                            E P I C  A l e r t
Volume 14.15                                              July 27, 2007

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

Table of Contents
[1] Privacy Groups Object to US Military Database of Iraqis
[2] EPIC Urges Senate Committee to Repeal National Security Letters
[3] OECD Online Public Consultation for Upcoming Ministerial
[4] Department of Health Proposes New Records System 
[5] Medical Privacy Bill Introduced in Senate
[6] News in Brief
[7] EPIC Bookstore: "Privacy on the Line"
[8] Upcoming Conferences and Events

[1] Privacy Groups Object to US Military Database of Iraqis

On July 27, EPIC, Privacy International and Human Rights Watch wrote to
the US Secretary of Defense to warn that a new system of biometric
identification contravenes international privacy standards and could
lead to further reprisals and killings. The groups cite the particular
risk of identification requirements in regions of the world torn by
ethnic and religious division.

According to USA Today, U.S. troops are using mobile scanners to take
fingerprints and eye scans, which are linked to profiles maintained by
the US military. This information is then being used to build an
unprecedented secret database of Iraqis that is administered by the
U.S. military.
However, there is as yet no indication of any privacy safeguards
protecting this information from illegitimate uses.

The secret profiling of Iraqis creates an unprecedented human rights
risk that could easily be exploited by a future government, and yet the
idea of the U.S. military turning over the database system to the Iraqi
government is already under discussion. In May 2007, the Council on
Foreign Relations, a prominent think tank, floated the possibility of a
national identification program for Iraq similar to the U.S. REAL ID
system. The proposal, also described in the New York Times, would
introduce biometric ID cards to Iraqis that could be read with portable
machines linked to a centralized database. The proposal also envisaged
Iraqi government census workers going door-to-door to catalogue
residents. The program's purported purpose would be to distinguish
insurgents from lawful citizens, but the proponents admitted that the
central database could also be misused for ethnic cleansing.

According to Gianni Magazzeni, head of the U.N. human rights office for
Iraq, "People are basically killed or taken away simply because of their
name, their identity or specific affiliations." Because names are
associated with religious identity, many Iraqis change their names or
carry fake IDs to avoid being murdered by rival sects. Numerous reports
indicate that Iraqis regularly risk death if they are proven to be of a
different sect than gunmen at a checkpoint. In July 2006, Shiite
militiamen established a fake checkpoint and killed up to 50 Sunnis
after examining their identification documents. The establishment of the
biometric database erodes what limited protection Iraqis have in
concealing their true identities.

The letter from EPIC, Privacy International and Human Rights Watch draws
attention to international privacy obligations, including Article 12 of
the Universal Declaration of Human Rights, that the United States has
endorsed. As the USA Today article notes, "Many Iraqis carry fake IDs
with last names that suggest a sectarian background other than their
own - a method of survival in a country where violence between Sunnis
and Shiites have killed thousands since the war began." The letter
concludes, "The new system of biometric identification and secret
profiles raises the very real possibility of future reprisals and
killings on a far more widespread basis."

Letter from privacy groups to Robert Gates, Secretary of Defense, July
27, 2007:


USA Today Article, July 13, 2007:


Council on Foreign Relations, "A National ID Program for Iraq?":


EPIC's Iraqi Biometric ID Page:


Human Rights Watch's page on Iraq:


EPIC's page on Biometric Identifiers:


[2] EPIC Urges Senate Committee to Repeal National Security Letters

On July 26, EPIC sent a letter to the Senate Committee on the Judiciary,
urging Congress to repeal the National Security Letter (NSL) authority
in the Patriot Act. NSLs are an extraordinary search procedure by which
the FBI can compel disclosure of certain customer and consumer data from
telephone companies, financial institutions, Internet service providers
and consumer credit agencies without judicial approval.

