
                           E P I C  A l e r t
Volume 13.20                                            October 6, 2006

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.

Table of Contents
[1] Coalition Urges Congress to Investigate NSA Domestic Spying Program
[2] Belgian Officials Challenge U.S. Datamining Program
[3] U.S. and Europe Fail to Reach New Accord on Passenger Data
[4] EPIC, ACLU Hold Forum on ID Theft and Database Security
[5] EPIC Reminds Homeland Security to Publish Annual Privacy Report
[6] News in Brief
[7] EPIC Bookstore: Reconstructing the Fourth Amendment
[8] Upcoming Conferences and Events

[1] Coalition Urges Congress to Investigate NSA Domestic Spying Program

As the House Energy and Commerce Committee held hearings last week on
the Hewlett-Packard pretexting scandal, almost 40 organizations
(including EPIC, the American Library Association, the Liberty
Coalition, Republican Liberty Caucus, and People for the American Way)
in a joint statement urged the committee to "show the same level of
interest in the NSA spying as you have shown in the investigation of the
Hewlett-Packard matter." The committee grilled Hewlett-Packard
executives for almost 8 hours, but the committee has yet to hold a
hearing on the National Security Agency's demand to US phone companies
for call records of Americans.

"The actions of Hewlett Packard executives, although egregious, pale in
comparison to the violation of the privacy rights of tens of millions of
American consumers that should be safeguarded by federal law within the
jurisdiction of the Committee," the organizations said. To date,
government officials have refused to give details about the program,
saying such disclosures could harm national security. However, news
reports indicate that the program is operating outside the bounds set by
the Foreign Intelligence Surveillance Act, which was passed to establish
a legal basis for foreign intelligence surveillance within the United

In the NSA program, the agency is gathering communications records for a
massive database so that it can analyze calling patterns as it tries to
find terrorist activity. According to newspaper reports, AT&T, SBC,
Verizon, and BellSouth handed over the data even though the government
did not have warrants. (BellSouth and Verizon have since denied
cooperating with the program.) Qwest refused to give its customers' data
to the government, because the government did not have warrants and
refused to have either the Foreign Intelligence Surveillance Court or
the U.S. Attorney General's office evaluate the legality of the program.

The joint statement follows an earlier EPIC request to FCC Chairman
Kevin Martin, which stated, "If telecommunications carriers disclosed
customer information to the NSA in the manner described in press
reports, then violations of section 222 of the Communications Act have

The Joint Statement to the House Energy and Commerce Committee (pdf):


EPIC's Request to FCC Chairman Kevin Martin (pdf):


EPIC's Page on Domestic Surveillance:


EPIC's Page on Pretexting:


[2] Belgian Officials Challenge U.S. Datamining Program

The Belgium Privacy Commission has found that SWIFT did not obey Belgian
law when it transferred vast amounts of financial data to the U.S.
Treasury Department. The secret financial surveillance program was
revealed in June and is under investigation in several countries for
possible violations of privacy laws.

In the program, begun shortly after the Sept. 11, 2001 attacks, the
Treasury Department uses broad, secret administrative subpoenas to
gather vast amounts of information from Belgium-based SWIFT, which
routes financial data among 7,800 financial institutions in more than
200 countries. These administrative subpoenas are not reviewed by any
judicial authority; the only review is by a high-level Treasury
Department official. Stuart Levey, Treasury's Undersecretary for
Terrorism and Financial Intelligence, said the SWIFT database has been
searched "tens of thousands" of times since the program began five years

In announcing the Commission's report, Belgian Prime Minister Guy
Verhofstadt said, "From the very beginning, SWIFT should have been aware
that fundamental European laws should also be respected." The Belgium
Privacy Commission found that SWIFT "made some substantial errors of
judgment in complying with the American subpoenas." The Commission said,
"SWIFT should have complied with its obligations under the Belgian
privacy law, amongst which the notification of the processing, the
information, and the obligation to comply with the rules concerning
personal data transfer to countries outside the EU." 

