact that the report
had uncovered that many of the National Security Letters issued under
exigent circumstances were not based on a factual record to support such
a letter.  He stressed the vital importance of factual accuracy, stating
that if incorrect facts are included, an individual is subjected to an
invasion of privacy, and such letters should not be issued.

Representative Jane Harman (D-CA) reintroduced legislation on March 28,
2007, that would return the threshold for the issuance of a National
Security Letter back to the pre-Patriot Act standard of requiring that
the FBI show a specific connection to a terrorist or foreign power.  The
bill, H.R.1739, also requires the approval of a Foreign Intelligence
Surveillance Court judge or designated United States Magistrate Judge
prior to the issuance of a National Security Letter.  The bill would
further increase Congressional oversight of the FBI's use of the
letters.

In a March 21, 2007, letter to the Senate Judiciary Committee, EPIC
recommended that Congress repeal the FBI's National Security Letter
authority.  In 2005, EPIC uncovered documents concerning these letters
which revealed violations of law reported to the Intelligence Oversight
Board. EPIC advised the committee that these documents and the recent
Inspector General report show that the FBI both misused its authority to
issue National Security Letters and has failed to be forthcoming with
information on the use of these powers.  EPIC further urged that the
result of these failures should be the repeal of Section 505 of the
Patriot Act.

Office of the Inspector General's Report (pdf):

     http://www.usdoj.gov/oig/special/s0703b/final.pdf

EPIC's Patriot Act Page:

     http://www.epic.org/privacy/terrorism/usapatriot/

EPIC's National Security Letters page:

     http://www.epic.org/privacy/nsl/

EPIC's letter to the Senate Judiciary Committee (pdf):

     http://www.epic.org/privacy/pdf/nsl_letter.pdf

========================================================================
[5] UK Report: You Can Have Security and Privacy
========================================================================

In a new report, "Dilemmas of Privacy and Surveillance," the Royal
Academy of Engineering explains that security and privacy are not at
odds. The Academy urges the UK government to make "full use of
engineering expertise in managing the risks posed by surveillance and
data management technologies."

The Academy also says "[o]rganisations should not seek to identify the
individuals with whom they have dealings if all they require is
authentication of rightful access to goods or services." The Academy
suggests that travel and shopping services can be designed to allow
anonymous use, thereby maintaining personal privacy. For example, subway
cards should not be linked to any personally identifiable data, because
all that is needed is the authentication of the riders' ability to pay.

Stricter guidelines for companies who hold personal data, requiring them
to store data securely, to notify customers if their data security is
breached, and to tell customers what the data are being used for, are
also necessary, the Academy says. The need for stricter guidelines comes
from the expansion of large databases housing sensitive data; these
databases and networks can "suffer from mechanical failure or software
bugs. Human error can lead to personal data being lost or stolen. If the
system breaks down, as a result of accident or sabotage, millions could
be inconvenienced or even have their lives put in danger."

Among the other key recommendations of the report:

- Information systems should be designed to diminish the risk of failure
and individuals should be compensated when failures occur

- The powers of the [UK] Information Commissioner should be extended

- Research into the effectiveness of camera surveillance is necessary,
to judge whether its potential intrusion into  people's privacy is
outweighed by its benefits

- Commercial organisations that select their customers or vary their
offers to individuals on the basis of profiling  should be required, on
request, to divulge to the data subjects that profiling has been used

- Access by individuals to their personal data should also be made
easier; for example, by automatically providing free copies of credit
reports annually

There has been a string of high-profile data breaches in the last year.
Recently, at least 45.7 million credit and debit card numbers were
stolen by hackers who accessed the computer systems at the TJX Companies
in the United States over a period of several years, making it the
biggest breach of personal data ever reported.

As the Royal Academy notes, "loss or theft of personal data, or
significant mistakes in personal data, can have catastrophic effects on
an individual. They may find themselves refused credit, refused
services, the subject of suspicion, or liable for debts that they did
not incur."

EPIC has long advocated the use of Privacy Enhancing Technologies that
minimize or eliminate the collection of personally identifiable
information. Recently, in comments to the Identity Theft Task Force,
EPIC explained that these technologies allow for the separation of
authentication and identification, creating authentication systems that
preserve anonymity.

