EPIC logo

                            E P I C  A l e r t
Volume 14.19                                          September 20, 2007

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

                            E P I C Special Event

          "The President, Privacy, and Domestic Surveillance"
               with Pulitzer Prize Winner Charlie Savage

                     Busboys & Poets, Washington DC
                        Friday, October 5, 2007

                            More information:


Table of Contents
[1] Privacy Groups File Additional Papers in Google-DoubleClick Merger 
[2] International Privacy Commissioners Conference Next Week
[3] Court Strikes Down PATRIOT Act Provision 
[4] DHS Privacy Advisory Panel Holds Hearing on Fusion Center
[5] Voting: Photo ID, New Standards, and Election Reform Update
[6] News in Brief
[7] EPIC Bookstore: "The Terror Presidency"
[8] Upcoming Conferences and Events
    - Subscription Information
    - Privacy Policy
    - About EPIC
    - Donate to EPIC

[1] Privacy Groups File Additional Papers in Google-DoubleClick Merger

At the National Press Club on Monday, EPIC, the Center for Digital
Democracy, and US PIRG announced a second supplement to the groups'
original complaint and subsequent supplement with the Federal Trade
Commission (FTC) concerning the proposed Google-DoubleClick merger. The
amended complaint details new facts supporting the conclusion that the
FTC should block Google's proposed acquisition of DoubleClick.

At the National Press Club discussion, "Google, Online Advertising, and
Privacy," an expert panel reviewed recent developments with online
privacy, including behavioral targeting, and the proposed merger of
Google and DoubleClick. The panel, moderated by EPIC's Associate
Director, Lillie Coney, included Melissa Ngo, Senior Counsel and
Director of EPIC's Identification and Surveillance Project; Jeff
Chester, Executive Director of the Center for Digital Democracy; Joe
Turow, Professor of Communications at the University of Pennsylvania's
Annenberg School for Communication; and Amina Fazlullah, Staff Attorney

The experts discussed the privacy and antitrust problems created by the
proposed Google-DoubleClick merger. Google and DoubleClick are both part
of the online targeted ad market, with DoubleClick as the dominant force
in rich media display ads. "[I]nstead of competing in the online
targeted-ad market, Google is trying to quickly buy its way to total
market dominance via a DoubleClick takeover," Chester said. He urged the
FTC to block the merger.

The experts also criticized Google's recent call for new global privacy
standards. Peter Fleischer, Google's Global Privacy Counsel, suggested
that new standards be based on the APEC Privacy Framework. The APEC
guidelines are "the weakest international privacy standards," Ngo said.
For example, APEC sets no limits on the retention of personal
information and places the burden on consumers to prove how and where
they are harmed. Last year, EPIC led a coalition in submitting comments
to the Department of Commerce detailing the shortcomings of the APEC
standards, especially in relation to the OECD Guidelines.

The OECD Guidelines, which have been widely followed in the Americas,
Europe, and Asia for more than 20 years, are much more protective of
private data. The OECD Guidelines are based on the principles that
individuals have the right to limit the use of personal information they
disclose to others, and businesses have a duty to safeguard the data
they collect. In their original complaint, EPIC, CDD and US PIRG alleged
specifically that Google failed to follow the OECD standards. Google is
calling for new global privacy standards as it is under investigation in
the US, Canada, Australia and Europe for possible violations of the OECD

Also on Monday, the Canadian Internet Policy and Public Interest Clinic
(CIPPIC) filed a formal complaint with the Privacy Commissioner of
Canada urging an investigation into the proposed merger. CIPPIC detailed
several ways in which Google and DoubleClick may be violating Canada's
Personal Information Protection and Electronic Documents Act, and
suggested the possibility of even more serious and widespread privacy
invasions if the merger is completed.

The Senate Judiciary Committee will hold a hearing entitled "An
Examination of the Google-DoubleClick Merger and the Online Advertising
Industry: What Are the Risks for Competition and Privacy?" on Thursday,
September 27. Dave Drummond of Google, Brad Smith of Microsoft, Scott
Cleland of Precursor, Thomas Lenard of the Progress & Freedom
Foundation, and Marc Rotenberg of EPIC are expected to testify.

