EPIC logo


                                 E P I C  A l e r t
    Volume 15.16                                            August 8, 2008

                                  Published by the
                     Electronic Privacy Information Center (EPIC)
                                  Washington, D.C.


    Table of Contents
    [1] China to Spy on and Censor Olympic Visitors' Internet Activity
    [2] President Consolidates Surveillance Authority
    [3] FTC Approves Data Breach Settlements, Without Monetary Penalties
    [4] Registered Traveler Program Halted After Data Breach
    [5] Congressional Leaders Address Corporate Behavioral Profiling
    [6] News in Brief 
    [7] EPIC Bookstore: "Batman: The Dark Knight"
    [8] Upcoming Conferences and Events 
    	- Subscription Information 
    	- Privacy Policy 
    	- About EPIC 
    	- Donate to EPIC http://www.epic.org/donate
    	- Support Privacy '08 http://www.privacy08.org

    [1] China to Spy on and Censor Olympic Visitors' Internet Activity

    On July 30, 2008, Senators Sam Brownback and Jim Bunning introduced
    a Senate Resolution expressing concern regarding the "deterioration
    of respect for privacy and human rights in the People's Republic of
    China before the 2008 Olympic Games in Beijing." Senator Brownback
    announced that he has obtained an order from China's Public Security
    Bureau that requires foreign-owned hotels to install invasive
    snooping equipment that monitors Olympic visitors' Internet
    activity. The hardware and software installed on hotel networks will
    collect and transmit sensitive data from hotel guests, including
    foreign visitors and journalists, to the Chinese Government.
    Brownback observed that this directive contradicts China's pledge to
    the International Olympic Committee that the country would "maintain
    an environment free of government censorship during the Games."

    China's security practices prompted the U.S. State Department to
    issue a warning for Americans intending to travel to the 2008
    Beijing Olympics. The U.S. Government cautioned visitors to expect
    lowered standards of privacy, as well as surveillance by the Chinese
    authorities. The travel advisory warns that hotel rooms and offices
    may be subject to technical monitoring and may be accessed without
    the consent or knowledge of the occupant. In response, Chinese
    Foreign Ministry Spokesperson Qin Gang called the State Department
    warning "irresponsible" and maintained that foreign visitors would
    have privacy protections in China, as guaranteed by the law. The
    Chinese Constitution and statutes do provide some privacy
    protections, but enforcement has been uneven. The spying plan also
    contravenes longstanding international privacy and human rights
    norms, including Article 12 of the Universal Declaration of Human
    Rights, which prohibits "arbitrary interference with privacy,
    family, home or correspondence."

    In addition, Senators Sherrod Brown and James Inhofe sent a letter
    to IOC President Jacques Rogge calling on the International Olympic
    Committee to reverse a reported Internet censorship deal it has made
    with China. Contrary to promises made by China's Olympic organizing
    committee, the Chinese government will censor sensitive sites "not
    considered Games related." In 2001, to secure the Summer Olympics,
    China assured Olympic organizers that foreign journalists would enjoy
    "complete freedom to report" when they arrive in 2008. But, the
    temporary regulations enacted for the duration of the Games that
    allowed for reporting on "political, economic, social and cultural
    matters" included the caveat that such reporting be done "in
    conformity with Chinese laws and organizations." The IOC denied
    entering into any censorship arrangement and continues to encourage
    the Chinese officials "to provide media with the fullest access
    possible to report on the Olympic Games, including access to the
    Internet." Currently, web sites associated with sensitive issues are
    blocked, including those related to Amnesty International and Tibet.
    In the most recent edition of the annual Privacy and Human Rights
    report, EPIC reported that China was building a massive infrastructure
    for state surveillance and noted that US firms, such as China
    Information Security Technologies and L-1 Identity Solutions, were
    supplying surveillance equipment in apparent violation of the 
    Department of Commerce guidelines, adopted after the Tiananmen 
    Square  massacre of 1989. In September 2006, EPIC wrote to Commerce
    Secretary and urged Mr. Gutierrez to address the risk that the
    Chinese government would use the technology exported from the
    United States to track "dissidents, journalists, and members of 
    'unauthorized religions.'"