Royal Academy of Engineering, Dilemmas of Privacy and Surveillance:
Challenges of Technological Change (March 26, 2007) (pdf):

     http://www.epic.org/redirect/uk0407.html

National Research Council Report, "Who Goes There?":

     http://books.nap.edu/html/whogoes/

EPIC page on Video Surveillance (CCTV):

     http://www.epic.org/privacy/surveillance/

EPIC Comments to Identity Theft Task Force (January 2007) (pdf):

     http://www.epic.org/privacy/idtheft/EPIC_FTC_ID_Theft_Comments.pdf

EPIC page on Identity Theft: Its Causes and Solutions:

     http://www.epic.org/privacy/idtheft/

EPIC's comments to DC Metro:

     http://www.epic.org/open_gov/foia/wmata/parp_cmts-021405.html


========================================================================
[6] News in Brief
========================================================================

Washington State Introduces RFID Enabled Driver's Licenses for Border
Crossing

Washington State and the Department of Homeland Security are jointly
testing a project where the state driver's licenses and identification
cards will be accepted for use under the Western Hemisphere Travel
Initiative, which regulates travel between the United States, Canada,
Mexico, and the Caribbean. The Washington State ID cards would include
proof of citizenship and other sensitive personal data beyond what
current licenses hold. The licenses will include long-range radio
frequency identification (RFID) technology, which EPIC has repeatedly
warned is a privacy and security risk. The Department of Homeland
Security's Data Privacy and Integrity Advisory Committee also has
recommended against the use of RFID in ID documents.

EPIC's RFID Page:

     http://www.epic.org/privacy/rfid/

Spotlight on Surveillance on the Western Hemispheric Travel Initiative:

     http://www.epic.org/privacy/surveillance/spotlight/0806/


Government Report: Data Mining Program Has Numerous Privacy Risks

A federal data mining program created to troll vast amounts of data in
order to attempt to find suspicious people has numerous privacy risks,
according to the Government Accountability Office. In a report, the GAO
says the Analysis, Dissemination, Visualization, Insight and Semantic
Enhancement (ADVISE) program's privacy risks "include the potential for
erroneous association of individuals with crime or terrorism and the
misidentification of individuals with similar names." The GAO recommends
that the Department of Homeland Security "immediately conduct a privacy
impact assessment of the ADVISE tool to identify privacy risks and
implement privacy controls to mitigate those risks." Previous data
mining efforts by the federal government include the 2002 Total
Information Awareness system, envisioned to give law enforcement access
to private data without suspicion of wrongdoing or a warrant. After a
public outcry and much criticism, in September 2003, Congress eliminated
funding for the controversial project and closed the Pentagon's
Information Awareness Office, which had developed it.

Government Accountability Office, Data Mining: Early Attention to
Privacy in Developing a Key DHS Program Could Reduce Risks (Feb. 2007)
(pdf):

     http://www.gao.gov/new.items/d07293.pdf

EPIC page on Total Information Awareness:

     http://www.epic.org/privacy/profiling/tia/


Ontario Information and Privacy Commission Report on Biometric
Encryption

The Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian,
released a joint research paper with Dr. Alex Stoianov, an
internationally-recognized biometrics scientist.  The paper, entitled,
"Biometric Encryption: A Positive Sum Technology that Achieves Strong
Authentication, Security AND Privacy," discusses how biometrics can be
deployed in a privacy-enhanced way that minimizes the potential for
surveillance and abuse, maximizes individual control, and ensures full
functionality of the systems in which biometrics are used. The paper
suggests that biometric encryption can address the privacy, security and
trust problems of current biometric information systems. With biometric
encryption, instead of storing a sample of one's fingerprint in a
database, you can use the fingerprint to encrypt or code some other
information, like a PIN or account number, or cryptographic key, and
only store the biometrically encrypted code, removing the need to
collect and store the biometric itself.

Information and Privacy Commission of Ontario:

     http://www.ipc.on.ca

EPIC's Biometric Identifiers page:

     http://www.epic.org/privacy/biometrics/


Internet Oversight Agency Creates New Group on Domain Name Privacy

The Internet Corporation for Assigned Names and Numbers (ICANN)'s WHOIS
task force submitted its Final Report on WHOIS Services to Council at
ICANN meetings in Lisbon last week. The report endorses the Operational
Point of Contact (OPoC) proposal to limit public access to domain name
registrants' personal information by allowing registrants to use
alternate contact details.  Because the proposal leaves many
implementation details unanswered, the Council decided to establish a
new working group to examine implementation issues. The group will focus
on the endorsed OPoC approach, and will only return to the alternative
proposal mentioned in the Final Report if it cannot sort out the
implementation details.