Many have questioned the legality of the program under international
data protection laws. Civil liberties advocacy organization Privacy
International filed complaints with data protection and privacy
officials in 33 countries, calling the massive operation "a fishing
exercise rather than legally authorised investigation." The Data
Protection Commission for the German Lander of Schleswig-Holstein has
analyzed the US-SWIFT data transfers and concludes that the program
violates German and European data protection law. The Commission says
SWIFT should cease processing or retaining any data on intra-European
Union transactions in the U.S. The Privacy Commissioner of Canada also
is investigating the legality of the program under Canadian data
protection laws.

The EU Article 29 Data Protection Working Party is also investigating
the financial data surveillance program. The Working Party has expressed
"immediate concerns about the lack of transparency which has surrounded
these arrangements." A report is expected soon, which Peter Schaar, Data
Privacy Commissioner of Germany and head of the Working Party, said he
expected would conclude that the program might violate European law
restricting government access to confidential banking records. The
report is expected to recommend that additional safeguards be put in
place to check how financial records are shared with American
intelligence officials.

Belgium Data Privacy Commission: Summary of the opinion on the transfer
of personal data by SCRL SWIFT following the UST (OFAC) subpoenas
(unofficial English translation) (pdf):


Privacy International Press Release Describing Complaints:


European Union Data Protection Laws:


EPIC's Spotlight on Surveillance on the SWIFT Program:


[3] U.S. and Europe Fail to Reach New Accord on Passenger Data

The European Union and the United States are in a legal vacuum four
months after the European Court of Justice (ECJ) struck down a passenger
name record deal that allowed the transfer of personal information on
European travelers to the U.S. government, as no accord was struck by
the court-appointed deadline of September 30.

Under the previous agreement, which had been in place since May 2004,
passenger name records (PNRs) on travelers from Europe were transmitted
to the U.S. Department of Homeland Security within 15 minutes of a
flight's departure. PNRs are data held by air carriers and travel agents
collected during booking, and can include passenger travel dates, home
and work addresses, payment details, members of the party and meal
preferences. The minimum amount required for a travel booking is a name,
contact information, and itinerary.

Since the ECJ ruled in May that the agreement was illegal because it
exceeded the scope of the 1995 EU Directive on data protection, the two
sides have been engaged in high-level negotiations over the terms of a
new accord. The Department of Homeland Security seeks increased access
to the passenger name records, including the right to share passenger
data with other U.S. government agencies. The European Union delegation
is concerned that such use of citizens' data will violate European
privacy laws. Washington has warned that if airlines do not disclose the
information, they may be subject to fines of $6,000 per passenger and
loss of landing rights. Conversely, European airlines face lawsuits by
European citizens for violating European privacy laws if the data is
disclosed to the U.S. without a new agreement. Officials say
negotiations will continue.

Last month, the Transatlantic Consumer Dialogue (TACD), a coalition of
US and EU consumer groups, wrote to US and EU officials, urging them to
include privacy safeguards in air passenger data sharing agreements.
The consumer groups request that officials considering PNR sharing abide
by three criteria. First, the agreement must respect the May 2006
European Court of Justice decision that PNR sharing agreements must have
an adequate legal basis and be respectful of U.S. and EU privacy laws.
Second, the U.S. and EU must conduct a study comparing the effectiveness
of passenger profiling with other safety techniques. Third, the groups
held that an annual report of PNR sharing must be published.

Ruling of the European Court of Justice:


Text of the EU-US Agreement (pdf):


EPIC's Privacy Law Sourcebook (containing the text of the EU Data


Text of TACD letter:


EPIC's Page on EU-US Airline Passenger Data Disclosures:


[4] EPIC, ACLU Hold Forum on ID Theft and Database Security

EPIC, the ACLU of Southern California and Occidental College held a
forum on identity theft and database security in Los Angeles on
September 21. The panelists discussed how to protect privacy and reduce
the risk of identity theft in the era of the Real ID Act, which mandates
federal identification standards for state driver's licenses and ID
cards, and requires state DMVs to collect sensitive personal
information in a massive database, accessible by DMVs in every state.