In 2005, EPIC uncovered documents concerning NSLs that revealed
violations of law reported to the Intelligence Oversight Board. In a
letter to the Senate Judiciary Committee in October 2005, EPIC
highlighted the need for the Attorney General to report to Congress on
potentially unlawful intelligence investigations that are forwarded to
him from the Intelligence Oversight Board. In March 2007, EPIC said that
the findings by the Office of the Inspector General Report and EPIC
Freedom of Information Act requests were “particularly troubling in
light of the fact that the Attorney General told Congress during the
oversight hearings on Patriot Act Reauthorization that he was not aware
that violations of law had occurred.” A Washington Post article
discussed the results of an internal FBI audit that found that FBI
agents abused their NSL powers more than 1,000 times, far more than was
previously documented. On July 10, reports revealed that Attorney
General Alberto Gonzales had received specific reports about NSL abuses
when he testified to Congress that “[t]here has not been one certified
case of civil liberties abuse” when the reauthorization of the Patriot
Act was under scrutiny in 2005.

On June 13, the Federal Bureau of Investigation released new internal
guidelines for the use of NSLs. The guidelines fail to address the
concerns EPIC has expressed in its letters to the Senate Judiciary
Committee. The FBI's guidelines continue to allow NSLs to be issued
under the lower post-Patriot Act standard that the information “be
relevant to an investigation to protect against international terrorism
or foreign spying” provided that the investigation of a United States
person is not conducted “solely on the basis of activities protected by
the first amendment of the Constitution of the United States.” The
pre-Patriot Act standard required “specific and articulable facts giving
reason to believe that the customer or entity whose records are sought
is a foreign power or an agent of a foreign power.” The guidelines also
continue the practice of allowing field offices to issue NSLs, rather
than the pre-Patriot requirement of headquarters approval.

EPIC's Letter to Senators Specter and Leahy (July 26, 2007):


Statement Of Sen. Patrick Leahy, Chairman, Hearing On Oversight Of The
Department Of Justice:


EPIC's Letter to Senators Specter and Leahy (March 21, 2007) (pdf):


EPIC's Letter to Senators Specter and Leahy (Oct. 24, 2005) (pdf):


EPIC's NSL page:


[3] OECD Online Public Consultation for Upcoming Ministerial

The OECD has launched an online public consultation process to receive
input on the proposed themes and issues of the upcoming OECD Ministerial
to be held in Seoul, Korea on June 17-18, 2008. The theme of the
Ministerial is the “Future of the Internet Economy.” The Ministerial
represents an opportunity for high-level stakeholders from government,
business, the technical community, and civil society to consider broad
social, economic and technical trends shaping the development of the
Internet Economy, and to discuss policies that can respond to evolving
societal needs.

The questionnaire seeks comments on four policy areas. First, how can
the Internet be used to improve future economic performance and social
welfare? Second, in order to benefit from technology convergence, what
overarching principles are needed for the transition to the next
generation of high speed networks, what guidance will help consumers
navigate the transition, and what policies should be in place for
evolving RFID and sensor networks? Third, how can the OECD encourage
creativity in areas such as e-science, enable innovation and encourage
growth and employment, and enable maximum access to public sector
information and content and its re-use by the private sector? Lastly,
the OECD requests comments on the kinds of policies that are needed to
ensure the security of critical information infrastructure and combat
malicious software, to address digital identity management, to ensure
multi-stakeholder, cross-border co-operation for privacy, security and
consumer protection, to empower consumers online, and to ensure fair
mobile commerce transactions and combat online identity theft. Answers
should be brief, i.e. between 350-400 words, but the OECD welcomes any
supporting documents that individuals may wish to attach to their

The OECD states that the participation of all players in the dialogue is
important to ensure that the Ministerial is able to benefit from a wide
range of viewpoints and expertise. This important online outreach tool
provides an excellent opportunity for civil society members to
contribute comments, suggestions as well as papers and reports that may
aid in the formation of the Ministerial agenda. The comments will be
published online, and will be made available for consideration to the
OECD Secretariat, member countries, and participants at the next
preparatory OECD meetings in October, where the agenda for the
Ministerial will be discussed.

The Online Public Consultation is one of a series of initiatives aimed
at involving non-governmental stakeholders in the OECD Ministerial
meeting and in its preparation. The public consultation will be open
until Friday, September 14, 2007.

