                           E P I C  A l e r t
Volume 13.11                                                June 2, 2006

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] Coalition Calls for HIPAA Compliance Review of Veterans Affairs
[2] European Court Blocks Passenger Data Transfer
[3] Supreme Court Rules Against Whistleblower
[4] EPIC Urges Privacy Safeguards for Traveler Database
[5] Gen. Michael Hayden Sworn in as CIA Director
[6] News in Brief
[7] EPIC Bookstore: Goldsmith and Wu: "Who Controls the Internet?"
[8] Upcoming Conferences and Events

[1] Coalition Calls for HIPAA Compliance Review of Veterans Affairs

Thirty organizations participating in the Consumer Coalition for Health
Privacy yesterday asked U.S. Department of Health and Human Services
Secretary Mike Leavitt to undertake a compliance review of the U.S.
Department of Veterans Affairs pursuant to the authority granted him by
the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Medical diagnostic codes and disability rating information about an
undisclosed number of disabled veterans were stolen last month from the
home of a VA employee along with 26.5 million veterans' names, birth
dates and Social Security numbers.

"Secretary Leavitt should do everything he can to ensure the privacy and
security of protected health and other highly sensitive information held
by the VA," according to Paul Feldman, Deputy Director of the Health
Privacy Project. "Ordering a HIPAA compliance review is a prudent step
the Secretary is authorized to take which will encourage better from the
VA in the future and will help assure veterans that our government takes
seriously the protection of their personal information. I hope the HHS
Office for Civil Rights will proceed with this review with all due

Earlier in May, a VA employee's home was burglarized.  Among the items
taken was an agency laptop the employee had brought home, containing
the health records of some 26.5 million veterans. Although the laptop
was stolen on May 3, officials were not notified of the breach until a
week later, with the public learning of the disclosure first on May 22. 
The analyst who took the data home has since been fired, and his
supervisor has resigned.

The breach likely violated the Standards for Privacy of Individually
Identifiable Health Information ("Privacy Rule") and the Security
Standards for the Protection of Electronic Protected Health Information
("Security Standards"), which were implemented under HIPAA. The rules
require that medical providers protect the security of health
information and keep it from being disclosed improperly.  While the
government has the ability to assess whether the VA may be liable under
civil or criminal law, individuals harmed do not have a private right of
action under HIPAA.

Coalition Letter to Health and Human Services:


Consumer Coalition for Health Privacy Home Page:


EPIC's Medical Privacy page:


[2] European Court Blocks Passenger Data Transfer

The European Court of Justice ruled that the 2004 airline passenger data
transfer agreement between the U.S. Department of Homeland Security and
the European Union is to be voided after September 30, 2006. The Court
held that the agreement was illegal because it exceeded the scope of the
EU 1995 Directive on data protection.

After the terrorist attacks of September 11, 2001, airlines entering the
United States were asked to provide the U.S. government with data on
their passengers. However, such transfers of personal data potentially
ran afoul of European law.  The European Commission thus attempted to
justify the data transfers under the 1995 Directive, which regulates the
processing of personal data. In May of 2004, the EU officially entered
into the data-sharing agreement with the U.S.

However, the European Parliament challenged the agreement in the
European Court of Justice. The court's decision invalidated the
agreement, not because of particular defects in the handling of
information, but on the grounds that the data transfers were not being
processed for economic reasons, but for security purposes.

Privacy International describes the holding as a "pyrrhic victory"
because the Court ruled on the basis of legal authority, and did not
address the privacy implications of the transfer of the personal data to
the U.S. The European Data Protection Supervisor is concerned that the
ruling has created a loophole because it is now uncertain whether or not
the 1995 Directive provides any protection at all to data collected for
commercial reasons but used for police matters.

U.S. and European negotiators will likely need to develop a new legal
framework if the transfer of information on European citizens to the
United States government continues.

EPIC's Page on EU-US Airline Passenger Data Disclosures:


Ruling of the European Court of Justice:


Text of the EU-US Agreement (pdf):


EPIC's Privacy Law Sourcebook (containing the text of the EU Data Directive):


Privacy International Statement on the Ruling:


[3] Supreme Court Rules Against Whistleblower

In a 5-4 decision, the Supreme Court held that public employees'
statements, if made in the course of the job, are not protected by the
First Amendment, and that an employer can retaliate against employees
for making them.

