
                           E P I C  A l e r t
Volume 13.15                                               July 27, 2006

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] Courts, Congress Ponder NSA Surveillance Issues
[2] EPIC Testifies on WHOIS Privacy and Phishing
[3] House Committees Hold Joint Hearing on E-voting
[4] House Nears Vote on Data Breach Bill
[5] D.C. Council Approves Temporary Expansion of Camera Use
[6] News in Brief
[7] EPIC Bookstore: Yochai Benkler's "The Wealth of Networks"
[8] Upcoming Conferences and Events

[1] Courts, Congress Ponder NSA Surveillance Issues

The legal battles over two different warrantless surveillance programs
conducted by the NSA continue, with one private suit against AT&T
continuing in California and another being dismissed in Illinois. The
federal government has also sued the state of Missouri to prevent state
officials from investigating one of the NSA programs.

A federal district court judge in California allowed a suit against AT&T
to go forward, against the federal government's argument that the state
secrets privilege prevented the suit from being brought in the first
place. The lawsuit, brought on behalf of clients represented by the
Electronic Frontier Foundation, alleges that AT&T gave the government
access to its facilities to wiretap all of the calls and emails
traveling over AT&T's network. The judge held that the suit could
continue, noting that AT&T and the government had both disclosed
involvement in the clandestine surveillance program.

A federal judge in Illinois, however, dismissed a lawsuit challenging
AT&T's cooperation with the NSA in a related surveillance program. This
program allegedly resulted in the phone records of millions of Americans
being delivered to the NSA for data mining. The suit, brought by private
plaintiffs represented by the Illinois ACLU, was dismissed on the state
secrets doctrine.

The federal government also continues to block state investigations into
the NSA phone records program, with the Department of Justice suing the
Missouri Public Service Commission to keep it from investigating whether
telecommunications companies in their state turned over information to
the federal government in violation of law. In June, the Justice
Department sued the state of New Jersey to prevent the state attorney
general from conducting a similar investigation.

In May, EPIC wrote to Kevin Martin, chairman of the Federal
Communications Commission, and urged the FCC to undertake an
investigation into the various reports that customer information was
improperly disclosed to the NSA. The EPIC letter stated, "If
telecommunication carriers disclosed customer information to the NSA in
the manner described in press reports, then violations of section 222 of
the Communications Act have occurred."

However, if a law pending in Congress is enacted, all these various
legal disputes may be rendered irrelevant. Senator Arlen Specter,
Chairman of the Senate Judiciary Committee, has, with the backing of the
White House, proposed a bill that would allow warrantless surveillance
programs to continue subject to the approval of the secretive Foreign
Intelligence Surveillance Court. Specter's bill would allow the court to
approve entire surveillance programs. The court currently reviews
applications for foreign surveillance and wiretaps. In the period from
2001 to 2005, the government applied for 7,729 surveillance warrants
from the court. Of these, only four were denied.

Specter's bill has been severely criticized by civil liberties groups,
who say that it grants "Congressional authorization to the President's
unconstitutional conduct" and that it makes compliance with
well-established privacy safeguards "merely optional."

Order Denying the Government's Motion to Dismiss the EFF Suit (pdf):


Opinion Dismissing the Illinois Suit Against AT&T (pdf):


EPIC Letter to the FCC on Domestic Surveillance:


Senator Specter's Bill to Authorize Warrantless Domestic Surveillance:


Statement by Civil Liberties Groups Criticizing Specter Bill (pdf):


EPIC Resources on Domestic Surveillance:


[2] EPIC Testifies on WHOIS Privacy and Phishing

EPIC Executive Director Marc Rotenberg testified in support of new
privacy safeguards for the WHOIS database before a subcommittee of the
House Financial Services Committee. Currently anyone with an Internet
connection, including spammers, phishers, and stalkers, can access
information in the WHOIS database. Citing the growing risk of identity
theft, EPIC supported proposals to limit public access to personal

The WHOIS database contains the personal contact information of anyone
who registers a domain name. When a user decides to register a domain
name, he is usually asked for his name, address, email address, and
phone and fax numbers. The user must also provide the complete contact
information for a technical contact and an administrative contact.  In
the case of individuals or small organizations, the registrant himself
is often the administrative contact, providing his own home address and
telephone number. If a user does not provide his name or address, or
complete contact information for the technical and administrative
contacts, his domain name may be taken away. All of this information is
then published in the WHOIS database for anyone to access.

