EPIC logo

                           E P I C  A l e r t
Volume 13.09                                                 May 5, 2006

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] Secret Surveillance at an All-Time High
[2] Coalition Comments on Phone Record Privacy; FTC Brings 5 Cases
[3] Federal Appeal Pushes for WHOIS Privacy
[4] Privacy, Technology Experts Convene for CFP 2006
[5] EPIC Welcomes New Board Members
[6] News in Brief
[7] EPIC Bookstore: Herbert N. Foerstel's "Surveillance in the Stacks"
[8] Upcoming Conferences and Events

[1] Secret Surveillance at an All-Time High

Two annual reports recently released by federal agencies show that
surveillance activity conducted by the United States government has
continued to rise dramatically since the 9/11 terrorist attacks, with
use of investigative powers under the Foreign Intelligence Surveillance
Act again at an all-time high.

According to the Department of Justice's 2005 Foreign Intelligence
Surveillance Act Annual Report, the government made 2,074 applications
to the Foreign Intelligence Surveillance Court in 2005 for approval to
conduct physical or electronic searches. Two of the applications were
withdrawn before the court decided whether to approve them, though one
of these applications was later resubmitted and approved by the court. 
Though the court did not deny any of the applications, it did modify 61
applications before approving them.

The number of secret surveillance applications approved is a marked
increase over 2004's total of 1,758, which itself had been more than in
any previous year. The years 2003-2005 are the only ones since FISA's
1978 passage that more secret surveillance applications were granted
than federal wiretap warrants, which are issued only under a more
stringent legal standard.

For the first time, this year's annual report included information about
the government's requests for access to business records and issuance of
national security letters.  The report stated that the government issued
9,254 national security letters for information about 3,501 United
States persons in 2005.  The Justice Department also reported that it
made 155 applications for access to business records and production of
tangible things in 2005, all of which were approved by the court.

In related news, a report issued by the Administration Office of the
United States Courts shows that state and federal courts authorized
1,773 interceptions of wire, oral, and electronic communications in
2005, an increase of 4 percent over intercepts approved in 2004. Federal
officials requested 625 intercept applications in 2005, a 14 percent
decrease from the number requested in 2004.  Only one wiretap
application was denied last year.

2005 Foreign Intelligence Surveillance Act Annual Report:


2005 Wiretap Report (pdf):




EPIC's Wiretap Page:


[2] Coalition Comments on Phone Record Privacy; FTC Brings 5 Cases

A coalition of consumer and civil liberties groups joined EPIC in filing
comments with the Federal Communications Commission that urge the agency
to adopt stronger protections for phone records.  Phone records (and
other types of personal information held by businesses) are vulnerable
to "pretexting," a practice where an individual impersonates another
person, employs false pretenses, or otherwise uses trickery to obtain
information.  In 2005, EPIC identified 40 websites offering to obtain
phone records through pretexting, and filed a petition with the FCC to
require stronger rules for protecting phone records (See EPIC Alert
12.18 http://www.epic.org/alert/EPIC_Alert_12.18.html ).  FCC granted
the petition and may issue new rules to protect phone records this year.

The comments focus on the failure of phone carriers to shield customer
information from private investigators and online data brokers who use
pretexting.  In particular, the coalition argued that the use of
biographical identifiers as passwords, such as the Social Security
number and date of birth, has made phone records vulnerable to
pretexting.  These identifiers are widely available to pretexters
through subscriptions to commercial data broker services.

The coalition also warned the FCC that information sharing can
exacerbate privacy risks.  For instance, consumer lists can be used to
target the mature or other vulnerable populations.  And the more
information is shared among different companies, the greater the risk
that corrupt insiders can access and sell the data.

Under current rules, phone companies can share phone records unless the
customer opts out.  Many carriers use inconvenient and burdensome
systems to allow individuals to opt out.  The coalition argued that
since carriers have frustrated opt out rights, the standard should be
shifted to opt-in consent.

Under FCC procedural rules, any individual can file comments on this
issue until May 19th.