At the forum, Malek Moazzam Doulat, adjunct professor of religious
studies at Occidental College, moderated a discussion about the
implications of database security upon identity theft. California
Assemblyman Dario Frommer discussed his personal experience as an
identity theft victim. A representative of the Los Angeles District
Attorney's Office on Identity Theft explained the many ways that thieves
exploit weaknesses in database security and the security of documents
such as bank and health records to steal sensitive personal information.

Melissa Ngo, staff counsel and director of EPIC's Identification and
Surveillance Project, explained that the compilation of sensitive
personal data in large databases creates a tempting target for identity
thieves. Sometimes the thieves hack into systems, but because of large
databases in the government and companies, it is easy to buy financial
and biographical data of many Americans. For instance, last year, data
broker ChoicePoint revealed that it had sold the personal information on
145,000 Americans to identity thieves. Fidelity Bank was able to buy DMV
data on 565,000 people from the State of Florida. The physical security
of these large databases is questionable, as well. This summer, a
burglary at the home of an analyst in the Veterans Administration put at
risk the information of 26.5 million veterans, active-duty troops and
their families.

Ramona Ripston, Executive Director of the ACLU of Southern California,
said the significant security risks inherent in large databases are
especially applicable in the case of REAL ID. This database would
include biographical data, Social Security numbers and images of
identification documents such as birth certificates or citizenship

On the same day as the forum, the National Conference of State
Legislatures released a report estimating that the cost to the
states will be more than $11 billion over five years. States also
expressed concern regarding the application of the Drivers Privacy
Protection Act to the records retention and information sharing
requirements of Real ID.

National Conference of State Legislatures Report: The Real ID Act:
National Impact Analysis (pdf):


EPIC's Page on Identity Theft:


EPIC's Page on National ID Cards and REAL ID Act:


[5] EPIC Reminds Homeland Security to Publish Annual Privacy Report

In a September 26, 2006 letter to Hugo Teufel, the Chief Privacy Officer
of the Department of Homeland Security, EPIC asked when the DHS privacy
report would be made available. The Department is required by law to
provide an annual report to Congress.

Under the Homeland Security Act of 2002, the Chief Privacy Officer must
submit a report "on activities of the Department that affect privacy,
including complaints of privacy violations, implementation of the
Privacy Act of 1974, internal controls, and other matters." The last
report, which covered the period April 2003 to June 2004, was published
in February 2005. A year ago, then-Chief Privacy Officer Nuala O'Connor
Kelly said she hoped the annual report would be released "sometime in
the end of the next quarter."

EPIC also submitted letters to Senators Susan Collins and Joe Lieberman,
the Chairman and Ranking Member of the Senate Committee on Homeland
Security, asking about the late report. EPIC highlighted that, in
contrast to the Chief Privacy Officer, the DHS Inspector General has
routinely submitted semiannual reports to Congress on a timely basis.

On October 4, 2006, President Bush indicated in a signing statement on
the Homeland Security Appropriations Act that he might disregard a legal
requirement to ensure that the annual DHS privacy report is not
influenced by the White House. Section 522 of the Act, as passed, stated

     None of the funds made available in this Act may be used by any
     person other than the Privacy Officer appointed under section 222
     of the Homeland Security Act of 2002 (6 U.S.C. 142) to alter,
     direct that changes be made to, delay, or prohibit the transmission
     to Congress of any report prepared under paragraph (6) of such

However, the President wrote that he would "construe section 522 of the
Act, relating to privacy officer reports, in a manner consistent with
the President's constitutional authority to supervise the unitary
executive branch."