Final Task Force Report on WHOIS Services:

     http://www.epic.org/redirect/whois0307.html

EPIC's WHOIS page:

     http://www.epic.org/privacy/whois/


Biggest Ever Breach of Data

A data breach at the corporate parent of retailers such as TJ Maxx and
Marshall's has exposed 45.7 million credit card account numbers. The
previous record was the 2005 breach of 40 million numbers at Cardsystems
Inc. Attackers broke into the company's computer system and downloaded
the numbers over the span of several years. For 450,000 customers that
had returned items, driver's license information was also lost.  The
size and timing of the breach are being disclosed in filings to the
Securities and Exchange Commission after several months of TJX refusals
to describe the breach. A ring of credit card fraudsters using data from
TJX was recently apprehended in Florida. The breach spurred Congress to
call for legislation protecting personal data. Senators Leahy and
Specter have previously introduced the Personal Data Privacy and
Security Act, S. 495.

Personal Data Privacy and Security Act, S. 495:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d110:s.00495:

EPIC's Identity Theft page:

     http://www.epic.org/privacy/idtheft/


========================================================================
[7] EPIC Bookstore: "Cybercrime"
========================================================================

Cybercrime: Digital Cops in a Networked Environment, by J. M. Balkin
(New York University Press, 2007).

     http://www.epic.org/redirect/powells0407.html

"The Internet has dramatically altered the landscape of crime and
national security, creating new threats, such as identity theft,
computer viruses, and cyberattacks. Moreover, because cybercrimes are
often not limited to a single site or nation, crime scenes themselves
have changed. Consequently, law enforcement must confront these new
dangers and embrace novel methods of prevention, as well as produce new
tools for digital surveillance - which can jeopardize privacy and civil
liberties. Cybercrime brings together leading experts in law, criminal
justice, and security studies to describe crime prevention and security
protection in the electronic age. Ranging from new government
requirements that facilitate spying to new methods of digital proof, the
book is essential to understand how criminal law - and even crime
itself - have been transformed in our networked world."

Contributors: Jack M. Balkin, Susan W. Brenner, Daniel E. Geer, Jr.,
James Grimmelmann, Emily Hancock, Beryl A. Howell, Curtis E.A. Karnow,
Eddan Katz, Orin S. Kerr, Nimrod Kozlovski, Helen Nissenbaum, Kim A.
Taipale, Lee Tien, Shlomit Wagman, and Tal Zarsky


================================

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.
http://www.epic.org/bookstore/phr2005/phr2005.html

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.

================================

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:
$40.
http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference
manual.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
$40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the
CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.

================================

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/features/epic/epic.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes


========================================================================
[8] Upcoming Conferences and Events
========================================================================

Roundtable on Health IT and privacy. April 13, 2007. Washington, DC.
For more information email brettefishman@allhealth.org

Security and Liberty Forum. University of North Carolina. April 14,
2007. Chapel Hill, NC. For more information: www.seclibforum.org

Proof Positive: New Directions for ID Authentication Public Workshop.
Federal Trade Commission. April 23 and 24, 2007. Washington, DC. For
more information contact: idmworkshop@ftc.gov

CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:
http://www.cfp2007.org

Music, Technology and IP Policy Day. May 2, 2007. Washington, DC. For
more information:
http://www.futureofmusic.org/events/dcpolicyday07/index.cfm

Conference on Interdisciplinary Studies in Information Privacy and
Security. Rutgers University. May 22, 2007. New Brunswick. For more
information: http://www.scils.rutgers.edu/ci/isips/

Privacy Compliance Conference. The Canadian Institute.  May 30-31, 2007.
Toronto, Canada.  For more information:
http://www.privcom.gc.ca/events/index_e.asp

29th International Conference of Data Protection and Privacy
Commissioners. September 25-28, 2007.  Montreal, Canada. For more
information:
http://www.privacyconference2007.gc.ca/Terra_Incognita_home_E.html

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:

https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:

http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 14.06 -------------------------