EPIC's Page on the Proposed Google-DoubleClick Merger (containing the
original FTC complaint and supplements):


Senate Judiciary Committee, "An Examination of the Google-DoubleClick
Merger and the Online Advertising Industry: What Are the Risks for
Competition and Privacy?":


Canadian Internet Policy and Public Interest Clinic (CIPPIC) Complaint
to the Privacy Commissioner of Canada (September 17, 2007) (pdf):


Peter Fleischer, Google Global Privacy Counsel, "Call for global privacy
standards," September 14, 2007:


Coalition Comments on APEC Cross-Border Privacy Rules (June 2006) (pdf):


APEC Privacy Framework:


Organization for Economic Cooperation and Development Privacy


EPIC's Privacy Law Sourcebook 2004:


[2] International Privacy Commissioners Conference Next Week

The 29th International Conference of Data Protection and Privacy
Commissioners, hosted by the Office of the Privacy Commissioner of
Canada, will be held on September 25-28, 2007, in Montreal, Canada. The
annual event draws Commissioners from around the world, as well as a
host of experts from academia, civil society and the private sector. 
The theme of this year's conference is “Privacy Horizons: Terra

Office of the Privacy Commissioner's media release explains that the
theme highlights the emphasis that conference organizers are placing on
the challenging issues that data protection and privacy commissioners
will need to address in the coming years. A group of leading
international privacy experts will tackle these issues in various
workshop, plenary and breakout sessions that deal with transborder data
flows, ubiquitous  computing, youth privacy, biometrics, globalization,
public safety, and the intersect between law and technology.

Privacy Commissioner of Canada, Jennifer Stoddart, stated that, “[o]ur
goal is to push the discussion on privacy rights and expectations
further this year, challenging commonly held assumptions and
spearheading innovative solutions to public and private sector issues.”

A civil society workshop, entitled “Privacy in a World Under
Surveillance,” will take place one day before the conference, on
September 24, 2007. This one-day workshop aims to increase awareness,
develop a broader understanding and a common analysis of privacy-related
issues among individuals, civil society organizations, the media, and
Data Protection and Privacy Commissioners, all the while strengthening
the capacity for action. Some of the issues to be addressed will
include: the efficacy of various regimes of privacy and data protection,
the surveillance of movement through monitoring and profiling of
travelers and implementation of new generation of entry-exit schemes,
the surveillance of telecommunications and financial transactions, the
implication of large scale IT systems across public sector including
health databases, and sharing of information and the principle of

29th International Conference of Data Protection and Privacy


Civil Society Workshop: Privacy in a World Under Surveillance:


[3] Court Strikes Down PATRIOT Act Provision

On September 6, a Federal court struck down a provision of the PATRIOT
Act relating to the use of National Security Letters (NSLs). The NSL
power is an extraordinary search procedure which gives the FBI the power
to compel the disclosure of costumer records held by banks, telephone
companies, Internet service providers and others without a warrant or
other judicial procedure. Recipients of NSL are prohibited from
disclosing their receipt of the NSL. This gag provision was the subject
of the lawsuit, filed by the ACLU.

The court stated that the gag provision was an unjustified restriction
on speech. The PATRIOT Act reauthorization allowed the FBI to bar the
recipients of NSLs from disclosing the fact that they have received such
a letter when the Director certifies that disclosure may result in
danger to national security or life or interference with a criminal,
intelligence or counterterrorism investigation. The recipient of the NSL
has a limited right to challenge the gag. Since the judiciary does not
have meaningful review of the gag order, the court found this was a
violation of first amendment free speech rights as well as the principle
of separation of powers.

The gag rule makes oversight of NSL uses difficult. EPIC, through its
various FOIA requests, and the Inspector General of the FBI have
previously discovered abuses of the NSL power.  Since the PATRIOT Act
enhanced the NSL authority, government use of NSLs and their gag
provision has grown dramatically, from a total of 8,500 letters issued
in the years prior to the enactment of the PATRIOT Act, and rising to
over 40,000 per year post-enactment. EPIC has called on congress to
scale back the NSL authority to pre-PATRIOT Act levels.