Richard Ceballos was a deputy district attorney in Los Angeles when he
recommended to his superiors that they dismiss a case based upon a
faulty warrant.  After his superiors decided to proceed with the
prosecution despite Ceballos's concerns, Ceballos testified for defense
counsel in a challenge to the warrant.

Ceballos claimed that after this testimony, the District Attorney's
office retaliated against him by reassigning him, transferring him, and
denying him a promotion.  Ultimately, Ceballos sued, alleging that the
office had retaliated against him for exercising his First Amendment
rights, contrary to a line of Supreme Court cases that protected
employees who spoke out publicly against perceived injustices at their
public workplaces. However, the Supreme Court ruled against Ceballos,
holding that, since Ceballos's speech was made in the course of his

"Restricting speech that owes its existence to a public employee's
professional responsibilities does not infringe any liberties the
employee might have enjoyed as a private citizen," the Court said in an
opinion authored by Justice Kennedy. Restricting speech, the opinion
said, "simply reflects the exercise of employer control over what the
employer itself has commissioned or created."

Justice Souter, in a dissent joined by justices Stevens and Ginsburg,
stated that "this is an odd place to draw a distinction," and that it
could lead to employees who are most qualified to speak out on a subject
being deprived of First Amendment protections. The majority opinion
argues that such a rule will encourage public employers to maintain
robust and easy-to-use internal grievance procedures, lest their
employees report wrongdoing to the press instead.

However, if employees whose jobs include investigating and reporting
wrongdoing within a public employer (such as an inspector general or an
ombudsman) have no First Amendment protections for their speech, their
incentives for criticizing their employers and institutions could be
reduced, with negative effects on oversight.

Opinion in Garcetti v. Ceballos (pdf):


Amicus brief of the Government Accountability Project (pdf):


EPIC's Free Speech Page:


[4] EPIC Urges Privacy Safeguards for Traveler Database

In comments to Customs and Border Protection, EPIC urged the agency not
to exempt a vast database from legal requirements that protect privacy
and promote government accountability. The Global Enrollment System
would include employment history and biometric data, and it would cover
all individuals who "apply to use any form of automated or other
expedited inspection for verifying eligibility to cross the borders into
the United States."

Among many possible activities, the agency would use this system to
determine which travelers are "low-risk" and eligible for the "Trusted
Traveler" program. CBP seeks to exempt the Global Enrollment system from
provisions of the Privacy Act of 1974 that create judicially enforceable
rights of access and correction, and replace the Privacy Act provision
with a weak administrative right of access and redress. For redress, a
person must write to CBP Customer Satisfaction Unit in the Office of
Field Operations or the Homeland Security Director for Departmental
Disclosure and Freedom of Information Act. EPIC warned that the absence
of effective redress procedures would leave many travelers improperly
designated as "high-risk," and they would be subject to stricter
screening procedures.

This "Trusted Traveler" system also creates a substantial security risk,
as it divides travelers into categories whose criteria can be learned
and exploited. The program creates two classes of travelers: trusted and
not trusted. But, as security expert Bruce Schneier has explained, this
could also create a third category: "bad guys with the card." Criminals
could choose applicants without previous links to terrorism, who could
pass the background checks, to commit their crimes. Nor are such
candidates necessarily rare. For example, neither Oklahoma City bomber
Timothy McVeigh nor Unabomber Ted Kaczynski had previous ties to
terrorism, Schneier said.

EPIC detailed a number of approaches to this problem, none of which are
considered by the CBP in its proposed expansion of the Global Enrollment
System. First, the best procedure may be to subject all travelers to the
security screening that would be required for a suspicious traveler.
Second, if the Trusted Traveler program is adopted, it may be necessary
to include random security screenings even for those passengers who have
been designated "low-risk" travelers so that those who obtain such a
designation but intend harm will still be at risk of more thorough
security screening. Third, as EPIC has previously recommended, the best
approach may be to focus on security techniques that are intended to
detect devices and other materials that may threaten air travel safety
rather than profiling techniques that attempt to divine the intent of

The Global Enrollment System also has a strong risk of "mission creep,"
EPIC said. "Trusted Traveler" applicants must submit a substantial
amount of personally identifiable information, which could be used for
reasons other than the original security purposes for which the data was
gathered or volunteered. CBP has identified seven categories of "routine
uses" of personal data that would be collected and maintained in the
program's system of records. These routine uses are so broad as to be
meaningless, allowing for potential disclosure to virtually any
government agency worldwide for a vast array of actual or "potential"
undefined violations.