In related news, the Federal Trade Commission brought suit Wednesday
against five companies for obtaining phone records illegally. The suits
allege that the companies engaged in unfair business practices by
obtaining phone records without consent.  Earlier in the year, FTC sent
warning letters to 29 companies offering phone records online.

Coalition Comments:
EPIC Illegal Sale of Phone Records Page:
File Comments on the Proceeding:

FTC Page on Phone Records Lawsuits:


[3] Federal Appeal Pushes for WHOIS Privacy

EPIC has filed a friend of the court brief supporting the rights of .US
domain name holders not to publish their personal information on the
Internet. In 2005, the Department of Commerce, which administers the .US
domain, banned users from using proxy services that would protect
privacy. EPIC's brief supports one user who is trying to block the
Commerce Department policy. The EPIC brief argues that privacy experts
have made clear that personal information should not be routinely
accessible in the WHOIS database and that the policy for .US provides
much less protection when compared with the policies of other countries
for country code domains.

Every person who registers an Internet domain name must provide personal
contact information to a registrar during the registration process. 
This information, which includes a person's name, address, telephone
number, and email address, is then published in a publicly available
online database called WHOIS.  Many registrars will offer a "proxy
service," meaning that the company lists its own contact information in
WHOIS, and agrees to forward any message on to the domain name holder.

The .US domain is the United States' country code top level domain,
administered by the National Telecommunications and Information
Administration, a Commerce Department agency. In 2005, the agency
prohibited anyone with a .US domain name from using a registrar's proxy
service.  Robert Peterson, who owned a .US domain and wanted to protect
his home address and phone number, sued in federal court to prevent the
new rule from going into effect.

EPIC filed a friend of the court brief in support of Peterson, arguing
that, in addition to violating Peterson's First Amendment rights to
speak anonymously, the NTIA rule runs counter to the international trend
of protecting the privacy of users' WHOIS information. The country code
top level domains of other nations not only allow proxies, but some
actively encourage their use. Other countries go even farther, by
allowing users to opt out of personal information appearing in the
database or even preventing the information from being published in the
first place.

EPIC's Peterson v. NITA page:


EPIC's Amicus Brief:


[4] Privacy, Technology Experts Convene for CFP 2006

The 16th annual Computers, Freedom, and Privacy conference met this week
in Washington, DC. The event, presented by the Association for Computing
Machinery, covered a wide range of topics affecting technology and civil

An early plenary session discussed the possibility of federal privacy
legislation in the United States. Michael Hinze, a lawyer at Microsoft,
reiterated the software giant's call for broad federal privacy
legislation. However, other panelists, including David Solove, a law
professor at George Washington University, noted that the federal
proposals for privacy laws could weaken privacy protections by canceling
out stronger state law protections. Patrick Van Eecke, a practicing
lawyer in Belgium and a lecturer at the University of London, analyzed
the European model of broad privacy laws, concluding that the European
model is not as uniform as it seems, and that it can sometimes lead to
absurd results in court. James Assey, a Democratic lawyer for the Senate
Communications Subcommittee, guessed that a broad privacy law would not
likely be forthcoming in this session of Congress, though more limited
bills on phone record privacy have better chances.

Another panel discussed camera surveillance systems. Sharon Franklin of
the Constitution Project previewed a report, to be released later this
month, that sets out guidelines and best practices for camera
surveillance, including that cameras should only be installed when there
is a clearly articulated law enforcement purpose, and not merely a vague
reference to "lowering crime." Gus Hosein of Privacy International
described the proliferation of cameras (more than 4 million) in the
United Kingdom, even though government reports had shown the systems had
little effect on decreasing crime. Melissa Ngo of EPIC discussed the
large amount of federal homeland security funds being wasted on camera
systems. For example, Dillingham, Alaska has a population of 2,400, but
has just spent $202,000 in homeland security funds on 80 cameras - one
for every 30 people. Nicole Ozer of the ACLU of Northern California
discussed grassroots campaigns against camera surveillance systems in
the states, including California, which includes a right to privacy in
its state constitution.

