EPIC logo

                            E P I C  A l e r t
Volume 10.24                                           December 3, 2003

                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.
http://www.epic.org/alert/EPIC_Alert_10.24.html ======================================================================
Table of Contents

[1] U.S. Supreme Court Hears Privacy Cases
[2] Voting Committee Urges Better Standards
[3] Coalition Recommends RFID Privacy Practices
[4] Human Rights a Concern at Upcoming World Summit
[5] Court Invalidates Car Navigation System Surveillance
[6] News in Brief
[7] EPIC Bookstore: Silenced
[8] Upcoming Conferences and Events

[1] U.S. Supreme Court Hears Privacy Cases
The United States Supreme Court today focused on privacy issues
presented in Freedom of Information Act and Privacy Act cases. EPIC
submitted a "friend of the court" brief in Doe v. Chao, a case that
will determine whether government public disclosure of an individual's
Social Security number causes sufficient harm to justify an award of
damages under the Privacy Act.

The Court first heard oral argument in Office of Independent Counsel
v. Favish, which arises from a California attorney's Freedom of
Information Act (FOIA) request for photographs taken during the police
investigation of the death of Vincent Foster, deputy counsel to former
President Clinton. The requester sought the photos as part of an
effort to investigate what he believed was a cover-up of Foster's
murder, despite the determination of the Office of Independent Counsel
(OIC) that Foster's death was a suicide. Lower court proceedings
resulted in the release of numerous photographs and the withholding of
others. On remand from the court of appeals, the district court
determined that the public interest in the release of five of the
photos outweighed the Foster family's privacy interest in those
photos. The appeals court affirmed that ruling for all but one of the
photographs in an unpublished opinion. The Supreme Court will
determine whether the OIC properly withheld photos relating to
Foster's death because their release would constitute "an unwarranted
invasion of personal privacy" of the Foster family under exemption
7(c) of the FOIA.

In a second oral argument, the Court turned its attention to Doe v.
Chao. In this case, the Department of Labor used miners' Social
Security numbers (SSNs) as claim identifiers for black lung benefit
applications, and subsequently disclosed those numbers in public
documents. The miners filed suit against the Secretary of Labor,
asserting that the Labor Department's public disclosure had violated
their rights to privacy under the Privacy Act. The district court
held that proof of actual injury is necessary to receive statutory
damages, the amount of which is specified in advance by the Privacy
Act so that a dollar amount doesn't have to be proved. The court
determined that only one miner, Buck Doe, had successfully proved
actual damages by showing emotional distress. On appeal, the Fourth
Circuit held that a person must show a privacy violation caused actual
harm to recover damages under the Privacy Act, despite the fact that
the Privacy Act provides for damages of at least $1000 for those who
have suffered an "adverse effect" from an agency's willful or
intentional violation of the law. The Fourth Circuit also held that
Buck Doe's showing of emotional distress was insufficient to justify
an award of damages under the Privacy Act. The Supreme Court will
review the question of whether actual damages must be shown in order
to obtain a statutory damages award for violation of the Privacy Act.

In its "friend of the court" brief in Doe v. Chao, EPIC discussed the
grave dangers posed by SSN disclosure, specifically focusing on
identity theft. EPIC pointed out that Congress has provided statutory
damages in other federal privacy laws to enforce rights where it is
difficult to determine a monetary value. The brief also reviewed the
Privacy Act's legislative history to demonstrate that Congress has
long recognized the risks to privacy posed by unnecessary SSN
disclosure, and intended to provide statutory damages for Privacy Act
violations. EPIC asserted that the award of statutory damages under
the Privacy Act should be triggered not by a showing of specific
monetary damages, but by a showing of adverse affect to the individual
posed by SSN misuse.

The Supreme Court will render decisions in Favish and Doe before the
Court's summer recess in late June or early July.

EPIC's Doe v. Chao amicus brief is available at:


For background information, see EPIC's Doe v. Chao page at:

http://www.epic.org/privacy/chao/ ======================================================================
[2] New Voting Committee Formed to Promote Verification
A new organization dedicated to promoting voting integrity in the U.S.
has urged the 2004 presidential candidates to take a stand on
electronic voting issues. The recently-formed National Committee on
Voter Integrity (NCVI) held a press conference to discuss the
reliability and integrity of electronic voting systems. The Committee
also presented its letter to the presidential candidates, calling on
them to state their position on electronic voting machines and asking
what steps they believe should be taken to ensure the integrity of the
election process. The Committee, which brings together a host of
experts on voting issues working in technology, academia, politics,
and media, is chaired by Peter G. Neumann, principal scientist at SRI
International Computer Science Laboratory. NCVI has been established
in response to growing concern over flaws and vulnerabilities in
electronic voting systems that are being adopted in states across the
country, with the stated goal of promoting voter-verified balloting
and preserving privacy protections for elections in the United States.