    Senate Resolution Regarding Olympic Spying, S. Res. 633:

    Letter to IOC President Jacques Rogge:

    U.S. State Department Travel Advisory for Olympics 2008:
    EPIC Letter to Secretary Gutierrez (Sept. 20, 2006)

    EPIC's Privacy and Human Rights report: 

    EPIC page on Olympic Privacy: 

    [2] President Consolidates Surveillance Authority

    On July 30, 2008, President Bush revised a key Executive Order that
    defines the authorities of the US intelligence agencies. First
    written in 1981, Executive Order 12333 establishes the "Goals,
    Directions, Duties, and Responsibilities with Respect to United
    States Intelligence Efforts" as well as the "Conduct of Intelligence
    Activities." The Director of National Intelligence (DNI) drafted the
    revised Order that grants the top intelligence office new powers to
    coordinate domestic surveillance. According to Director Mike
    McConnell, these amendments respond to key findings of the 9/11 and
    WMD Commissions while "maintain[ing] or strengthen[ing] the
    protections for privacy rights and civil liberties."

    The newly amended Order establishes the Director of National
    Intelligence as the head of the Intelligence Community who bears
    ultimate responsibility for the production and dissemination of
    intelligence. Also, the Director "may enter into intelligence
    related agreements with foreign governments and international
    organizations." The DNI exercises budgetary authority over the
    National Intelligence Program to create groups and acquire resources
    that facilitate the task of "lead[ing] a unified, coordinated, and
    effective intelligence effort." This Order contains several
    definitional changes, including the introduction of the terms "civil
    liberties" and "privacy," and replacement of the vaguely descriptive
    "special activities" with the better understood "covert action."

    Critics claim that the amended Executive Order 12333 unnecessarily
    expands Executive power. The American Civil Liberties Union has
    expressed fears that the new focus on domestic threats allows the
    DNI to task any agency to spy on American citizens at home. The
    Electronic Frontier Foundation asserts that the proposed amendments
    are unnecessary because sufficient mechanisms are already in place
    to conduct surveillance.  Currently, the National Security Agency
    may obtain the Attorney General's authorization for such
    surveillance only if the AG has probable cause to believe a U.S.
    person overseas is an agent of a foreign power, a spy, a terrorist,
    or someone who aids or abets them.

    Some legislators condemn the Bush administration's penchant for
    secrecy and prior violations of existing Executive Orders. Senators
    Russ Feingold and Sheldon Whitehouse plan to introduce a bill that
    requires the President to place a notice in the Federal Register
    upon modification or revocation of a published Order. Senator
    Feingold cites the administration's claim that the warrantless
    wiretapping program constituted a tacit amendment, not a violation,
    of Executive Order 12333.

    EPIC previously warned the 9/11 Commission that new surveillance
    authorities require new forms of oversight. Freedom of Information
    Act litigation pursued by EPIC found that the Intelligence Oversight
    Board has routinely failed to investigate unlawful investigations
    since passage of the Patriot Act and urged Congress to establish a
    statutory basis for oversight of intelligence abuses within the
    United States. 

    2008 Amendments to Executive Order 12333:

    Executive Order 12333:

    Senate Bill, S. 3405 (introduction pending):

    EPIC Testimony Before the 9-11 Commission:

    EPIC FOIA Notes #12: More Reports of Unlawful Intelligence Investigations
    EPIC Letter to Senators Specter and Chairman (June 16, 2006)

    [3] FTC Approves Data Breach Settlements, Without Monetary Penalties

    The Federal Trade Commission (FTC) has finalized two separate
    settlements, one with discount retailer TJX, and another with data
    brokers Reed Elsevier and Seisint. The settlements arise from the
    companies' failures to provide reasonable and appropriate security
    for sensitive consumer information, resulting in the exposure of the
    sensitive personal information of over 500,000 consumers and
    millions of dollars in financial fraud.  The final settlements
    announced this week impose security and audit responsibilities on
    the companies, but none of the financial penalties that EPIC had

    In April, EPIC filed comments with the FTC urging federal regulators
    to include civil penalties in the settlements. EPIC acknowledged the
    security and audit provisions may result in marginal improvements to
    the security and privacy practices of TJX (whose retail stores
    include Marshall's and TJMaxx) and to Reed Elsevier and Seisint, the
    databrokers responsible for the LexisNexis database service.
    However, EPIC argued that information security programs and audits
    were insufficient to safeguard the sensitive consumer data held by
    TJX and LexisNexis. EPIC argued that substantial civil penalties
    were warranted, not only as a punitive measure against TJX and
    LexisNexis, but also to provide strong practical incentives to these
    and companies who collect and store sensitive consumer data.

