                            E P I C  A l e r t
Volume 14.17                                             August 24, 2007

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

Table of Contents
[1] EPIC Urges Court to Consider Privacy Interest in De-Identified Data
[2] Iraq Database a Potential "Hit List," Acknowledges Program Officer
[3] Spy Chief Opens Up On Surveillance
[4] Pentagon to End Threat Database
[5] Electronic Voting System Identifies Voters
[6] News in Brief
[7] EPIC Bookstore: "Information Security and Privacy"
[8] Upcoming Conferences and Events

[1] EPIC Urges Court to Consider Privacy Interest in De-Identified Data

EPIC and 16 experts in privacy law and technology filed a "friend of the
court" brief on Monday in a case concerning a New Hampshire state law
banning the sale of prescriber-identifiable prescription drug data for
marketing purposes. The experts urged the First Circuit Court of Appeals
to reverse the ruling of the lower court, which held that the New
Hampshire Prescription Confidentiality Act violated the free speech
rights of data mining companies IMS Health Inc. and Verispan LLC.

On June 30, 2006, the New Hampshire legislature unanimously passed the
Prescription Confidentiality Act, which prohibits prescription
information records that contain patient- or prescriber-identifiable
data from being transferred, licensed, sold, or used for most commercial
purposes. This includes marketing, advertising, and other forms of
promotion. The Act specifically bars the use of prescriber-identifiable
data for "physician detailing," which involves the sale of patient
prescription records to datamining firms that generate sales leads for
pharmaceutical companies. The Act explicitly permitted the use of this
data for such non-commercial purposes as research and education.

The Plaintiffs-Appellees, IMS Health and Verispan, are both data mining
companies which purchase and compile prescription information in order
to sell the data. In the District Court, IMS Health and Verispan alleged
that the new Act violated their First Amendment right to free speech,
claiming that: 1) the law was subject to strict scrutiny because it
provided a content-based restriction on non-commercial free speech; 2)
the law violated the First Amendment because it was not narrowly
tailored to serve compelling state interests; and 3) if the judge
determined that the law was subject to intermediate scrutiny because it
only restricted commercial speech, it still did not advance a
substantial government interest in a narrowly tailored way.

In the State's defense, the Attorney General argued: 1) that the law did
not implicate the First Amendment because it did not regulate speech;
and even if the Act did implicate speech, 2) the law should survive
intermediate scrutiny because it advanced the State's substantial
interests in promoting public health, controlling health care costs and
protecting the privacy of patients and doctors, while still allowing the
data to be used for non-commercial purposes. The District Court rejected
all of the Attorney General's arguments, finding that the government did
not have an interest in "preventing the dissemination of truthful
commercial information" and that the law was more expansive than
necessary to promote the State's interests. The District Court held that
the Act did not advance a substantial interest in protecting the privacy
of patients and health care providers. New Hampshire appealed to the
First Circuit Court of Appeals, which will soon hear the case.

There are approximately 1.4 million health care providers in the United
States. These providers write billions of prescriptions each year for
more than 8,000 different pharmaceutical products, which are filled at
54,000 retail pharmacies throughout the country. For every prescription
they fill, the retail pharmacies acquire records, which include: patient
name; prescriber identification; drug name; dosage requirement;
quantity; and date filled. In order to comply with federal and state
privacy laws, patient-identifying information is encrypted and
de-identified, often with software installed by the datamining companies
themselves. The rest of the prescription record remains intact. Thus, a
patient's entire drug history is correlated, and each provider can be
identified along with its prescribing habits. This practice raises
privacy concerns for both patients and health care providers, said EPIC
and the 16 experts in their brief.

EPIC and the experts said the lower court should be reversed, because it failed
to consider the substantial privacy interest in de-identified patient
data. Although de-identification measures are increasingly innovative
and computationally complex, patient data is still vulnerable to attacks
because sophisticated re-identification programs are also being
developed, the experts said. Individuals can be re-identified using
information such as zip code, date of birth, and gender and then
comparing that data to publicly available information. Such information
is easily accessible via birth and death records, incarceration reports,
voter registration files, and driver's license information.
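
Added example (not from the EPIC brief or the Alert): a small k-anonymity
audit in Python showing why records that keep ZIP code, date of birth and
gender remain linkable to public files even after names are tokenized. The
records, tokens and generalization levels are constructed for illustration.

```python
from collections import Counter

# Constructed sample: names replaced by opaque tokens, quasi-identifiers intact.
RECORDS = [
    {"token": "p01", "zip": "03301", "dob": "1961-04-12", "sex": "F"},
    {"token": "p02", "zip": "03301", "dob": "1961-09-30", "sex": "F"},
    {"token": "p03", "zip": "03303", "dob": "1961-01-05", "sex": "F"},
    {"token": "p04", "zip": "03301", "dob": "1975-06-20", "sex": "M"},
    {"token": "p05", "zip": "03302", "dob": "1975-11-02", "sex": "M"},
    {"token": "p06", "zip": "03801", "dob": "1948-03-15", "sex": "F"},
    {"token": "p07", "zip": "03801", "dob": "1942-07-08", "sex": "F"},
    {"token": "p08", "zip": "03820", "dob": "1975-02-14", "sex": "M"},
]

MAX_LEVEL = 2


def generalize(rec, level):
    """Quasi-identifier tuple at a generalization level (assumed scheme).

    0: full ZIP, full date of birth, sex
    1: 3-digit ZIP prefix, birth year, sex
    2: 3-digit ZIP prefix, birth decade, sex
    """
    year = int(rec["dob"][:4])
    if level == 0:
        return (rec["zip"], rec["dob"], rec["sex"])
    if level == 1:
        return (rec["zip"][:3], year, rec["sex"])
    if level == 2:
        return (rec["zip"][:3], year // 10 * 10, rec["sex"])
    raise ValueError("unknown generalization level: %r" % level)


def class_sizes(records, level):
    """Count how many records share each quasi-identifier combination."""
    return Counter(generalize(r, level) for r in records)


def k_anonymity(records, level):
    """Smallest equivalence class; k == 1 means someone is unique."""
    return min(class_sizes(records, level).values())


def at_risk(records, level, k=2):
    """Tokens whose quasi-identifier class has fewer than k members.

    These are the records a join against a public file carrying the same
    fields (for example a voter roll) could narrow to fewer than k people.
    """
    sizes = class_sizes(records, level)
    return sorted(r["token"] for r in records
                  if sizes[generalize(r, level)] < k)


def minimum_level(records, k):
    """Lowest generalization level reaching k-anonymity, or None if no
    level does and some records must be suppressed instead."""
    for level in range(MAX_LEVEL + 1):
        if k_anonymity(records, level) >= k:
            return level
    return None


if __name__ == "__main__":
    for level in range(MAX_LEVEL + 1):
        print(level, k_anonymity(RECORDS, level), at_risk(RECORDS, level))
    print("level needed for k=2:", minimum_level(RECORDS, 2))
```

In this sample every record is unique on the raw fields, and one record is
still unique after the coarsest generalization, so it has to be suppressed.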

This privacy interest in part flows from the reality that data may not
be, in fact, truly de-identified, and also because de-identified data
does impact actual individuals. The experts explained that (1) the
information is not truly anonymized; (2) as a result, there are real
dangers to patient privacy in having this data trade, and therefore (3)
the state interest in protecting patient privacy, ignored by the court
below, requires reversal.

Amicus Brief of EPIC and 16 Experts in Privacy Law and Technology
(August 20, 2007) (pdf):


Opinion of the District Court (April 30, 2007) (pdf):


New Hampshire Prescription Confidentiality Act: 


EPIC's page on IMS Health v. Ayotte: 


[2] Iraq Database a Potential "Hit List," Acknowledges Program Officer

This week, the biometrics program manager in Iraq expressed concern that
the database containing biometrics and secret files on thousands of
Iraqis could "become a hit list if it gets in the wrong hands."
According to Lt. Col. Velliquette, the Iraqi system has approximately
750,000 records in its database.

Currently, the U.S. military administers the database of Iraqis'
personal information. According to reports, U.S. troops are using mobile
scanners to take fingerprints, eye scans, and input other personal data
from Iraqis at checkpoints, workplaces, the sites of attacks, and
door-to-door canvasses. The database information is tied to other Iraq
biometric databases at the Biometric Fusion Center in West Virginia.
There are at least 31 U.S. officials who have access to the database,
but this number is likely much higher. Further, the idea of the U.S.
military turning over the database system to the Iraqi government is
already under discussion.

In July, EPIC, Privacy International, and Human Rights Watch wrote to
the US Defense Secretary to warn that the system will lead to reprisals
and further killings. The letter draws attention to international
privacy obligations, including Article 12 of the Universal Declaration
of Human Rights, a document that the United States has endorsed. As the
USA Today article notes, "Many Iraqis carry fake IDs with last names
that suggest a sectarian background other than their own - a method of
survival in a country where violence between Sunnis and Shiites have
killed thousands since the war began."

There is as yet no indication of any privacy safeguards protecting
against the risk that this information will be used to fuel the ethnic
cleansing. A 2007 report from the Pentagon's Defense Science Board
stated that military use of biometric data raises substantial privacy

Letter from privacy groups to Robert Gates, Secretary of Defense, July
27, 2007 (pdf):


Council on Foreign Relations, "A National ID Program for Iraq?":


EPIC's Iraqi Biometric ID page:


Human Rights Watch's page on Iraq:


EPIC's page on Biometric Identifiers:


[3] Spy Chief Opens Up On Surveillance

In an on-the-record discussion with the El Paso Times, Director of
National Intelligence Michael McConnell revealed details of past and
current surveillance activities and discussed border security.

For the first time, an administration official confirmed that private
sector companies illegally assisted with the President's domestic spying
program. Several telecommunication companies are being sued for this,
and McConnell says these lawsuits will bankrupt them.  McConnell argued
that these companies should have immunity for any past violations of
privacy laws, not just the going-forward immunity that the new Foreign
Intelligence Surveillance Act (FISA) provides.

McConnell also added details to the impetus behind the recent revisions
in FISA. A FISA court judge refused to authorize certain interceptions
of wired communications without a warrant. Complaining that it took 200
man-hours to craft a warrant, McConnell argued that surveillance of a
foreigner in a foreign country should not be restricted. The new FISA
law removes from the jurisdiction of the FISA court surveillance that is
"directed at" a person "reasonably believed to be outside of the United

The bill, passed in July at the end of the legislative session, was
first submitted by the administration in April.  While the
administration's original proposal was 66 pages, the final document was
only 11 pages in length. McConnell said that he had problems with
one alternative proposal, because of language concerning minimization,
but he did not elaborate.

McConnell stated that fewer than 100 US persons -- citizens or
foreigners in the United States -- are monitored.  Foreign numbers range
in the thousands. McConnell described the surveillance program as
"surgical."

According to the Department of Justice, there were 2,181 applications to
the Foreign Intelligence Surveillance Court for authority to conduct
electronic surveillance and physical searches for foreign intelligence
purposes. Of the 2,181 applications submitted, 2,176 applications were

Transcript: Debate on Foreign Intelligence Surveillance Act:


EPIC's Page on Foreign Intelligence Surveillance Act:


[4] Pentagon to End Threat Database

The Pentagon will end its Threat and Local Observation Notices (TALON)
Program. The program collects reports of activities that are alleged to
be threats to the Defense Department.  The program will be shut down as
of September 17, 2007. The Pentagon promises to propose a new program
for threat reporting. In the interim, information that the Pentagon
collects will be forwarded to the FBI's Guardian database. Earlier this
spring the Pentagon's intelligence chief, James Clapper, had recommended
that the program be shut down. At that time Clapper said that the
department would continue "to document and assess potential threats to
Defense Department resources."

The TALON program was heavily criticized, and the Pentagon had to
apologize, after documents revealed that TALON collected data on
peaceful anti-war and anti-nuclear meetings and protests. The documents
revealing this surveillance were obtained pursuant to the Freedom of
Information Act by the Servicemembers Legal Defense Network and the
ACLU. The department admitted that, after determining that the protests
posed no threat, it had kept the information past the 90 days its
guidelines provided for. The department also monitored
student speech and e-mails at several universities across the country,
tracking students involved in protesting military policies.

The interim replacement is the FBI-run Guardian Threat Tracking System.
The Guardian system follows all threats that FBI field offices choose to
enter into it.  As of 2005, Guardian contained 40,000 threats. Future
phases are planned in which Guardian data will be shared via a web-based
application with state and local law enforcement officials. Guardian
contains threats classified up to a "secret" level. Federal and state
law enforcement also shares data via Joint Terrorism Task Forces and
Information Fusion Centers.

DoD to Implement Interim Threat Reporting Procedures:


Pentagon to shut down controversial database:


EPIC's page on Information Fusion Centers and Privacy:


[5] Electronic Voting System Identifies Voters

Research undertaken by The Public Ballot, a voter privacy organization,
and reported on by CNET.com revealed that Ohio voter privacy is
threatened by Election Systems and Software's voting machines. The
method of affixing a time stamp to each voter-verified paper audit
record is cited as the source of the voter privacy problem.  The state
of Ohio, along with retaining these records, also retains the poll
registration logs, which note the time each voter enters the voting
process.  Both types of information are treated as public information
and are available upon request.

Federal and state courts and legislatures have historically taken
measures to protect the right of voters to vote their conscience without
fear of retaliation. United States law requires that "All votes for
Representatives in Congress must be by written or printed ballot, or
voting machine, the use of which has been duly authorized by the State
law; and all votes received or recorded contrary to this section shall
be of no effect." The statute defines "ballot" in election provisions to
mean a "method which will insure, so far as possible, secrecy and
integrity of popular vote," and interprets the Congressional requirement
that elections be conducted by written or printed ballots or by machine
to include the notion that ballots must be secret.

EPIC's project, the National Committee for Voting Integrity, has testified
before the Election Assistance Commission and submitted testimony to
House and Senate Committees with jurisdiction in this area on the
problems associated with electronically produced ballots and the need to
protect voter privacy.

EPIC's Voting Privacy page:


National Committee for Voting Integrity:


[6] News in Brief

FISA Court to Review Disclosure of Documents

The Foreign Intelligence Surveillance Court required the Government to
respond to an ACLU request for the release of legal opinions concerning
the secret surveillance of Americans. The ACLU requested documents on
the legal reasoning on the scope of the government's wiretap
authorities. The government must respond by August 31, 2007.

The 9th Circuit Court of Appeals heard arguments in the case of Hepting
v. AT&T. In the class action lawsuit, customers accuse AT&T of violating
privacy laws by participating in government surveillance programs. The
government argued for the dismissal of the lawsuit because it threatened
to expose state secrets. The Electronic Frontier Foundation, lawyers for
Hepting, argued that the courts can adequately protect state secrets
while enforcing the law.

EPIC, in cooperation with the Stanford Constitutional Law Center, filed
a friend-of-the-court brief in "Hepting v. AT&T." The EPIC brief states,
"The statutes and constitutional provisions relied upon in the complaint
are designed to interpose the courts between citizens and the government
when government conducts surveillance that it naturally would prefer to
conduct in secret and wholly at its own discretion . . . This
litigation should thus proceed, lest the privacy claims here be made
effectively unreviewable."

EPIC's Hepting v. AT&T page:


EPIC's Resources on Domestic Surveillance:


DHS Warns States to Implement REAL ID

In a speech to the National Conference of State Legislatures earlier
this month, DHS Secretary Michael Chertoff told states that citizens in
states that do not implement REAL ID will have to use passports for
federal purposes, such as entering courthouses or flying domestically.
Passports currently cost $97 each, and the State Department admitted in
July that there is a significant backlog in processing passports because
of, among other things, "inept planning, underfunded preparations, and
popular misunderstanding of poorly crafted government advertising." In
May, EPIC and 24 experts in privacy and technology submitted comments on
DHS's draft implementation regulations for the REAL ID Act warning the
federal agency not to go forward with the proposal. The group said that
the ill-conceived plan would create new security risks for the American
public, such as increasing the risk of and the damage caused by identity
theft. "DHS has the obligation to protect the privacy of citizens
affected by this system and must do more than the feeble attempts set
out in the draft regulations," the group said. Seventeen states have
passed legislation against REAL ID. There also are bills to repeal REAL
ID in both the U.S. House and Senate.

Department of Homeland Security's Rulemaking on REAL ID:


EPIC's page on National ID Cards and the REAL ID Act: 


US Broadens Use of Domestic Satellites

The Director of National Intelligence, Michael McConnell, authorized the
sharing of spy satellite information with non-intelligence state, local
and federal agencies.  The Department of Homeland Security, via its new
National Applications Office, will be coordinating access to the
information. It is expected that these entities will have access not
just to imagery, but also to the intelligence agencies' analysis and
production capabilities. These spy systems provide real time
capabilities, have more detail, and detect more information than
commercially available satellite imagery.

US To Expand Domestic Use of Spy Satellites:


EPIC's Video Surveillance page:


China Creates Vast Program for Surveillance and Identification of Its

At least 20,000 police surveillance cameras are being installed along
streets here in southern China and will soon be guided by sophisticated
computer software from an American-financed company to recognize
automatically the faces of police suspects and detect unusual activity.
Starting this month in a port neighborhood and then spreading across
Shenzhen, a city of 12.4 million people, residency cards fitted with
powerful computer chips programmed by the same company will be issued to
most citizens. Data on the chip will include not just the citizen's name
and address but also work history, educational background, religion,
ethnicity, police record, medical insurance status and landlord's phone
number. Even personal reproductive history will be included, for
enforcement of China's controversial “one child” policy.

EPIC's Video Surveillance page:


Privacy and Human Rights Report 2006:


OECD Public Consultation Open

The OECD has launched an online public consultation process to receive
input on the proposed themes and issues of the upcoming OECD Ministerial
to be held in Seoul, Korea on June 17-18, 2008. The theme of the
Ministerial is the “Future of the Internet Economy.” The Ministerial
represents an opportunity for high-level stakeholders from government,
business, the technical community, and civil society to consider broad
social, economic and technical trends shaping the development of the
Internet Economy, and to discuss policies that can respond to evolving
societal needs. The Online Public Consultation is one of a series of
initiatives aimed at involving non-governmental stakeholders in the OECD
Ministerial meeting and in its preparation. The public consultation will
be open until Friday, September 14, 2007.

OECD Online Public Consultation:


The Public Voice:


[7] EPIC Bookstore: "Information Security and Privacy"

Information Security and Privacy: A Practical Guide to Federal, State
and International Law by Andrew Serwin (Thomson West, 2007)


California lawyer Andrew Serwin's new privacy and information security
text provides a comprehensive understanding of the issues surrounding
the collection of information, the regulatory schemes currently in
place, and the steps that are required for compliance with privacy
legislation. The author provides detailed coverage of a wide range of
subjects in the ever-expanding field of data privacy and security. The
main focus of the reference book is on US federal and state law, but it also
includes two chapters on international privacy law, which describe the
legal frameworks of select EU countries as well as Argentina, Canada and

Each section provides an overview of the topic, followed by relevant
federal laws and specific state provisions. Topics include general
privacy restrictions, including Internet and telecom privacy laws,
financial privacy, medical privacy, unauthorized access to networks,
wiretapping and privacy in electronic communications including employee
monitoring, data security and data destruction. It also covers state
laws regarding security breaches, Social Security number restrictions,
identity theft, Internet privacy, and phishing and pharming laws. As
noted by the publisher, Serwin's text “not only provides the pertinent
regulations in a user-friendly reference, but also offers analysis and
practical advice.”

-- Allison Knight


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

7th Annual Future of Music Policy Summit. September 17-18, 2007.
Washington, DC. For more information

PIPA Conference: Private Sector Privacy in a Changing World. September
20-21, 2007. Vancouver, Canada. For more information:

Civil Society Privacy Conference: Privacy Rights in a World Under
Surveillance. September 25, 2007. Montreal, Canada. For more

29th International Conference of Data Protection and Privacy
Commissioners. September 25-28, 2007.  Montreal, Canada. For more

Internet Bill of Rights meeting. September 27, 2007. Rome, Italy. For
more information: http://www.internet-bill-of-rights.org/en/

OECD and Industry Canada: Shaping Policies for Creativity, Confidence
and Convergence in the Digital World. October 3, 2007. Ottawa, Canada.
For more information:

University of Ottawa Faculty of Law: The Revealed "I". October 25-27,
2007. Ottawa, Canada. For more information:

Computer Professionals for Social Responsibility: Technology in Wartime
Conference. January 26, 2008. Stanford University. For more
information: http://cpsr.org/news/compiler/2007/Compiler200707#twc

Future of the Internet Economy - OECD Ministerial Meeting. June 14-18,
2008. Seoul, Korea. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 14.17 -------------------------