The formation of the National Committee on Voter Integrity comes as
the debate over electronic voting has reached a new level of
intensity. Just last week, California Secretary of State Kevin
Shelley announced a new requirement for "voter verified paper audit
trails" for all touch screen voting machines used in the state by
2006. The decision comes following the review of a report by a voting
task force convened last February, as well as a series of recent
reports and local snafus demonstrated the concerns about such voting
systems are valid. As it stands, all electronic voting machines used
in the state are required to be equipped with a printer that produces
a paper receipt of each voter's selections by July of 2006. Beginning
in July 2005, counties will not be able to purchase any electronic
machines that do not produce a paper trail. The California decision
is a significant victory for advocates of voter verification,
including NCVI.

In another important development, one of the preeminent electronic
voting machine makers, Diebold Election Systems, announced Monday that
it was withdrawing its legal threats against ISPs and individuals who
had posted Diebold memos online. The private memos, which contained
information damaging to Diebold, were leaked earlier this year and
passed around the web to dozens of voting activists. In response,
Diebold sent out cease and desist letters in an attempt to force the
posters to remove the memos, claiming copyright infringement under the
Digital Millennium Copyright Act. However, the company has backed
down, perhaps as the result of a recent lawsuit filed by the
Electronic Frontier Foundation and Center for Internet and Society
Cyberlaw Clinic at Stanford Law School contesting Diebold's tactics. The National Committee for Voting Integrity's website is available at:


California Secretary of State Kevin Shelley's announcement is
available at:


The Electronic Frontier Foundation's press release on Diebold's
decision is available at:


For background information, see EPIC's Voting page at:


[3] Coalition Recommends RFID Privacy Practices
More than 35 groups, including EPIC, have endorsed a privacy statement
outlining the threats and best practices for the use of Radio
Frequency Identification (RFID) technology in consumer products.
The November 20 statement outlined the threat to civil liberties and
consumer privacy that RFID technology poses in eliminating purchasing
anonymity, and recommended solutions to curb the most important
threats. The solution put forth includes routine technical
assessments of the use of the technology and requiring companies to
abide by established fair information practices (FIPs) recommended by
the Organization for Economic Co-operation and Development (OECD).
The OECD guidelines include requiring open policies and accountability
for breaches of those policies, purpose specification, limits on
collection, and security safeguards.

The debate over use of RFID technology is not just playing out in
theory and privacy statements. The technology has been making
headlines recently as more and more retail outlets are stocking their
shelves with products tagged by RFID. Wal-Mart received criticism for
the company's secret testing of RFID in heath and beauty products
earlier this year, but that has not stopped the push for RFID.
Wal-Mart announced that it intends to require all of the products sold
in the store to be tagged with RFID within two years.

However, the coalition privacy statement does not advocate a complete
rejection of the retail use of the technology. On the contrary, the
statement acknowledged that there are acceptable uses of RFID,
including for use in tracking pharmaceuticals, certain manufactured
goods before the point of sale, and tracking toxic substances. Yet,
for all other uses of the technology, especially at the point where
the consumer comes in, the statement urges reasonable measures to
assure that the individuals are not forced to relinquish their
anonymity at the point of sale and after they leave the store.
The coalition's positions paper is available at:


The OECD's fair information practices guidelines are available at:


For background information, see EPIC's RFID page at:

[4] Human Rights a Concern at Upcoming World Summit

The first phase of the World Summit on the Information Society will
take place next week in Geneva, Switzerland. The Summit, organized by
the International Telecommunication Union (ITU) and other UN Agencies,
will be held in two phases, the second phase taking place in Tunisia
from November 16-18, 2005. The Summit process includes the drafting
and adoption of a Declaration of Principles and Plan of Action
involving goals for the Information Society and the means of achieving