    EPIC also noted that the FTC imposed $10 million in civil penalties
    in a similar settlement regarding privacy breaches by  Choicepoint.
    After EPIC filed a complaint in 2004 alleging that the databroker's
    business practices put consumers' privacy at risk, the Commission
    determined that ChoicePoint's failure to employ reasonable security
    policies compromised the sensitive personal data of more than
    163,000 consumers. Like the TJX and LexisNexis Consent Orders, the
    ChoicePoint settlement required the company to implement a
    comprehensive information security program and obtain independent
    audits of its information security programs for twenty years. Unlike
    the Consent Orders, the ChoicePoint settlement also required the
    company to pay $10 million in civil penalties and $5 million in
    consumer redress. "The similarities are striking between the
    ChoicePoint data breach on the one hand, and the TJX and LexisNexis
    breaches on the other," EPIC wrote to the FTC in April. "The
    difference between the financial penalty imposed in the ChoicePoint
    settlement and the TJX and LexisNexis Consent Orders is equally
    remarkable. Given the greater severity of the TJX and LexisNexis
    data breaches, each Consent Order should include civil penalties of
    at least $10 million - the civil penalty levied in the ChoicePoint

    The settlements arose from data breaches that exposed the sensitive
    personal information of over 500,000 consumers and resulted in
    millions of dollars in financial fraud.  According to the FTC
    complaint against TJX, the retailer, which operates over 2,500
    stores worldwide, failed to use reasonable and appropriate security
    measures to prevent unauthorized access to personal information on
    its computer networks.  As a result, an intruder was able to access
    tens of millions of credit and debit payment cards, as well as the
    personal information of approximately 455,000 consumers. Banks
    claimed that tens of millions of dollars in fraudulent charges were
    made on the cards and millions of cards were cancelled and reissued.
    In its action against data brokers Reed Elsevier (REI) and Seisint,
    the FTC alleged that the companies allowed customers to use
    easy-to-guess passwords to access Seisint's "Accurint" databases.
    The databases contained sensitive consumer information, including
    drivers license numbers and Social Security numbers. Identity
    thieves exploited these security failures, and obtained sensitive
    information about at least 316,000 consumers from Accurint
    databases. The identity thieves used the information to activate
    credit cards and open new accounts, and made fraudulent purchases on
    the cards and new accounts.

    EPIC's comments on the FTC consent orders with TJC, Reed Elseivier
    and Seisint: 

    FTC announces settlement with TJC, Reed Elsevier and Seisint for
    failing to provide adequate security for consumers' data (March 27,

    FTC approves final Consent Order (August 1, 2008):

    For more on data breaches and ID theft, see EPIC's Identity Theft:
    Its Causes and Solutions page:

    [4] Registered Traveler Program Halted After Data Breach

    The Transportation Security Administration (TSA) announced that it
    is suspending new applications to the Clear Registered Traveler
    Program after vulnerabilities were discovered in the storage of
    applicants' sensitive personal information. The security flaws came
    to light after an unencrypted laptop computer was stolen from San
    Francisco International Airport on July 26. The computer was owned
    by Verify Identity Pass (VIP), the company which operates the
    registered traveler scheme. It contained unencrypted personal
    information regarding approximately 33,000 travelers, including
    names, addresses, and passport and driver's license numbers.

    In the wake of the data theft, government officials suspended new
    applications to the Clear program, and also asked that the
    subcontractor for the program immediately notify the individuals
    impacted. In addition, San Francisco and all other airports using
    Clear have been instructed to ensure that VIP suspends enrollment,
    ceases use of any unencrypted computers, and secures the devices
    until encryption can be installed. TSA requires registered traveler
    service providers and sponsoring entities to encrypt all files
    containing participants' sensitive personal information.
    Noncompliance can result in actions including suspension of a
    program and possible civil penalties.

    The Clear program permits users to bypass normal airport security
    lines after they enroll and undergo a background check. Applicants
    are required to fill out basic background information, then the
    company verifies an applicant's identity by requiring two forms of
    government-issued identification. Clear captures an applicant's
    photograph, fingerprint images and iris images. Clear is the largest
    registered traveler program participant with over 165,000 fliers for
    sixteen different programs at Albany, Cincinnati, Denver, Washington
    D.C. Dulles, Washington D.C. Reagan National, Indianapolis, Little
    Rock, New York LaGuardia, New York JFK, Newark, Oakland, Orlando,
    Salt Lake City, San Jose, San Francisco and Westchester Airports.