OECD Online Public Consultation Page:


The Public Voice page:


Public Voice OECD Ministerial page:


[4] Department of Health Proposes New Records System

On June 26, the Department of Health and Human Services (HHS) proposed
to establish the National Disaster Medical System (NDMS) Patient
Treatment and Tracking Records System. The goal of this new records
system is to collect individual health data from people receiving
medical care provided by NDMS. The NDMS is a joint effort between HHS,
the Department of Defense, the Department of Homeland Security, and the
Veteran's Administration to provide additional resources to supplement
the public health and health care actions local and state governments
provide during emergencies.

Under the proposal, all persons treated by NDMS medical staff may have
their health data recorded and placed into a record system. This would
include demographic information as well as data regarding patient
diagnosis, treatment, and location.  This data may be obtained from the
individual patients, their physicians, or by access to the health
records of patients.

The NDMS Patient Tracking System contains various “routine use”
disclosures to all the federal agencies that share responsibility for
evacuation and treatment of patients under NDMS in order to ensure the
highest level of patient care possible.  Routine use disclosures may
also be made to consultants, contractors, and grantees who may require
access to the health records for business purposes related to the
collection of the data.  Lastly, routine use disclosures will be made to
state and federal agencies as necessary to establish the benefit
entitlement of the patient or to help families locate evacuated family

The routine use disclosures contained within the NDMS Patient Tracking
System raise some privacy concerns that EPIC addressed in comments
submitted to HHS on July 26.  In the comments, EPIC stated that HHS
should build privacy protections into the system in order to ensure that
patients receive quality emergency health care without having to
sacrifice their medical privacy.  EPIC also urged HHS to clearly define
how the system of records notice will comport with the Health Insurance
and Portability Act (HIPAA).  Any proposed routine use disclosures that
violate HIPAA provisions should not be included.

The NDMS Patient Tracking System collects data during emergency
situations.  Due to the extreme nature of these events, privacy and
safety can easily be overlooked if they have not already been built into
the system.  EPIC urged HHS to consider the impact that the proposed
routine use disclosures could have on victims of domestic violence, as
well as other displaced individuals. After Hurricane Katrina, numerous
evacuees faced instances of personal information abuse. For this reason,
EPIC encourages the use of health data collected by the NDMS for patient
treatment purposes only.

EPIC's Webpage on Hurricane Katrina and Identity Theft:


EPIC's Webpage on Domestic Violence and Privacy:


EPIC's Comments on NDMS Patient Treatment and Tracking Records System


Department of Health and Human Services System of Records Notice (June
26, 2007) (pdf):


[5] Medical Privacy Bill Introduced in Senate

On July 18, the Health Information Privacy and Security Act of 2007
(HIPSA) (S.1814) was introduced in the Senate.  The bill was
sponsored by Senator Patrick Leahy (D-VT) and co-sponsored by Senator
Edward Kennedy (D-MA).  HIPSA seeks to provide individuals with access
to their personal health information while ensuring patient privacy.

HIPSA provides individuals the right to access their health data and
prohibits the use of health data without patient authorization. The bill
requires that organizations that store health information electronically
notify individuals of their privacy practices and establish adequate
safeguards to prevent security breaches, or face civil penalties. If a
breach does occur, the bill requires patient notification within 15 days
of the occurrence.  HIPSA also authorizes the Attorney General to file a
civil action against organizations that do not properly safeguard
electronic health records or provide individuals with information about
their health privacy rights.

Further, HIPSA requires de-identification of individually identifiable
health information used for research purposes. The bill provides
exceptions for public safety, national security, and law enforcement
purposes.  In addition, providers may disclose health information to law
enforcement personnel and a patient's next of kin, so long as the
patient has been given the right to opt-out of the disclosure.

HIPSA will establish a health information privacy department within the
Department of Health and Human Services.  The department's main function
will be to provide consumers with information regarding their privacy
rights.  HIPSA makes it a federal crime to “knowingly and intentionally
disclose or use sensitive health information without an individual's
consent.”  If a person commits an offense, they may be fined $50,000 and
could be imprisoned for one year.  If the violation is committed with
the intent to sell or use the information for economic gain, violators
may be fined up to $500,000 and face up to 10 years in prison.