The International Symposium on the Information Society, Human Dignity
and Human Rights stated in preparation for the WSIS, that "the
information and communication society must be firmly based on, and
must contribute to the development of, human dignity and human rights
- all human rights, civil, political, economic, social and cultural
rights." Civil society groups have been working diligently to ensure
that this is the case, as the preparatory documents appear to sideline
human rights. Preparation for the Summit involved three preliminary
conferences, where the drafting of the Declaration of Principles and
Plan of Action took place. At the Geneva meeting, governments will
merely adopt the Declaration of Principles and Plan of Action. Many
members of civil society concerned about privacy and human rights feel
that much more needs to be done, and that the Declaration is not yet
adequate on a number of issues. First of all, preparation for the
Summit has involved a heavy concentration on fighting cyber-crime and
digital piracy, as the Cyber-Crime Convention of 2001 has shaped much
of the agenda. According to Cyber-Rights and Cyber-Liberties' recent
analysis of the Cyber-Crime Convention, the document significantly
favors law enforcement over a respect for fundamental human rights.
Many governments, including the United States are pushing for its
adoption, which will have harmful impacts on information privacy, even
before the countries that need communications development have started
to build a modern infrastructure.

Secondly, the drafts remain inadequate in protections for human
rights. Koïchiro Matsuura, the Director General of UNESCO, has
expressed concern over the fact that the reference to Article 19 of
the Universal Declaration of Human Rights is still under negotiation
in the present drafts of the WSIS Declaration of Principles and the
Plan of Action. Mr. Matsuura also faults the drafts for a lack of
unambiguous "assurance that freedom of expression is recognized as the
fundamental principle underlying and informing the development of the
information society." Finally, many civil society groups are working
to broaden the focus of the Summit to include communication and media
issues beyond the Internet. According to a representative from the
Communication Rights in the Information Society (CRIS) campaign,
"Early hopes that the WSIS would tackle a broad range of information
and communication issues have been dashed and the agenda that has
emerged is concerned mainly with telecommunication and internet
related issues, viewed from a technical perspective and a narrowly
construed development agenda."

Originally, the WSIS was organized to improve access to information
and communication technologies for the vast majority of the world's
population. At this point, however, it is still unclear whether the
Declaration and Action Plan will enhance or actually hinder access.
Civil society groups like UNESCO and CRIS are working to ensure that
human rights maintain a focal position, as are Stephanie Perrin, a
Senior Fellow at EPIC, and Deborah Hurley, an EPIC Advisory Board
member, who have both been selected to speak at the WSIS conference.
This work is also taking place outside the conference, as there are
many civil society events taking place in Geneva alongside the Summit.
For example, the CRIS campaign has initiated the World Forum on
Communication Rights, which will take place alongside the Summit in
Geneva on December 11. This Forum, an independent civil-society led
initiative, is not in opposition to the Summit but intended to
highlight and make practical progress in spheres the Summit fails to
The World Summit on the Information Society web page is available at:


The International Symposium on the Information Society, Human Dignity
and Human Rights Statement is available at:


Cyber-Rights & Cyber-Liberties' "Advocacy Handbook for the Non-
Governmental Organizations: The Council of Europe's Cyber-Crime
Convention 2001" is available at:


The UNESCO Statement is available at:


World Forum on Communication Rights web page is available at:

[5] Court Invalidates Car Navigation System Surveillance
The Ninth Circuit Court of Appeals has ruled that a lower court should
not have allowed the FBI to order a telematics company to convert an
automobile's navigation system into a wiretapping device. On-board
telematics systems use cellular technology to provide location
information, data and voice communication, and information about the
condition of the vehicle. The systems are used to aid in navigation,
or to alert police to an accident or emergency. The Court of Appeals
found that the conversion of a telematics device into an eavesdropping
system excessively interfered with the car's emergency features.
In the case, agents obtained a series of orders that required an
unnamed telematics company to quietly activate an anti-theft recovery
system in a suspect's car. The FBI employed 18 U.S.C. Sec. 2518(4) to
obtain the order, which requires communications companies, landlords,
and custodians to assist law enforcement in intercepting conversations
"unobtrusively and with a minimum of interference with the services"
provided. The system transmitted conversations held in the car
directly to the FBI, but in doing so, it also disabled the system's
safety features.