ACLU v. Gonzales, 04 Civ. 2614 (September 6, 2007) (pdf):


EPIC's page on National Security Letters:


[4] DHS Privacy Advisory Panel Holds Hearing on Fusion Center

The Data Privacy and Integrity Advisory Committee of the Department of
Homeland Security held a series of panel discussions on "information
fusion centers." The principal role of the fusion center is to compile,
analyze, and disseminate criminal/terrorist information and intelligence
and other information (including, but not limited to, public safety, law
enforcement, public health, social services, and public works) to
support efforts to anticipate, identify, prevent, and/or monitor
criminal/terrorist activity. Participants in the fusion center
development can include local, state, and federal law enforcement;
national security agencies; the Department of Defense; and private
sector companies.

The committee heard from Department of Homeland Security officials, a
representative from the State of Maryland's fusion center, a privacy and
civil liberties officer from the Director of National Intelligence, and
a panel of privacy and civil liberties advocates. EPIC provided
testimony to the committee on the need to make the process transparent
and accountable.

Fusion center surveillance projects are not new, and have been pursued
in other forms under the titles Total Information Awareness Project and
MATRIX.  The fusion center development and implementation process has
progressed to the issuance of several policy guidelines and
implementation of architecture.  The Institute for Intergovernmental
Research, a Department of Justice funded project, published the guidance
documents for fusion center development. These documents include the
Fusion Center Guidelines, and A Framework for Justice Information
Sharing: Service-Oriented Architecture, and Privacy, Civil Rights, and
Civil Liberties.

The guidance on Privacy, Civil Rights, and Civil Liberties supports the
consideration of Organization for Economic Co-operation and Development
privacy guidelines, which have no statutory enforcement authority within
the United States.  The Federal Privacy Act, which governs the actions
of federal government agencies, is argued to not apply because fusion
centers are not said to be federal entities.

The Department of Homeland Security has provided $380 million in grants
for the development and deployment of 43 fusion centers on the local and
state level.  There is a goal of supporting the creation of 70 fusion
centers throughout the nation.

EPIC's page on Total Information Awareness:


EPIC's page on Fusion Centers:


Fusion Center Guidelines (pdf):


Fusion Center Privacy, Civil Rights and Civil Liberties (pdf):


A Framework for Justice Information Sharing: Service-Oriented
Architecture (pdf):


[5] Voting: Photo ID, New Standards, and Election Reform Update

Recent election reform news in the United States include a court ruling
on photo voter identification requirements and electronic voting system
standards development.  A federal court ruled in favor of the State of
Georgia on the requirement that voters must present a photo voter ID
when voting in public elections.  The law was passed based on
unsubstantiated fears about voter fraud in public elections in the
state. The Georgia has issued 3,000 free photo identification documents
to date under the new photo voter identification requirement. According
to a US Census report, as of July 2005 the state of Georgia had an
estimated voting-age population of 6.4 million with only 4.5 million
state-issued photo identification documents.

An Elections Canada decision to allow veiled voters to cast ballots in
public elections was critiqued by Prime Minister Stephen Harper, who
said that the agency had defied Parliament by allowing women to wear
veils and burqas while voting.  Prime Minister Harper was referring to a
recently enacted law intended to address voter fraud, but it did not
require visual identification.  The law requires voters to provide one
piece of photo identification issued by any level of government, or the
voter may present two pieces of identification regardless of the issuer
which establish their name and address.

In other US voting news, the US Election Assistance Commission has made
public the draft 2007 voluntary voting system guidelines, which will be
open for a 120-day public comment period.  The draft document is a
complete overhaul of the standards published in the federal register in
2006.  The standards will not take effect before the 2008 general

Election Assistance Commission:


EPIC's page on Voting and Privacy:


National Committee for Voting Integrity:


Elections Canada:


[6] News in Brief

Illinois Gets New Public School Biometric Privacy Protection Law

Parents of Illinois public school children are given a new tool to
protect the privacy of their children.  The new law requires that
parents be given effective notice when “unique behavioral or
physiological characteristics, including fingerprint, hand geometry,
voice, or facial recognition or iris or retinal scans.”  Parents must
provide an opt-in for their children to participate in any biometric
identification program prior to the collection of fingerprint, iris, or
other biometric database creation process. Parents can at any time
request that their child's information be removed from a biometric
system of records, and the school cannot retain the information after a
child is no longer enrolled.