    EPIC has warned of the privacy and security risks posed by
    registered traveler programs.  EPIC has expressed concerns because
    the programs' members do not have the protections of the federal
    Privacy Act, as only government agencies are subject to the law.
    Also, the programs can suffer from mission creep - a risk that
    information volunteered will be used for reasons not related to
    their original aviation security purposes. EPIC has also warned
    about the problem of "false positives" within the system and the
    absence of effective redress procedures that would leave many
    travelers improperly designated as "high-risk."

    EPIC's page on passenger profiling:

    EPIC's Spotlight on Surveillance Regarding Registered Traveler

    TSA's press release on the suspension of the Clear program:


    [5] Congressional Leaders Address Corporate Behavioral Profiling

    Senior members of Congress have requested details of Internet
    companies' efforts to spy on their customers.  In a letter sent to
    33 companies, including AT&T, Time Warner, Microsoft, and Google,
    the Congressmen ask whether the companies have experimented with
    certain behavioral advertising techniques which impinge on consumer
    privacy and may fall afoul of federal law.

    The inquiries come after Congress criticized two companies that
    publicly announced their own plans to spy on their users. In May,
    some subscribers of Charter Communications' broadband Internet
    service received notices stating that Charter would soon begin to
    perform Deep Packet Inspection (DPI) of their Internet traffic.
    Charter had partnered with a company called NebuAd to use DPI
    techniques to develop profiles of customers' online behavior, and
    then target advertising at individual users. Charter dropped the
    program a month later, after Reps. Edward J. Markey (D-MA) and Joe
    Barton (R-TX) challenged its legality under the federal Wiretap Act
    and the Cable Television Privacy Act.

    In July, another internet service provider, Embarq, dropped its own
    partnership with NebuAd after Congressmen raised similar criticisms.
    Digital rights groups have documented how NebuAd's hardware uses
    security exploits to spy on users, violating fundamental
    expectations of Internet privacy and security. This week,
    Congressman Edward J. warned that "new technologies, such as 'deep
    packet inspection' technologies, have the ability to track every
    single website that a consumer visits while surfing the Web" and
    stated that these techniques "raise clear privacy issues."

    Members of Congress are now taking a preemptive step to determine
    whether other leading telcos and Internet firms are experimenting
    with similar invasive techniques. In the letter, leaders from both
    parties question the "growing trend of companies tailoring Internet
    advertising based upon consumers' Internet search, surfing, or other
    use."  They ask whether the companies correlate that data across
    other services or applications, and, if not, "what steps you take to
    make sure such correlation does not happen." They also seek
    assurances that the companies offer such targeted advertising as an
    "opt-in" service, and if not, asks how customers were notified of
    their opportunities to opt-out.  The letter also expresses concern
    that these practices may violate the privacy protections contained
    in the Communications Act of 1934, the Cable Act of 1984, and the
    Electronic Communications Privacy Act.  It also raises the prospect
    of new legislation "to ensure that the same protections apply
    regardless of the particular technologies or companies involved."

    Letter from members of Congress to 33 telecom companies:

    Letter from senior members of Congress to Charter Communications:

    EPIC's page on Deep Packet Inspection and Privacy:

    [6] News in Brief

    Washington State Supreme Court rules in favor of privacy rights
    Last week the Washington State Supreme Court ruled in favor of the
    privacy rights of teachers accused of sexual misconduct. The lawsuit
    was brought by 15 teachers asking the judiciary to prevent their
    districts from releasing their identities in response to a
    public-records request by The Seattle Times. The court, in 6-3 vote,
    sided with the accused teachers, finding that the names of teachers
    must be disclosed only in cases where sexual misconduct has been
    found or some form of discipline has taken place. In unsubstantiated
    cases, the details of any investigation may be disclosed - but with
    the teacher's name redacted, or blacked out. Justice Mary Fairhurst,
    for the majority, wrote: "The mere fact of the allegation of sexual
    misconduct toward a minor may hold the teacher up to hatred and
    ridicule in the community, without any evidence that such misconduct
    ever occurred." Justice Barbara Madsen dissented, writing that as a
    consequence of the court's ruling, "predatory teachers may go
    undetected and unpunished. But the most unfortunate consequence, and
    one that is completely unacceptable, is that if predatory teachers
    are undetected, children will continue to suffer at their hands."