Rotenberg said, "This means that both the law enforcement agent with
legal authority to investigate crime and a person with the intent to
commit crime has the same access to the WHOIS database. This represents
a significant privacy and security risk for a domain name registrant."

While witnesses for the Department of Commerce and the financial
services companies argued for continuing unrestricted access to WHOIS
data, the witness for the Federal Trade Commission said that privacy
protection was necessary to protect consumers. Eileen Harrington, Deputy
Director of the Bureau of Consumer Protection, said, "The FTC, as the
primary enforcement agency for U.S. consumer privacy and data security
laws, is very concerned about protecting consumers' privacy. Thus, the
Commission has always recognized that registrants engaged in
non-commercial activity may require some privacy protection from public
access to their contact information, without compromising appropriate
real-time access by law enforcement agencies."

Rotenberg noted that the proposals to protect domain name owners'
personal information would not affect the ability of law enforcement to
access the database. There have been several cases of spammers and
fraudsters using the WHOIS database to target victims, including one of
the most prolific spammers in the United Kingdom.

A comprehensive review of privacy practices around the world, conducted
by EPIC, found that the current ICANN WHOIS data policy has "failed to
resolve the privacy risks faced by Internet users that result directly
from ICANN's own data practices."

House Financial Services Hearing on Phishing and the WHOIS Database:


EPIC's Testimony on WHOIS (pdf):




EPIC's Privacy and Human Rights 2004 Report on WHOIS:


Privacy and Human Rights 2005 Edition:


[3] House Committees Hold Joint Hearing on E-voting

The House Committee on Science and the Committee on Administration held
a joint hearing on the effectiveness of electronic voting machines. The
hearing investigated the changes made in federal law by the Help America
Vote Act (HAVA) to voting technology certification and voting technology
guidance given to states.

Witnesses for the hearing included Mary Kiffmeyer, the Secretary of
State of Minnesota and David Wagner, a computer science professor at the
University of California, Berkeley who advised the state of California
on securing electronic voting systems.  These witnesses agreed that the
current guidance to states recently released by the Election Assistance
Commission is not sufficient and that more needs to be done to protect
votes cast in public elections.

The National Committee for Voting Integrity also participated in the
hearing by providing a written statement, which recommended greater
security for e-voting systems. NCVI also criticized the guidelines' lack
of focus on auditing, saying that the current review process for
ensuring that e-voting systems properly count votes is insufficient.
NCVI also noted that the Commission's guidelines, despite warning that
the use of wireless technology is risky, still provide recommendations
for implementing wireless technology in voting machines.

In related news, the National Research Council recently issued its
"Letter Report on Electronic Voting." The report indicated that many
jurisdictions may be unprepared for the 2006 general elections in
November. The report also emphasized the need for improved security,
transparency in vendor certification, and auditability of cast ballots.

Joint Hearing of the House Science and Administration Committees on
Electronic Voting:


NCVI Statement for the Hearing (pdf):


Text of the Help America Vote Act:


National Research Council Report on Electronic Voting:


EPIC Voting Page:


[4] House Nears Vote on Data Breach Bill

The House Financial Services Committee is pressing for a floor vote on
its version of a data breach bill, despite the concerns of state law
enforcement and consumer groups. State attorneys general have urged
Congress to pass a bill that preserves state protections and state
enforcement, while the Financial Services bill preempts state law. The
bill also drew harsh criticisms from a coalition of consumer groups, who
said that existing state laws are more effective at protecting

In a letter to House leadership signed by 48 state attorneys general,
the National Association of Attorneys General asked Congress to pass
data breach bills that would allow for states to retain their own 
consumer protections and also let state law enforcement supplement
federal enforcement efforts. The state officials also urged Congress to
pass a law that required breached companies to notify users in all
cases, not merely those that the company felt created a particular risk
of identity theft. The bill, however, does not allow for state
enforcement and requires that a breached entity find it "reasonably
likely" that breached data could be used to commit identity theft.