On Thursday, a panel covered the privacy implications of databases
compiled in the wake of hurricanes Katrina and Rita. While Vincent
Sylvain of Policamp told of his firsthand experiences in New Orleans and
of the ways in which communications networks provided vital information
to residents and evacuees, Cindy Southworth of the Natonal Network to
End Domestic Violence and Dr. Deborah Peel of Patient Privacy Rights
explained how emergency database systems can easily put evacuees at
further risk.  Southworth explained how the evacuee locator databases
could easily aid a stalker or abuser, and argued that victims should be
able to receive basic services anonymously, or be able to shield their
identities from public databases.  Peel described the emergency
databases set up to catalog patient records for the hurricanes and
identified privacy vulnerabilities in each. The panel's moderator,
Lillie Coney of EPIC, pointed out that evacuees were also subjected en
masse to background checks in the states in which they sought refuge,
and suggested that emergency data gathering of all sorts should be
subject to privacy safeguards.

A wide range of other topics were also covered in depth, including
electronic voting systems, voter databases, network neutrality, and the
effects that blogging has on political campaigns.

Official Website of Computers, Freedom, and Privacy 2006:


EPIC's Preemption Page:


EPIC's Video Surveillance Page:


EPIC's Identity Theft Resources for Katrina Victims:


[5] EPIC Welcomes New Board Members

EPIC  is expanding both its board of directors and the EPIC advisory
board. Professor Anita L. Allen and Professor Jerry Kang are the newest
members of the EPIC board of directors. EPIC also welcomes Steven
Aftergood, James Bamford, Philip Friedman, Chris Larsen, Dr. Deborah
Peel, and Professor Ronald Rivest to the EPIC advisory board.

"We are very pleased to welcome this distinguished group to EPIC," said
EPIC Executive Director Marc Rotenberg. "EPIC benefits from the insight
and expertise of the individuals associated with the organization.
EPIC's new board members and advisory members have national reputations
for their work on civil rights, open government, medical privacy,
consumer privacy, and computer security."

Incoming EPIC board chair Barbara Simons expressed the organization's
appreciation for outgoing EPIC chair Oscar Gandy. "Oscar has been a
great friend and great inspiration to all of us at EPIC. We will miss

About the new members of the EPIC Board of Directors:

Anita L. Allen is the Henry R. Silverman Professor of Law and Professor
of Philosophy at the University of Pennsylvania Law School. She is a
leading expert on privacy law and contemporary ethics,legal philosophy,
law and literature, women's rights, and race relations. Allen is the
author of "Why Privacy Isn't Everything: Feminist Reflections on
Personal Accountability" (2003); "Privacy Law: Cases and Materials"
(with R. Turkington, West 2002); "Uneasy Access: Privacy for Women in a
Free Society" (1988); and, "The New Ethics: A Guided Tour of the 21st
Century Moral Landscape" (2004). She is also a commentator for the MSNBC
program, The Ethical Edge and writes a monthly column on ethics for the
Newark Star Ledger. She is a graduate of Harvard Law School and received
her Ph.D. in philosophy from the University of Michigan.

Jerry Kang is Professor of Law at UCLA. He is the author of
"Communications Law & Policy: Cases and Materials" (Foundation 2005) and
the coauthor of "Race, Rights, and Reparation: The Law and the Japanese
Internment" (Aspen 2001). He is magna cum laude graduate of Harvard
College and of Harvard Law School. He clerked for Judge William Norris
on the Ninth Circuit Court of Appeals and then worked at the National
Telecommunications and Information Administration on cyberspace policy.
His interdisciplinary articles on cyberspace privacy, pervasive
computing, cyber-race, and mass media-induced implicit bias have
appeared in leading journals, such as the Stanford and Harvard Law

About the new members of the EPIC Advisory Board:

Steven Aftergood is a senior research analyst at the Federation of
American Scientists. He directs the FAS Project on Government Secrecy,
which works to reduce the scope of government secrecy, to accelerate the
declassification of cold war documents, and to promote reform of
official secrecy practices. He writes and edits the email newsletter
Secrecy News, which is read by more than 10,000 self-selected
subscribers in media, government and among the general public.