EPIC's Letter to Chief Privacy Officer Teufel (pdf):


Homeland Security Act of 2002 (pdf): 


DHS Chief Privacy Officer Report Covering April 2003 to June 2004 (pdf):


Department of Homeland Security Appropriations Act, 2007


Presidential Signing Statement, H.R. 5441


[6] News in Brief

Report: Security Vulnerabilities in Government Health Data Network

A report released this week by the Government Accountability Office
identified 47 weaknesses in the communications network used to transmit
medical data for the U.S. government's Medicare and Medicaid programs.
The claims data -- including patient names, Social Security numbers, and
medical information -- is sent to health-care facilities, contractors,
financial institutions and state Medicaid offices. The security
vulnerabilities could allow "unauthorized access to personally
identifiable medical data," according to the report.

Report: Information Security: The Centers for Medicare & Medicaid
Services Needs to Improve Controls over Key Communication Network (pdf):


EPIC's Page on Medical Privacy:


Supreme Court Ignores Appeal in DNA Database Case

The Supreme Court this week chose not to hear the appeal of a
Washington, D.C. resident who argued that the collection of his DNA for
a federal database violated the Fourth Amendment. EPIC filed an amicus
brief in support of Lamar Johnson's petition and emphasized three
particular flaws within the DNA collection program. First, the DNA
profile stored in CODIS contains more information than the unique
identifier the government claims. Second, the DNA database allows for
partial profile searching that implicates relatives of profiled
individuals. Third, the retention of the blood sample from which the DNA
profile is generated presents an opportunity for future privacy

EPIC's Page on Johnson v. Quander:


EPIC's Page on Genetic Privacy: 


D.C. Police Chief: Expanded Camera Surveillance Hasn't Cut Crime

In the seven weeks that they've been deployed, Washington, D.C.'s 48 new
surveillance cameras have not helped to solve any cases, according to
D.C. Police Chief Charles Ramsey. He spoke before the D.C. Council's
Committee on the Judiciary about the emergency crime legislation adopted
on July 11. EPIC and other groups opposed the Council's decision to
expand camera surveillance, establish an earlier curfew, and grant
police access to confidential juvenile information. EPIC has repeatedly
warned the Council that camera surveillance systems are ineffective and
prone to abuse.

Police Chief Charles Ramsey's Statement at a Public Roundtable on
District Government's Response to the Crime Emergency:


EPIC's Page on Video Surveillance:


New Report Raises Questions About Privacy, Future of Internet

A detailed survey of technology thinkers and stakeholders predicts that
the Internet of 2020 will be more widespread and low-cost, and will
contribute to a flattening of social hierarchies. However, the respondents
also express concerns about interoperability, government regulations,
commercial interests, and the loss of privacy. A significant 42% of
survey participants are pessimistic about human ability to control the
technology in the future. They predict that dangers and dependencies
will grow beyond our ability to stay in charge of technology. The survey
was conducted by the Pew Internet and American Life Project.

Report: The Future of the Internet II (pdf):


Committee For Voting Integrity Urges Safeguards in Maryland Elections

Last month, the state primary election in Montgomery County, Md.,
uncovered problems with electronic voting systems, including issues with
electronic poll books and missing voter access cards that significantly
delayed or prevented many voters from casting ballots. In a letter to
Montgomery County elections officials, the National Committee for Voting
Integrity offered constructive guidance as it prepares for the upcoming
general elections. Suggestions included: allowing voters to choose
whether to use a DRE voting system or an optical scan ballot; ensuring
sufficient numbers of provisional ballots or alternative paper ballots
are available should complications or planning fail to meet a particular
contingency; and removing any wireless devices on DRE voting systems
before the voting process.