Consumer groups have heavily criticized the Financial Services bill as
lacking, stating that it actually made it more likely that companies who
have lost consumer data will be able to hide the breaches from
consumers. A coalition of consumer groups has issued a statement calling
the bill's notification policy a "don't know, don't tell" system. The
groups also criticized the bill's preemption of state law, saying that
it "does nothing for consumers and rolls back existing state consumer
protection laws."

A number of federal data breach bills have been proposed in Congress
this year, though few have implemented all of the proposals urged by
state governments and consumer groups. At least 33 states already have
data breach notification laws.

H.R. 3997, the Financial Data Protection Act:


Statement by Consumer Groups on the Financial Services Bill (pdf):


Statement by State Attorneys General on Data Breach Bills (pdf):


US PIRG's List of State Data Breach and Credit Freeze Laws:


EPIC's Data Brokers Page:


[5] D.C. Council Approves Temporary Expansion of Camera Use 

The D.C. Council agreed last week to install 23 surveillance cameras in
residential neighborhoods for the first time. This action, along with an
earlier curfew and police access to confidential juvenile information,
was taken in response to a proposal from Mayor Anthony Williams for
emergency legislation.

EPIC, the ACLU-National Capital Area and the Justice 4 D.C. Youth
Coalition were among the groups that protested in front of D.C. Council
headquarters against the measures. EPIC has repeatedly warned the
Council that the use of closed circuit television systems (CCTV) is
ineffective and prone to abuse. Studies have shown that it is more
effective to place more officers on the streets and improve lighting in
high-crime areas than to use CCTV, and that black males are
disproportionately scrutinized when camera surveillance systems are

The D.C. Metropolitan Police Department (MPD) currently has a wireless
network of 19 cameras mounted on the rooftops of various buildings
throughout the city at strategic vantage points such as the Smithsonian
Institution Castle, Dupont Circle, Union Station, and outside the city
in Arlington, Va. The cameras feed into the MPD's Joint Operations
Command Center, located at police headquarters.

The cameras are only turned on during major events and emergencies,
which is an important limitation that many other cities do not have.
Also important in protecting privacy are the city's policies governing
the use of the camera systems. They limit the time the data can be
retained. The new legislation changes this limited, specialized
surveillance of major events and emergencies into 24-hour surveillance
of daily life in D.C. neighborhoods. Cameras can range in price from
$40,000 to $100,000 each, and D.C. will spend $2.3 million to buy 23

Mayoral candidate and Ward 4 representative Adrian Fenty was the only
Council member to vote against the bill. He pointed out that not one
part of the emergency legislation was new; each proposal had been
rejected by the Council in previous sessions. Mayor Williams had
proposed an expansion of CCTV in April, but the Council did not approve
it. The measures will be in force for 90 days. The Council has scheduled
an October hearing to review use of surveillance cameras.

EPIC's Comments to the D.C. Council on the April CCTV proposal (pdf):


EPIC's December 2005 Spotlight on Surveillance about D.C.'s CCTV system:


D.C. Council Home Page:


The Observing Surveillance Project:


EPIC's Video Surveillance page:


[6] News in Brief

Homeland Security Selects New Privacy Officer 

The Department of Homeland Security chose its associate general counsel,
Hugo Teufel III, as its new chief privacy officer. He will replace
acting privacy officer Maureen Cooney, who resigned on July 17th. Cooney
had replaced Nuala O'Connor Kelly, who resigned from the position in
September 2005 to become chief privacy officer at General Electric.
Privacy advocates questioned the appointment, citing Teufel's lack of

Homeland Security Press Release Announcing Teufel's Appointment:


House Bill Would Protect SSN Privacy

A bill giving the Federal Trade Commission the power to prohibit sales
of Social Security Numbers was approved by the House Energy and Commerce
Committee. The Social Security Number Protection Act, sponsored by
Representative Ed Markey, was first introduced in 2000, in response to
the stalking and murder of Amy Boyer, whose killer was able to locate a
wider variety of information about her after first purchasing her Social
Security number online. Social Security numbers, improperly used as a
means of identification by many businesses, also act as a key for
identity thieves to access their victims' information.