Health Information Privacy and Security Act of 2007, S.1814:


EPIC's Webpage on Medical Privacy:


Patient Privacy Rights


[6] News in Brief

New Report Reveals Increased Secrecy of US Government

A report by OpenTheGovernment.org and People For the American Way
Foundation documents how, at a time when technology should enable
government openness, the executive branch limits public access to public
information. According to "Government Secrecy: Decisions Without
Democracy 2007", President Bush has used executive orders to limit use
of the Freedom of Information Act and Presidential Records Act, expanded
the power to classify information for national security reasons, and
created a range of new categories of "sensitive" information. In some
cases, the government has gone so far as to reclassify documents that
had been available to the general public for many years.  The report
suggests that citizen journalists should utilize the Internet to
organize coalitions that promote openness and accountability, and to
publicize further governmental abuses by using services like YouTube and

Government Secrecy:  Decisions Without Democracy 2007 (pdf):


EPIC's FOIA page:


Spotlight on "National Network" of Fusion Centers

EPIC's current Spotlight on Surveillance reviews "fusion centers," data
sharing entities that acquire information from many sources, including
private sector firms and anonymous tipsters. The Department of Homeland
Security is seeking to create a national network of local and state
fusion centers. The federal agency has provided more than $380 million
to state and local governments in support of these centers. The fusion
center program gives DHS enormous domestic surveillance powers.

Spotlight on Surveillance: "National Network" of Fusion Centers Raises
Specter of COINTELPRO:


EPIC's Fusion Centers page:


Groups Urge FCC to Reject Network Filters

EPIC joined Public Knowledge and nine other privacy and consumer rights
groups in urging the Federal Communications Commission against requiring
broadband Internet Service Providers to use network filters on Web
content. Last month, NBC Universal Inc. requested the FCC mandate
content suppression in order to limit illegitimate broadband uses such
as online piracy through peer-to-peer file sharing. The privacy and
consumer rights groups explained, "Any attempt to use this technology to
control what may be done on the Internet will have serious unintended
consequences. Particularly, these technologies limit First Amendment
freedoms, stifle innovation, threaten personal privacy, and do little to
address the underlying problem."

Privacy and Consumer Rights Groups Comments  (July 16, 2007)  (pdf):


EPIC's Publication, “Filters & Freedom 2.0”:


Joint Consumer Comments on RFID in Europe

European consumer groups ANEC and BEUC have issued a joint policy paper
on RFID in Europe. The position paper, based on the European Commission
Communication on RFID from March 2007, is their contribution to the RFID
Experts stakeholder group and designed to help the European Commission
draft a recommendation on privacy and security aspects of RFID. The
groups recommended that the Commission begin "impartial and
comprehensive information campaigns on the RFID technology, its
potential benefits and risks," to help consumers choose whether to use
RFID. The groups also suggested that "a European committee dealing
with ethics should be created and consulted" concerning any RFID or near
field communication (NFC) technology applications.

ANEC/BEUC, "Consumers' scenarios for a RFID policy: Joint ANEC/BEUC
Comments on the Communication on Radio Frequency Identification (RFID)
in Europe: Steps towards a policy framework" (pdf):


EPIC's page on RFID:


House and Senate Compromise on 9/11 Recommendations

The House and Senate have agreed to harmonize two competing bills, H.R.
1 and S. 4, in order to implement some of the 9/11 Commission
recommendations. The bills include a provision establishing regional
fusion centers for sharing criminal and terrorism information with state
and local officials. The bills also establish a Privacy and Civil
Liberties Oversight Board, which is to have access to relevant material
held by other agencies. Members are appointed by the president and
confirmed by the Senate. The House bill, H.R. 1, originally proposed to
make the Oversight Board into an independent agency, but the harmonized
bills allow the Oversight Board to remain in the Executive Office of the