The law was strongly supported by concern parents who discovered that
contrary to their wishes their children had been enrolled into
fingerprint identification systems associated with school lunch

Illinois Act Concerning Education, SB1702:


EPIC's page on Biometric Identifiers:


EPIC's page on Theme Park Privacy:


GAO Reports on Progress at Homeland Security

The Government Accountability Office (GAO) reported that the Department
of Homeland Security (DHS) has made "varying" progress in achieving its
mission and management objectives. The GAO found more progress in
mission areas than in management,  and has seen more progress in DHS
developing plans than in implementing them. Of the department's 171
performance expectations -- drawn from executive orders, legislation and
other administration sources --  78 were achieved, 83 not achieved and
10 were not assessed. The greatest progress was made in maritime
security, while the least progress was made in emergency management and
in information technology management.

Department of Homeland Security: Progress Report on Implementation of
Mission an Management Functions GAO-07-1240T (pdf):


Justice Dept. Report: Terrorist Screening Database Error-Filled

The government's watchlists of known or suspected terrorists remain
filled with errors that can obstruct the capture of terrorists,
according to a report from the Justice Department's Inspector General.
"Furthermore, inaccurate, incomplete, and obsolete watchlist information
increases the chances of innocent persons being stopped or detained
during an encounter because of being misidentified as a watchlist
identity," and the Inspector General went on to criticize the redress
procedures. EPIC has repeatedly detailed the privacy and security
problems created by these inaccurate watchlists and their opaque redress
systems. Full application of the Privacy Act requirements to government
record systems is the only way to ensure that data is accurate and
complete, which is especially important in the context of watch lists,
where mistakes and misidentifications are costly.

Department of Justice, Office of Inspector General, "Follow-Up Audit of
the Terrorist Screening Center, Audit Report 07-41 (Redacted for Public
Release)," September 2007 (pdf):


EPIC's Page on Secure Flight:


Cities Consider ID Cards for Undocumented Immigrants

San Francisco and New York are debating proposals to create city
identification cards that would be available to any resident, regardless
of citizenship status. Such cards would establish legal identity and
residency and allow cardholders to access basic city services such as
banking, aid for the homeless and library access. In July, New Haven,
Conn., began issuing the first such city-sponsored ID cards to
undocumented immigrants. More than 1,500 people have applied for the New
Haven cards.

New York City Council Int. No. 602:


EPIC's Page on National ID Cards and the REAL ID Act:


[7] EPIC Bookstore: "The Terror Presidency"

“The Terror Presidency: Law and Judgment Inside the Bush Administration”
by Jack Goldsmith (Norton & Co. 2007)


On December 24, 2005, the New York Times reported that the President had
authorized electronic surveillance within the United States without
judicial approval. Within hours, EPIC submitted a Freedom of Information
Act request to the Department of Justice for the documents that were
drafted to support the President's decision.

We were interested in the legal basis for the program since two public
laws - the FISA and the 1968 wiretap law - are described as the
"exclusive means" for electronic surveillance in the United States. We
were curious about the reasoning that would permit the President to
obtain (and the telephone companies to disclose) the private
communications of American citizens outside the scope of the public law.

It may seem to odd to think that the memos written by a few lawyers
determine the reach of Presidential powers, but that is the reality of
the Office of Legal Counsel within the Department of Justice and the
basis for this fascinating book by former OLC head Jack Goldsmith.
Goldsmith, who is now a professor at Harvard Law School, describes the
significant powers of the office, noting at one point that it
essentially issues “Get out of Jail free” cards to both government
officials and private corporations who might otherwise be found guilty
of, say, violating federal wiretap laws.