National Committee for Voting Integrity Letter to Maryland Elections


EPIC's Page on Voting:


Berlin Conference: How Surveillance Technology Affects Civil Liberties

At the "Informatik und Rustung" ("Computer Science and Warfare")
conference in Berlin last week, international technology and privacy
groups debated the impact of surveillance technologies upon civil
liberties. Participants such as Joseph Weizenbaum, professor emeritus of
computer science at MIT and the author of the seminal "Computer Power
and Human Reason," Klaus Brunnstein, President of the International
Federation for Information Processing, and Reiner Braun, Executive
Director of NATWISS, debated the application of technology for military
and civilian uses. Melissa Ngo, EPIC Staff Counsel, spoke about the
impact on civil liberties and significant security and privacy risks of
camera surveillance systems and radio frequency identification
technology. For example, when police use camera surveillance systems to
photograph and create files on people engaged in peaceful, legal
demonstrations, it has a chilling effect upon free speech.

EPIC's Page on Video Surveillance:


EPIC's Page on RFID:


Facebook Responds to Users' Demands for Increased Privacy

In response to the negative reactions of many of its users, Facebook put
new privacy controls on its News Feed feature into operation. Mark
Zuckerberg, CEO of Facebook, published an open letter on the Web site
apologizing for not having consulted with users prior to introducing
the feature, which notified users of all their contacts' activities, such as
profile changes from "in a relationship" to "single." However, the
change is simply an opt-out and puts the burden on Facebook users to
protect their privacy. Over 700,000 users signed an online petition
demanding the company discontinue the feature, stating that this
compromised their privacy.

Letter from Mark Zuckerberg, Facebook CEO:


EPIC's Page on Social Networking Privacy:


[7] EPIC Bookstore: Reconstructing the Fourth Amendment

"Reconstructing the Fourth Amendment: A History of Search and Seizure,
1789-1868" by Andrew E. Taslitz (New York University Press 2006).


"The modern law of search and seizure permits warrantless searches that
ruin the citizenry's trust in law enforcement, harms minorities, and
embraces an individualistic notion of the rights that it protects,
ignoring essential roles that properly-conceived protections of privacy,
mobility, and property play in uniting Americans. Many believe the
Fourth Amendment is a poor bulwark against state tyrannies, particularly
during the War on Terror.

"Historical amnesia has obscured the Fourth Amendment's positive
aspects, and Andrew E. Taslitz rescues its forgotten history in
Reconstructing the Fourth Amendment, which includes two novel arguments.
First, that the original Fourth Amendment of 1791—born in political
struggle between the English and the colonists—served important
political functions, particularly in regulating expressive political
violence. Second, that the Amendment's meaning changed when the
Fourteenth Amendment was created to give teeth to outlawing slavery, and
its focus shifted from primary emphasis on individualistic privacy
notions as central to a white democratic polis to enhanced protections
for group privacy, individual mobility, and property in a multi-racial

"With an understanding of the historical roots of the Fourth Amendment,
suggests Taslitz, we can upend negative assumptions of modern search and
seizure law, and create new institutional approaches that give political
voice to citizens and safeguard against unnecessary humiliation and
dehumanization at the hands of the police."


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

The IAPP Privacy Academy 2006. International Association of Privacy
Professionals. October 18-20, 2006. Toronto, Ontario, Canada. For more

International Conference on Privacy, Security, and Trust (PST 2006).
University of Ontario Institute of Technology. October 20-November 1,
2006. Markham, Ontario, Canada. For more information:

Internet Governance Forum (IGF) October 30-November 2, 2006. Athens,
Greece. For more information:

28th International Data Protection and Privacy Commissioners'
Conference. November 2-3, 2006. London, United Kingdom. For more

BSR 2006 Annual Conference. Business for Social Responsibility. November
7-10, 2006. New York, New York. For more information:

5th Conference on Privacy and Public Access to Court Records. Center for
Legal and Court Technology and Administrative Office of the United
States Courts. March 22-23, 2007. Williamsburg, Virginia. For more

CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 13.20 -------------------------