Text of H.R. 1078, the Social Security Number Protection Act:


Indian Authorities Censor Blogs 

Thousands of blogs were rendered inaccessible in India for a period of 
several days. Entire domains, including blogspot.com and typepad.com,
each of which hosts thousands of blogs, were rendered inaccessible. The
Indian Department of Telecommunications issued a press release stating
that the censorship was targeted only at 17 particular websites, and
that the overblocking was the fault of Internet service providers.

Government Press Release on Blog Censorship:


National Database to Track College Students Proposed

In June, the Department of Education released a draft report endorsing a
controversial proposal to create a federal database of college student
records. The proposal would, in contrast to existing systems, contain
individually identifiable information on particular students. The
proposal was heavily criticized by colleges and universities, who
objected to the individualized tracking of their students. The
Department of Education justified the proposal, saying it wished to have
better statistics on part-time, transfer, or other nontraditional

Initial Version of the Department of Education's Draft Report (see pages
17 and 22) (pdf):


Latest Version of the Department of Education's Draft Report (see page
11) (pdf):


Amnesty International Releases Report on Tech Companies in China

Amnesty International has released a report condemning Internet
companies for collaborating with the Chinese government in suppressing
free speech. Focusing on the actions of Yahoo, Microsoft, and Google,
the report makes specific recommendations as to how Internet companies
operating in China might work to protect free speech and human rights
while doing business in the country. Yahoo has reportedly turned over
information on dissidents using its services to authorities, while
Microsoft and Google have respectively censored blogs and search results
that are critical of the Chinese government.

Amnesty International Report on Tech Companies in China (pdf):


[7] EPIC Bookstore: Yochai Benkler's "The Wealth of Networks"

The Wealth of Networks: How Social Production Transforms Markets and
Freedom. Yochai Benkler. Yale University Press, 2006.


"With the radical changes in information production that the Internet
has introduced, we stand at an important moment of transition, says
Yochai Benkler in this thought-provoking book. The phenomenon he
describes as social production is reshaping markets, while at the same
time offering new opportunities to enhance individual freedom, cultural
diversity, political discourse, and justice. But these results are by no
means inevitable: a systematic campaign to protect the entrenched
industrial information economy of the last century threatens the promise
of today's emerging networked information environment.

In this comprehensive social theory of the Internet and the networked
information economy, Benkler describes how patterns of information,
knowledge, and cultural production are changing, and shows that the way
information and knowledge are made available can either limit or enlarge
the ways people can create and express themselves. He describes the
range of legal and policy choices that confront us and maintains that
there is much to be gained, or lost, by the decisions we make today."


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining, and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

7th Annual Institute on Privacy Law: Evolving Laws and Practices in a
Security-Driven World. Practising Law Institute. June 19-20, New York,
New York. July 17-18, Chicago, Illinois. Live webcast available. For
more information:

identitymashup: Who Controls and Protects the Digital Me? Berkman Center
for Internet & Society, Harvard Law School. June 19-21, 2006. Cambridge,
Massachusetts. For more information:

Call for papers for Identity and Identification in a Networked World.
Submissions due by July 5. New York University. Symposium on September
29-30, 2006. New York, New York. For more information:

Infosecurity New York. Reed Exhibitions. September 12-14, 2006. New
York, New York. For more information:

34th Research Conference on Communication, Information, and Internet
Policy. Telecommunications Policy Research Conference. September
29-October 1, 2006. Arlington, Virginia. For more information:

6th Annual Future of Music Policy Summit. Future of Music Coalition.
October 5-7, 2006. Montreal, Canada. For more information:

The IAPP Privacy Academy 2006. International Association of Privacy
Professionals. October 18-20, 2006. Toronto, Ontario, Canada. For more

International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November 1,
2006. Markham, Ontario, Canada. For more information:

BSR 2006 Annual Conference. Business for Social Responsibility. November
7-10, 2006. New York, New York. For more information:

CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.15 -------------------------