    Seattle Times Article:


    EPIC Files Brief in Email Privacy Case

    On August 1, 2008, EPIC submitted a brief in Bunnell v. MPAA, a
    privacy case pending in the Ninth Circuit Court of Appeals. EPIC's
    "friend of the court" brief supported enforcement of federal
    protections for email privacy. In Bunnell, a former TorrentSpy
    employee hacked the peer-to-peer search engine's corporate email
    server to copy private emails that were of interest to the MPAA, a
    motion picture industry group. The federal Wiretap Act bars
    unauthorized interception of electronic communications, and Bunnell,
    a TorrentSpy employee and victim of the email snooping, sued. Last
    year, a California federal trial court reasoned that emails secretly
    swiped en route to their final destination were not "intercepted"
    under the federal Wiretap Act because they were in milliseconds-long
    "storage" on an email server. EPIC argued that the federal law's
    language and legislative history reflect Congress' intent to
    prohibit exactly the sort of unauthorized email interceptions
    implicated by Bunnell. The Electronic Frontier Foundation and
    Stanford Law School's Center for Internet and Society also filed
    briefs in support of Bunnell and other TorrentSpy employees. EPIC
    previously advocated for email privacy protections in a similar
    case, U.S. v. Councilman. In Councilman, the First Circuit Court of
    Appeals agreed with EPIC, and ruled that the interception of e-mail
    in brief, temporary storage violates federal law.

    EPIC's Brief:

    EPIC page on Bunnell v. MPAA: 

    EPIC page on United States v. Councilman:

    The Wiretap Act: 

    Google Launches Street View Surveillance Project in Australia

    On August 4, 2008, Google Street View added Australia to its roster
    of countries subjected to 360-degree photographic surveillance.
    Google Street View enables users to view and navigate 360-degree
    street level imagery originally taken from cameras mounted on
    vehicles. In the past, Google Street View has posted compromising
    images that remain publicly available until someone files an online
    complaint. Privacy advocates worry that Google's images invade an
    individual's right to privacy. The Australian Privacy Foundation's
    expressed concerns regarding: the posting of individuals' images on
    the Internet without their consent; the unwanted identification of
    individuals' presence in a specific location; and the use of
    inappropriate or illegal photo collection techniques.

    Google Street View Australia:

    Australian Privacy Foundation's Policy on Google Street View:

    Policy Framework for Analyzing Location Privacy Issues:

    Massachusetts considers bill that includes breach notification

    Massachusetts is considering a bill that would create a notification
    requirement for medical records breaches.  The legislation -
    H4974/S2863, An Act to Promote Cost Containment, Transparency and
    Efficiency in the Delivery of Quality Health Care - has passed the
    senate and is awaiting the approval of the house. It includes
    privacy and data security protections within a statewide electronic
    medical records system, including notice of unauthorized disclosures
    of health information, providing patients an audit trail of who has
    accessed their records, and requiring that participation in an
    electronic medical record system be based on patient permission.
    H4974 has been applauded by the Aids Action Committee of
    Massachusetts for its strong protection of patient privacy, which is
    of particular concern to people with HIV/AIDS.


    Amendments Proposed by the House:

    EPIC article on medical records privacy:

    AIDS Action Committee of Massachusetts Press Release:

    Soviet Dissident, Author, and Nobel Peace Prize Winner Laid To Rest

    Alexander Solzhenitsyn, the Russian dissident and Nobel Peace Prize
    winner who exposed the horrors of the Soviet Gulag, died this week. 
    Solzhenitsyn, who spent eleven years in the Gulag system soon after
    World War II, is best known for his massive study of the labor
    camps, "The Gulag Archipelago," as well as novels like "A Day In the
    Life Of Ivan Denisovich," a simple but detailed description of one
    day in a camp prisoner's life. Solzhenitsyn wrote powerfully about
    state surveillance. Justice Douglas cited Solzhenitsyn in a famous
    dissent in a Supreme Court case concerning  the chilling effects of
    police surveillance of political protest. There is also a famous
    passage in The Cancer Ward that was later cited in the 1973
    HEW Report, "Records, Computers and the Rights of Citizens," and
    David Burnham's "The Rise of the Computer State."
    "As every man goes through life he fills in a number of forms 
    for the record, each containing a number of questions . . . 
    There are thus hundreds of little threads radiating from every 
    man, millions of threads in all. If these threads were suddenly 
    to become visible, the whole sky would look like a spider's web, 
    and if they materialized like rubber bands, buses and trams and 
    even people would lose the ability to move and the wind would be 
    unable to carry torn-up newspapers or autumn leaves along the 
    streets of the city."
    Washington Post: Solzhenitsyn Buried in Moscow