EPIC's Comments About the Global Enrollment System (pdf):


EPIC's Passenger Profiling Page:


More Analysis by Bruce Schneier of "Trusted Traveler" Programs:


[5] Gen. Michael Hayden Sworn in as CIA Director

Air Force Gen. Michael Hayden was sworn in as the new Director of the
Central Intelligence Agency earlier this week, a few days after the
Senate voted 78-15 to confirm him. For the last year, Hayden has served
as National Intelligence Director John Negroponte's top deputy. But
Hayden previously headed the National Security Agency and oversaw two
domestic surveillance programs recently revealed in newspaper reports.

Earlier this month, USA Today revealed that the phone call records of
tens of millions of Americans are being secretly collected by the NSA.
This is the second secret NSA domestic spying program revealed in the
last six months. In December, the New York Times revealed that President
Bush secretly issued an executive order in 2002 that authorized NSA to
conduct warrantless surveillance of international telephone and Internet
communications on American soil. Both programs are of dubious legality.

The USA Today report contradicts statements made by the White House and
Hayden that the domestic surveillance program was "highly targeted" and
directed only to "international communications." Hayden had defended the
surveillance program by saying that the privacy of Americans was
protected and suggesting that the government was not eavesdropping on
Americans without warrants. Hayden faced questions about the programs at
his confirmation hearings. Hayden was asked to reconcile his comments
with news reports, and Sen. Ron Wyden accused Hayden of making
contradictory or misleading statements.

Legislators also rejected Hayden's assurances that Congress had been
adequately briefed about the warrantless domestic surveillance programs.
Hayden said there were 13 briefings to eight congressional leaders from
both parties. Shortly before the hearings began, the administration
briefed all members of the Senate and House intelligence committees.
Sen. Olympia Snowe said that was too late. "I happen to believe that
with the programs in question, that the Congress was really, never
really consulted or informed in a manner that we could truly perform our
oversight role as co-equal branches of government," Snowe said.

Though legislators questioned Hayden about the programs, little has been
revealed publicly. When pressed for more information, Hayden repeatedly
said he would answer their questions in closed session, stating that the
information was classified.

EPIC Resources on Domestic Surveillance:


Senate Intelligence Committee Confirmation Hearing of General Michael
Hayden to be Director of the CIA:


President Bush's Remarks at Hayden's Swearing-In:


[6] News in Brief

Justice Department Presses for Internet Data Retention

The U.S. Department of Justice is pressing for Internet service
providers to store customer records and allow law enforcement to search
them for evidence of child pornography or terrorism. Although details of
the plan have not been finalized, the proposal would likely require
providers to store data for at least two years. The data would likely
include lists of web sites visited, email addresses contacted, and may
include search terms or instant messenger contacts. Attorney General
Alberto Gonzales and FBI Director Robert Mueller have organized a task
force to research the program.

EPIC's Data Retention Page:


In the 1990s, NSA Developed Privacy-Friendly Data-Gathering Program

According to the Baltimore Sun, the National Security Agency developed a
pilot program in the late 1990s that would have enabled it to gather and
analyze telephone and Internet communications data without violating
federal privacy laws. The NSA ended the program after the Sept. 11, 2001
attacks, in part because of President Bush's secret order expanding the
agency's surveillance power. One privacy protection of the pilot
program, called ThinThread, was an automated auditing system to prevent
misuse or abuse of the data by analysts.

EPIC's Resources on Domestic Surveillance:


Attorney General Hints at Prosecuting Reporters Over NSA Story

U.S. Attorney General Alberto Gonzales said last week that he believed
there are federal laws that would allow the government to prosecute the
New York Times reporters who revealed a secret National Security Agency
eavesdropping program. After the story was published, President Bush
acknowledged that he secretly issued an executive order in 2002 that
authorized the NSA to conduct warrantless surveillance of international
telephone and Internet communications on American soil. He was referring
to espionage laws that, in some circumstances, ban the possession and
publication of certain classified data concerning national defense and
"communications intelligence activities."

EPIC's Resources on Domestic Surveillance:


Canadian Privacy Commissioner Releases Annual Report

The Office of the Canadian Privacy Commissioner issued its annual report
to parliament on the implementation of the Personal Information
Protection and Electronic Documents Act (PIPEDA).  The report summarizes
legislative trends and a variety of PIPEDA complaints made to the
Commissioner's Office. The report also contains a review of the use of
radio frequency identification (RFID) devices within Canada,
highlighting the need for awareness and guidance in the use of this
potentially privacy-invasive technology.