Improving America's Security Act of 2007, S. 4:


Improving America's Security Act of 2007, H.R. 1:


EPIC Spotlight on Fusion Centers:


EPIC 9/11 Commission Page


GAO Reports on Progress at DHS Privacy Office

The Government Accountability Office (GAO) has released a report on the
progress of the Department of Homeland Security (DHS) Privacy Office in
complying with its statutory mandates.  The GAO concluded that
significant progress has been made in meeting statutory requirements. 
For example, the Privacy Office has increased the number and quality of
Privacy Impact Assessments issued, and it has managed to incorporate
privacy considerations into DHS decision-making via the privacy advisory
committee and public workshops. However, the Privacy Office has not been
timely in issuing reports. This tardiness has delayed the effectiveness
of these reports and eroded the credibility of the Privacy Office.

DHS Privacy Office Has Made Progress but Faces Continuing Challenges


EPIC Privacy Oversight Page:


[7] EPIC Bookstore: "Privacy on the Line"

Privacy on the Line, The Politics of Wiretapping and Encryption, Updated
and Expanded Edition by Whitfield Diffie and Susan Landau (MIT Press,

This much-awaited update of Diffie and Landau's 1998 edition is greatly
appreciated by the privacy advocacy community. So much has happened in
the span of nine years: the terrorist attack of September 11, 2001;
public knowledge of government surveillance programs; increased use of
cryptography; and, the broad adoption of Internet-enabled communication

The publication is a wonderful exploration of the history of
communication privacy and the efforts by the US government to conduct
sanctioned and unsanctioned surveillance of domestic communication.
Domestic surveillance first began as a means of acquiring information on
criminal activities and quickly moved to documenting people's engagement
in social or political activities and their exercise of constitutionally
protected rights to expression and assembly. The argument that the
"Control of society is, in large part, control of communications," is
explained in detail by the authors as they walk the reader through the
decades of various technologies, tactics, and rationales deployed by
government in its efforts to snoop.

The strongest recommendation for the book is its grasp of communication
technology and the issue of cryptography, which the authors propose is
the key factor that can make or break the privacy rights of
telecommunication users. The 1970s was the decade of enlightenment for
easy access by the public to affordable and practical cryptographic
tools.  Diffie, Hellman, Merkle, Rivest, Shamir, Adleman, Feistel, all
made significant contributions to online banking and digital commerce.
According to Diffie and Landau, the National Security Agency's efforts
to hobble research and business opportunities presented the greater
obstacle to public access to good cryptographic tools.

One key lesson that is provided by "Privacy on the Line": electronic
surveillance is unlike any other form of spying because the intruder can
hide the fact that a message or communication has been compromised.
Diffie and Landau make it very clear that only amateurs attempting to
spy on modern telecommunication systems would make mistakes that would
tip off the target, and the National Security Agency is no amateur. This
updated edition makes for a great read - academic in nature, but very
accessible for someone interested in understanding the current debate
over the President's various domestic surveillance programs headed by
the National Security Agency.

-- Lillie Coney


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

7th Annual Future of Music Policy Summit. September 17-18, 2007.
Washington, DC. For more information

PIPA Conference: Private Sector Privacy in a Changing World. September
20-21, 2007. Vancouver, Canada. For more information:

Civil Society Privacy Conference: Privacy Rights in a World Under
Surveillance. September 25, 2007. Montreal, Canada. For more

29th International Conference of Data Protection and Privacy
Commissioners. September 25-28, 2007.  Montreal, Canada. For more

Internet Bill of Rights meeting. September 27, 2007. Rome, Italy. For
more information: http://www.internet-bill-of-rights.org/en/

OECD and Industry Canada: Shaping Policies for Creativity, Confidence
and Convergence in the Digital World. October 3, 2007. Ottawa, Canada.
For more information:

University of Ottawa Faculty of Law: The Revealed "I". October 25-27,
2007. Ottawa, Canada. For more information:

Future of the Internet Economy - OECD Ministerial Meeting. June 14-18,
2008. Seoul, Korea. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 14.15 -------------------------