The telematics company challenged the order, arguing that it was not
subject to the obligations of Sec. 2518(4), and that the surveillance
would interfere with the services provided to the customers. While
the Court of Appeals held that a telematics company would generally
have to comply with orders to assist law enforcement in wiretapping,
in this case, the eavesdropping interfered excessively with the
provision of navigation and emergency services. Accordingly, in
future cases, surveillance of auto telematics systems may be lawful
where it does not interfere unreasonably with the operation of the
The Company v. U.S.A. decision, No. 02-15635 (9th Cir. Nov. 18, 2003),
is available at:

[6] News in Brief
The Department of Homeland Security announced the termination of a
foreign visitor registry program that required certain non-immigrant
aliens to register every 30 days and annually with the government
while in the U.S. This program, called the National Security Entry
Exit Registration System (NSEERS), mandated that men and boys from 25
mostly Middle Eastern countries be fingerprinted, photographed and
interviewed at U.S. immigration offices. While intended to help
assure the government that no known terrorists were in this country,
the program was the target of a great deal of criticism for what many
felt was racial profiling and targeting of innocent foreigners. In
place of NSEERS, the U.S. government is planning to implement a system
called US-VISIT, that will digitally photograph and fingerprint
millions of people who visit the United States each year on tourist,
business and student visas. US-VISIT is slated to begin operation
January 5.
The Department of Homeland Security's Fact Sheet on US-VISIT is
available at:

The Supreme Court has unanimously ruled that police acted reasonably
when forcing entry to a suspect's home after announcing their intent
to enter and waiting fifteen to twenty seconds. In the case, police
announced their presence, waited, and then battered down a suspect's
door in search of drugs. The suspect had not heard the police, and a
search of the home produced weapons and cocaine. In evaluating
reasonableness of search warrant executions, the Court held that the
totality of facts known to the officers were relevant. Here, the
Court reasoned, delaying the entry beyond a short wait could have
given the suspect an opportunity to destroy the drugs, as a prudent
dealer would store the contraband near a sink or toilet. In other
cases, a short wait would be unreasonable: "Police seeking a stolen
piano may be able to spend more time to make sure they really need the
battering ram."
The United States v. Banks decision, No. 02-473 (US 2003), is
available at:

The Federal Communications Commission held a forum this week to
discuss "Voice Over Internet Protocol" (VoIP), a technology used to
facilitate Internet telephony. Many privacy issues are raised by the
technology. First, VoIP users can evade police wiretapping in some
cases. As a result, the FBI has sought to impose new requirements on
Internet telephony providers that would facilitate wiretapping.
Second, location privacy issues are raised with the development of
"presence sensing" and E911-compliant Internet telephony systems.
Finally, developing Internet telephony contact systems, such as ENUM,
may depend on individuals posting personal contact information in
publicly-available databases. FCC Commissioners were concerned also
with taxation issues, universal service access, and access to the
service by people who are disabled. Any member of the public may
submit comments on the forum until December 15. The FCC is expected
to release a Notice of Public Rulemaking on VoIP soon.
Information on the FCC VOIP Forum is available at:


For background information, see EPIC's Internet Telephony page at:


For background information, see EPIC's ENUM page at:

[7] EPIC Bookstore: Silenced
Privacy International and GreenNet Educational Trust, "Silenced: An
International Report on Censorship and Control of the Internet"

Privacy International and GreenNet Educational Trust's report,
"Silenced: An International Report on Censorship and Control of the
Internet," is a must-read for anyone interested in the role
information technology plays in society today. The report details the
many forces that exert control over Internet content and highlights
important trends that are emerging in online censorship. "Silenced"
underscores the dichotomy of the relationship between the Internet and
expression. On the one hand, the Internet bolsters access and
opportunity for people to communicate their views; however, it also
increases opportunities for surveillance and offers a wealth of power
to entities looking to control speech. This is not a new phenomenon,
the authors point out, and will continue to be a battleground as the
Internet matures.

A central theme of the report is the tightening of government
regulation of speech online in the wake of September 11. It's not
surprising that governments around the world have passed a host of new
laws targeting Internet control and surveillance in the past few
years, but it is cause for concern. The authors are careful to point
out, however, that other, less obvious threats to free online
expression lurk in the wings. One such threat they take pains to
highlight is the control that industry and private corporations are
increasingly exerting over Internet content. New copyright laws and
intellectual property protections have been enacted all over the world
in recent years, disproportionately advancing the interests of
business over individuals. Another important aspect of censorship
that the report bring to light is the relationships between censorship
and surveillance and the importance of anonymity in protecting speech
online. As the report states, "Anonymous speech is a mechanism that
protects individuals from intimidation; and this is what binds privacy
and free expression tightly together."