James Bamford is an author and journalist, and one of the leading
experts on the US intelligence agencies. His 1982 best seller "The
Puzzle Palace" was the first book to describe the inner workings of the
National Security Agency. His subsequent books "Body of Secrets" (2001)
and "A Pretext for War" (2004) have received widespread acclaim.
Throughout his career, Mr. Bamford has made effective use of the Freedom
of Information Act. He was formerly Washington Investigative Producer
for ABC's World News Tonight.

Philip Friedman is a leading consumer attorney in Washington, DC. His
cases have established important precedent concerning the legal remedies
available to consumers, and also provided significant financial support
for law school clinics and consumer advocacy organizations throughout
the Washington, DC area. Mr. Friedman is also a specialist in election
law. Mr. Friedman is admitted to practice in the District of Columbia,
Maryland and California. Mr. Friedman is also a member of the American
Trial Lawyers Association, Trial Lawyers for Public Justice, and the
National Association of Consumer Advocates.

Chris Larsen is the CEO and co-founder of Prosper, America's first
people-to-people lending marketplace. Prior to Prosper, Mr. Larsen
co-founded and served as Chairman and CEO of E-LOAN. Mr. Larsen has also
been a tireless champion for privacy rights nationally and in California
where he co-founded and financially backed Californians for Privacy Now
(CFPN). Mr. Larsen and CFPN led and supported grassroots efforts to
safeguard consumers' privacy, and played a critical role in pressing the
California state legislature to pass the strongest financial privacy law
in the nation.

Dr. Deborah Peel is the founder of Patient Privacy Rights, based in
Austin, Texas, and one of the leading advocates for medical privacy in
the United States. A practicing psychiatrist for 27 years, she
understands that people will avoid or refuse necessary medical treatment
if they think others can see or use their private and personal medical
records. She has provided testimony to Congressional committees on
genetic privacy and medical record privacy. She recently led a coalition
of 26 organizations across the political spectrum that urged Congress to
insure that patients control access to their medical records in all
electronic health systems.

Ronald L. Rivest is the Andrew and Erna Viterbi Professor of Electrical
Engineering and Computer Science in MIT's Department of Electrical
Engineering and Computer Science. Professor Rivest He is a member of
MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL), a
member of the lab's Theory of Computation Group and a founder of its
Cryptography and Information Security Group. He is also a founder of RSA
Data Security (now merged with Security Dynamics to form RSA Security)
and of Peppercoin. Professor Rivest has research interests in
cryptography, computer and network security, electronic voting, and

EPIC Board Members:


EPIC Advisory Board:


[6] News in Brief

Massachusetts High Court OKs Workplace Hidden Camera Surveillance

The Massachusetts Supreme Judicial Court recently held that a public
college employee who was videotaped changing clothes in a cubicle during
non-working hours had no expectation of privacy in that workspace.  Last
year, EPIC filed a "friend  of the court" brief in Nelson v. Salem State
College, a case  raising the question of whether a public employer can
conduct constant secret video surveillance of an employee.  EPIC's 
brief argued that society is prepared to recognize an expectation of
privacy in the workplace as reasonable.

The Opinion in Nelson v. Salem State College:


EPIC's Nelson v. Salem State College Page:


EPIC's Amicus Brief:


EPIC's Workplace Privacy Page:


New Hampshire Holds Off on REAL ID Rejection

The New Hampshire Senate voted 14-9 to create a study group analyzing
the pros and cons of implanting the REAL ID Act, rather than rejecting
the program outright, as the New Hampshire House of Representatives did.
New Hampshire had been chosen as the pilot state for the federal REAL ID
program, which mandates particular features to be built into state
drivers' licenses. The standardization process threatens to turn state
drivers' licenses into a de facto national ID card. The state-created
commission will report its findings in November.