Text of the Annual Report:


Office of the Privacy Commissioner:


Brennan Center Issues Internet Filtering Report

The Brennan Center for Justice at New York University School of Law has
issued an updated report on the effect of Internet filters on public
policy. The analysis of over 100 tests and studies through 2006 debunks
the notion that filters have gotten more accurate, and suggests that
policies requiring such filters be reexamined. The report adds valuable
new data and discussion to earlier reports on the impact of Internet
filters on free speech.

Internet Filters: a Public Policy Report:


EPIC's "Filters and Freedom 2.0: Free Speech Perspectives on Internet
Content Controls":


[7] EPIC Bookstore: Goldsmith and Wu: "Who Controls the Internet?"

Jack Goldsmith and Tim Wu. "Who Controls the Internet? Illusions of a
Borderless World." Oxford University Press, 2006.


"Is the Internet erasing national borders? Will the future of the Net be
set by Internet engineers, rogue programmers, the United Nations, or
powerful countries? Who's really in control of what's happening on the
Net? In this provocative new book, Jack Goldsmith and Tim Wu tell the
fascinating story of the Internet's challenge to governmental rule in
the 1990s, and the ensuing battles with governments around the world.
It's a book about the fate of one idea: that the Internet might liberate
us forever from government, borders, and even our physical selves. We
learn of Google's struggles with the French government and Yahoo's
capitulation to the Chinese regime; of how the European Union sets
privacy standards on the Net for the entire world; and of eBay's
struggles with fraud and how it slowly learned to trust the FBI. In a
decade of events the original vision is uprooted, as governments time
and time again assert their power to direct the future of the Internet.
The destiny of the Internet over the next decades, argue Goldsmith and
Wu, will reflect the interests of powerful nations and the conflicts
within and between them. While acknowledging the many attractions of the
earliest visions of the Internet, the authors describe the new order,
speaking to both its surprising virtues and unavoidable vices. Far
from destroying the Internet, the experience of the last decade has led
to a quiet rediscovery of some of the oldest functions and
justifications for territorial government. While territorial governments
have unavoidable problems, it has proven hard to replace what legitimacy
governments have, and harder yet to replace the system of rule of law
that controls the unchecked evils of anarchy. While the Net will change
some of the ways that territorial states govern, it will not diminish
the oldest and most fundamental roles of government and challenges of

Well written and filled with fascinating examples, including colorful
portraits of many key players in Internet history, this is a work that
is bound to stir heated debate in the cyberspace community."

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining, and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2004: An International Survey of Privacy Laws
and Developments" (EPIC 2004). Price: $50.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
60 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2004 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

RFID Frequency spectrum: Requirements and Recommendations. European
Commission Information Society. June 2, 2006. Brussels, Belgium. For
more information: 

Call for papers for the CRCS Workshop 2006: Data Surveillance and
Privacy Protection. Center for Research on Computation and Society. June
3, 2006. Cambridge, Massachusetts. For more information:

7th Annual Institute on Privacy Law: Evolving Laws and Practices in a
Security-Driven World. Practising Law Institute. June 5-6, San
Francisco, California. June 19-20, New York, New York. July 17-18,
Chicago, Illinois. Live webcast available. For more information:

Canadian Biometric ID Documents: a Public Forum. University of Toronto.
June 15, 2006. Toronto, Ontario, Canada. For more information:

identitymashup: Who Controls and Protects the Digital Me? Berkman Center
for Internet & Society, Harvard Law School. June 19-21, 2006. Cambridge,
Massachusetts. For more information:

Call for papers for Identity and Identification in a Networked World.
Submissions due by July 5. New York University. Symposium on September
29-30, 2006. New York, New York. For more information:

Infosecurity New York. Reed Exhibitions. September 12-14, 2006. New
York, New York. For more information:

34th Research Conference on Communication, Information, and Internet
Policy. Telecommunications Policy Research Conference. September
29-October 1, 2006. Arlington, Virginia. For more information:

6th Annual Future of Music Policy Summit. Future of Music Coalition.
October 5-7, 2006. Montreal, Canada. For more information:

The IAPP Privacy Academy 2006. International Association of Privacy
Professionals. October 18-20, 2006. Toronto, Ontario, Canada. For more

International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November 1,
2006. Markham, Ontario, Canada. For more information:

BSR 2006 Annual Conference. Business for Social Responsibility. November
7-10, 2006. New York, New York. For more information:

CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.11 -------------------------