   Laird v. Tatum, 408 U.S. 1 (US 1972)
    Records, Computers, and the Rights of Citizens (HEW 1973)
    Freedom Not Fear: International Campaign Against Surveillance Mania
    On October 11, 2008 the Electronic Privacy Information Center (EPIC)
    together with many people and organizations from around the world
    will take to the streets in a peaceful and creative action. Under
    the motto "Freedom Not Fear 2008", large demonstrations will include
    DJs, parties, art festivals, workshops of privacy enhancing
    technologies, and protest marches against data retention practices. 
    "Freedom Not Fear 2008" will take place in more than 30 capital
    cities including Washington DC. This worldwide campaign seeks to
    raise awareness for the need of greater freedom and democracy all
    over the World requesting: Cutback on surveillance; Evaluation of
    existing surveillance powers; Moratorium for new surveillance
    powers; Guaranteeing privacy, freedom of expression and information
    on the Internet. To join the campaign in the United States, please
    send a message to EPIC at thepublicvoice[at]datos-personales[dot]org

    Freedom Not Fear International Action Overview:
    The Freedom Not Fear Wiki:
    Get involved: Local organizers and media contacts:
    The Public Voice, Freedom not Fear Campaign:

    [7] EPIC Bookstore: "Batman: The Dark Knight"

    "Batman: The Dark Knight"

    As a summer full of nefarious privacy invasions draws to a close,
    EPIC thought it could afford a brief vacation. "Why so serious?" we
    asked, as we hung up our identity-protecting mask and joined the
    anonymous masses looking for escapism.  But The Dark Knight only
    reminded us that the anti-privacy villains never take a vacation.
    When they're hard to identify, it's just because they're hiding in

    In this comic-book world, as in the real world, the anti-privacy
    villains pose the biggest threat when they dress up as heroes.  The
    ambivalence that Gothamites feel toward Batman's high-tech
    terror-fighting techniques is a central theme of the movie.  The
    bat-cave features all the worst ideas invented by modern
    law-enforcement-surveillance cameras (bought from L-1?) that map
    facial features, imaging technology that knows no boundaries,
    fusion-center-like dossiers on every Gothamite, and the wiretapping
    of millions of cell phones. "Spying on 30 million people isn't part
    of my job description," retorts Batman's accomplice Lucius, when
    Batman tries to turn him into a Poindexter with sole control over
    these tools.  "You've turned every cell phone in Gotham into a
    microphone." Art imitates life so well, it must have been spying on

    Batman prefers to keep his identity private, and EPIC defends the
    right of all superheroes to do so.  And Gotham's press, police and
    general population take the same position-as long as it makes them
    safer.  But when the Joker blackmails the city in exchange for
    Batman's real name, Gotham's principled commitment to privacy goes
    up in chaos.  Thankfully, real-life privacy hero Senator Patrick
    Leahy, who never hides his views in a costume, enters briefly to
    take a courageous pro-privacy stand, telling the Joker to his face,
    "We're not intimidated by thugs."

    If only we were still living in a comic book in the '50s, where
    doing good meant fighting crime, and we knew exactly who the
    criminals were!  But after 9/11, that comic-book world-view sorely
    needed an update, and Dark Knight provides it.  The movie leaves us
    confused as to the identity of the real bad guy:  whether the real
    threat to Gotham is the terrorist-mob, still making headlines but
    long on the wane, or Batman, who leads a high-tech but invasive
    attack on that mob.  We also wonder whether the Joker can cow the
    public with enough high-profile threats that they will willingly
    betray their most cherished values.  "When the chips are down, these
    civilized people, they'll eat each other," laughs the Joker in a
    line that has been widely quoted.  What deserves greater mention is
    that when the Joker puts them to the test, they do not.