"Silenced" does an admirable job of detailing the status of free
speech in 40-some nations around the world. As expected, different
regions maintain varied approaches to censorship and online
expression, but two themes emerge -- increasing censorship in the name
of anti-terrorism and the prevalence of a digital divide between the
haves and have-nots. Some of the report's most interesting segments
are included in the discussion of censorship in Middle East countries.
However, "Silenced" unfortunately pays short shrift to Latin America,
not even including Mexico in its study.

Overall, Privacy International and GreenNet Educational Trust's report
on Internet censorship is an important contribution to the scholarship
on the information society and provides a clear, convincing
perspective on the dangers of current attempts to control speech
online throughout the world. --Emily Cadei ================================ EPIC Publications: "The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40. http://www.epic.org/bookstore/pls2002/ The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources. ================================ "FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40. http://www.epic.org/bookstore/foia2002/ This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual. ================================ "Privacy & Human Rights 2003: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $35. http://www.epic.org/bookstore/phr2003/ This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty-five countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws. ================================ "Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20. http://www.epic.org/bookstore/filters2.0/ A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression. ================================ "The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40. http://www.epic.org/cls/ The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy. ================================ "Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20. http://www.epic.org/bookstore/crypto00&/ EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement. ================================ EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at: EPIC Bookstore http://www.epic.org/bookstore/ "EPIC Bookshelf" at Powell's Books http://www.powells.com/features/epic/epic.html ====================================================================== [8] Upcoming Conferences and Events ====================================================================== Panel Discussion on Electronic Voting Problems. Computer
Professionals for Social Responsibility. December 6, 2003.
Washington, DC. For more information:
http://www.cpsr.org/conferences/evoting/DC1203.html. Media Freedoms and the Arab World. The Arab Archives Institute. December 6-8, 2003. Amman, Jordan. For more information: email aainstitute@yahoo.com or see http://www.ijnet.org/FE_Article/newsarticle.asp?UILang=1&CId=115794& CIdLang=1. Building Trust and Confidence in Voting Systems. National Institute
of Standards and Technology. December 10-11, 2003. Gaithersburg, MD.
For more information: http://vote.nist.gov/overview.html. WHOLES - A Multiple View of Individual Privacy in a Networked World. Swedish Institute of Computer Science. January 30-31, 2004. Stockholm, Sweden. For more information: http://www.sics.se/privacy/wholes2004. The New Fair Credit Reporting Act. Privacy & American Business.
February 9-10, 2004. Washington, DC. Email info@pandab.org. O'Reilly Emerging Technology Conference. February 9-12, 2004. San
Diego, CA. For more information: http://conferences.oreilly.com/etech. IAPP 4th Annual Privacy & Security Summit & Expo. February 18-20,
2004. Washington, DC. For more information:
RSA Conference 2004 - The Art of Information Security. February
23-27, 2004. San Francisco, CA. For more information,
http://www.rsaconference.com. Securing Privacy in the Internet Age. Stanford Law School. March 13-14, 2004. Palo Alto, CA. For more information: http://cyberlaw.stanford.edu/privacysymposium/. International Conference on Data Privacy and Security in a Global Society. Wessex Institute. May 11-14, 2004. Skiathos, Greece. For more information: http://www.wessex.ac.uk/conferences/2004/datasecurity04/index.html. O'Reilly Open Source Convention. July 26-30, 2004. Portland, OR. For
more information: http://conferences.oreilly.com/oscon. ====================================================================== Subscription Information ====================================================================== Subscribe/unsubscribe via Web interface: http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news Subscribe/unsubscribe via e-mail: To: epic_news-request@mailman.epic.org Subject: "subscribe" or "unsubscribe" (no quotes) Automated help with subscribing/unsubscribing: To: epic_news-request@mailman.epic.org Subject: "help" (no quotes) Problems or questions? e-mail < info@epic.org> Back issues are available at: http://www.epic.org/alert/ The EPIC Alert displays best in a fixed-width font, such as Courier. ====================================================================== Privacy Policy ====================================================================== The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions. ====================================================================== About EPIC ====================================================================== The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at: http://www.epic.org/donate/ Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ---------------------- END EPIC Alert 10.24 ---------------------- .