Granite State ID:


New Hampshire CASPIAN:


EPIC's National ID Page:


New York Seeks to Expand DNA Collection

In New York, legislators are considering requiring everyone convicted of
felonies and misdemeanors, including youthful offenders convicted in
criminal court, to submit their DNA to a central database. Currently, 43
states require DNA samples from people convicted of all felonies, but
none require samples from those convicted of all misdemeanors. Last
year, EPIC filed a "friend of the court" brief that detailed significant
privacy and accuracy problems with DNA collections.

NY State's Proposed "All Felons DNA Database Act":


EPIC's Kohler v. Englade page:


Justice Department Wants AT&T Wiretap Suit Dismissed

The Department of Justice has intervened in a lawsuit brought by the
Electronic Frontier Foundation against AT&T, which claims that the
telecommunications company helped the National Security Agency operate
an unlawful electronic surveillance program.  The Justice Department
claims that it needs to be a party to the suit, and that it will ask the
court to dismiss the case.  The government agency claims that the
lawsuit risks revealing information that could harm antional security.

EFF's Website on the AT&T Lawsuit:


EPIC's Domestic Surveillance Resources:


[7] EPIC Bookstore: Herbert N. Foerstel's "Surveillance in the Stacks"

Herbert N. Foerstel's "Surveillance in the Stacks: the FBI's Library
Awareness Program" (Greenwood Press, 1991).


“Foerstel, himself one of the leaders in the effort to expose the FBI's
notorious `spies in the stacks' program, writes as a partisan of privacy
rights with a well-earned distrust of the FBI's efforts to excuse itself
from observing those rights. In fairness to the other side, however, he
also gives full play to the arguments for national security and for the
prevention of the flow of `sensitive' information into foreign hands. In
this extensively documented and thoroughly researched tale, he offers
many stories of the courage and fortitude of librarians opposed to this
program, from the jailing of Zoia Horn to the eloquent indignation of
Columbia University's Paula Kaufman and the tenacious probing of Jim
Schmidt and the American Library Association's Intellectual Freedom
Committee. Less happy is his picture of the heavily politicized National
Commission on Libraries and Information Science (NCLIS) and others who
have acquiesced to the spying. The chapters on the political
ramifications of the program and the legal context of library
confidentiality are also valuable--although it is possible to argue with
some of Foerstal's conclusions. But this illuminating, cautionary work
is bound to remain an authoritative source on a vitally important

--­Library Journal

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining,and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, sypware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $50.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
60 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2004 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Conference on Data Protection and Security: A Transnational Discussion.
International Association of Young Lawyers. May 5-6, 2006. Washington,
DC. For more information:

Call for papers for the CRCS Workshop 2006: Data Surveillance and
Privacy Protection. Center for Research on Computation and Society. June
3, 2006. Cambridge, Massachusetts. For more information:

RFID Application Domains and Emerging Trends. European Commission
Infomration Society. May 15-16, 2006. Brussels, Belgium. For more

RFID Security, Data Protection & Privacy, Health and Safety
Issues. European Commission Infomration Society. May 16-17, 2006.
Brussels, Belgium. For more information: 

Interoperability, standardisation, governance, and Intellectual Property
Rights. European Commission Infomration Society. June 1, 2006. Brussels,
Belgium. For more information: 

RFID Frequency spectrum: Requirements and Recommendations. European
Commission Infomration Society. June 2, 2006. Brussels, Belgium. For
more information: 

7th Annual Institute on Privacy Law: Evolving Laws and Practices in a
Security-Driven World. Practising Law Institute. June 5-6, San
Francisco, California. June 19-20, New York, New York. July 17-18,
Chicago, Illinois. Live webcast available. For more information:

Infosecurity New York. Reed Exhibitions. September 12-14, 2006. New
York, New York. For more information:

34th Research Conference on Communication, Information, and Internet
Policy. Telecommunications Policy Research Conference. September
29-October 1, 2006. Arlington, Virginia. For more information:

The IAPP Privacy Academy 2006. International Association of Privacy
Professionals. October 18-20, 2006. Toronto, Ontario, Canada. For more

International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November 1,
2006. Markham, Ontario, Canada. For more information:

BSR 2006 Annual Conference. Business for Social Responsibility. November
7-10, 2006. New York, New York. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.09 -------------------------