To be fair, the opinions of the Office of Legal Counsel are given such
deference because they reflect the work of very well trained lawyers
who, though generally associated with the political views of the
President they serve, try to maintain the integrity and dispassion of a
good legal scholar. It is this tradition that Goldsmith wrestles with
during the difficult post-9/11 era in which many government officials
went to bed at night genuinely thankful that the United States had not
suffered a second terrorist attack.

Goldsmith writes that in the modern era the United States confronts an
increasingly complex web of legal rules and international obligations
(the Geneva Convention comes to mind) that limit actions by the
President and subject individuals to legal liability. Some conservative
critics have derided these rules as “lawfare,” an effort by countries
weaker than the United States to use legal procedures against the US.
Others might view this framework of international obligations and
respect for human rights as the realization of rule of law that has
helped promote peace and stability.

Goldsmith was prepared to engage in the difficult work of crafting the
legal opinions that would support the White House's terrorism policies,
but in the end concludes, in a subtle but powerful acknowledgment of the
rule of law, that the President's actions rested on “severely damaged
legal foundations.” The opinions written by his predecessors were sloppy
and asserted extraordinary Presidential powers. Goldsmith went about
revising these legal judgments and, in effect, changing the scope of
permissible actions by the US government, most notably in the area of
torture during interrogation.

Goldsmith also makes the pragmatic observation that when other
Presidents faced great challenges to US security - Lincoln during the
civil war, Roosevelt just prior to the US entry into the Second World
War -- they reached out to Congress and members of the opposing party to
explain their actions and build support for their efforts. The Bush
administration typically informed Congress, in highly classified
settings, only for the purpose of ensuring that future criticism could
be answered that key oversight committees were “kept in the loop.”
Conspiracy is another word that might apply.

Goldsmith presents some evidence that there was in fact a government
within the government - comprised of Dick Cheney and David Addington -
that took the occasion of a terrorist attack upon the United States to
refight old battles and to realign Constitutional powers in a manner
more to their liking. And it should be noted, also short-circuited the
high-level vetting of OLC opinions by outside experts that helped ensure
the President received the very best legal advice.

EPIC still has not obtained the documents we requested the day the
President's domestic surveillance program was disclosed, though we
recently received a favorable decision from a district court judge in
Washington, DC that has grown impatient with the government's
stonewalling. Considering the testimony of former Justice Department
official James Comey, this book by Jack Goldsmith, and the widely
reported effort by Alberto Gonzalez and White House Chief Staff Andrew
Card to get an ailing John Ashcroft on a hospital bed to continue the
President's surveillance program, one suspects that a “Go directly to
Jail, do not pass Go, do not collect $200” card may be found among the
legal opinions prepared by the Office of Legal Counsel.

- Marc Rotenberg


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

PIPA Conference: Private Sector Privacy in a Changing World. September
20-21, 2007. Vancouver, Canada. For more information:

3rd 2007 Technical Assistance Seminar on International Implementation of
the APEC Privacy Framework. September 22-23, 2007. Vancouver, Canada.
For more information: http://www.oipcbc.org/APEC_2007.htm

Civil Society Privacy Conference: Privacy Rights in a World Under
Surveillance. September 25, 2007. Montreal, Canada. For more

29th International Conference of Data Protection and Privacy
Commissioners. September 25-28, 2007.  Montreal, Canada. For more

Georgetown University Law Center: Global Antitrust Enforcement
Symposium. September 26, 2007. Washington DC. For more information 

Dialogue Forum on Internet Rights. September 27, 2007. Rome, Italy. For
more information: http://www.funzionepubblica.it/dfir/

OECD and Industry Canada: Shaping Policies for Creativity, Confidence
and Convergence in the Digital World. October 3, 2007. Ottawa, Canada.
For more information:

University of Ottawa Faculty of Law: The Revealed "I". October 25-27,
2007. Ottawa, Canada. For more information:

Computer Professionals for Social Responsibility: Technology in Wartime
Conference. AJanuary 26, 2008. Stanford University. For more
information: http://cpsr.org/news/compiler/2007/Compiler200707#twc

Future of the Internet Economy - OECD Ministerial Meeting. June 14-18,
2008. Seoul, Korea. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 14.19 -------------------------