    -- Andrew Gradman


    EPIC Publications:

    "Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
    Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.


    This clear, comprehensive introduction to the field of information
    privacy law allows instructors to enliven their teaching of fundamental
    concepts by addressing both enduring and emerging controversies. The
    Second Edition addresses numerous rapidly developing areas of privacy
    law, including: identity theft, government data mining and electronic
    surveillance law, the Foreign Intelligence Surveillance Act,
    intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
    Information Privacy Law, Second Edition, builds a cohesive foundation
    for an exciting course in this rapidly evolving area of law.


    "Privacy & Human Rights 2006: An International Survey of Privacy Laws
    and Developments" (EPIC 2007). Price: $75.


    This annual report by EPIC and Privacy International provides an
    overview of key privacy topics and reviews the state of privacy in over
    75 countries around the world. The report outlines legal protections,
    new challenges, and important issues and events relating to privacy.
    Privacy & Human Rights 2006 is the most comprehensive report on privacy
    and data protection ever published.


    "FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A.
    Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC
    2007). Price: $50.


    This is the standard reference work covering all aspects of the Freedom
    of Information Act, the Privacy Act, the Government in the Sunshine Act,
    and the Federal Advisory Committee Act.  The 23nd edition fully updates
    the manual that lawyers, journalists and researchers have relied on for
    more than 25 years.  For those who litigate open government cases (or
    need to learn how to litigate them), this is an essential reference


    "The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
    the Information Society" (EPIC 2004). Price: $40.


    This resource promotes a dialogue on the issues, the outcomes, and the
    process of the World Summit on the Information Society (WSIS).  This
    reference guide provides the official UN documents, regional and
    issue-oriented perspectives, and recommendations and proposals for
    future action, as well as a useful list of resources and contacts for
    individuals and organizations that wish to become more involved in the
    WSIS process.


    "The Privacy Law Sourcebook 2004: United States Law, International Law,
    and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:


    The Privacy Law Sourcebook, which has been called the "Physician's Desk
    Reference" of the privacy world, is the leading resource for students,
    attorneys, researchers, and journalists interested in pursuing privacy
    law in the United States and around the world. It includes the full
    texts of major privacy laws and directives such as the Fair Credit
    Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
    as an up-to-date section on recent developments. New materials include
    the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the
    CAN-SPAM Act.


    "Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
    Controls" (EPIC 2001). Price: $20.


    A collection of essays, studies, and critiques of Internet content
    filtering.  These papers are instrumental in explaining why filtering
    threatens free expression.


    EPIC publications and other books on privacy, open government, free
    expression, crypto and governance can be ordered at:

    EPIC Bookstore http://www.epic.org/bookstore

    "EPIC Bookshelf" at Powell's Books


    EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
    interesting documents obtained from government agencies under the
    Freedom of Information Act.
    Subscribe to EPIC FOIA Notes at:

    [8] Upcoming Conferences and Events

    Data Privacy in APEC: privacy in global transactions. August 11-12.
    Lima, Peru http://www.osiptel.gob.pe/apec2008/dataprivacy2/index.htm

    APEC Privacy Sub Enhancing Group Meeting. August 13-16. Lima-Peru

    The Privacy Symposium - Summer 2008: An Executive Education Program
    on Privacy and Data Security Policy and Practice, August 18-21,
    2008, Harvard University, Cambridge, MA. For more information:

    Latin America & The Caribbean Regional Preparatory Meeting for IGF.
    August 20, Montevideo, Uruguay.

    Privacy Awareness Week. August 24, 2008. Australia, New Zealand,
    Hong Kong, Korea and Canada. For more information:

    The Third International Conference on Legal, Security and Privacy
    Issues in IT. September 3-5, Prague, Czech Republic

    Youth Privacy Online: Take Control, Make It Your Choice! September
    4, 2008, Eaton Centre Marriott, Toronto. For more information:

    Access to Information: Twenty-five Years on. September 8, Minto
    Suites Hotel, Ottowa. For more information:

    The third annual Access to Knowledge Conference (A2K3).  September
    8-10, Geneva, Switzerland http://isp.law.yale.edu/

    High Level Expert Conference: Towards a European Policy on RFID.
    September 9, Brussels, Belgium

    Workshop on Applications of Private and Anonymous Communications.
    September 22, 2008. Istanbul, Turkey. For more information:

    World Summit on the Knowledge Society. September 24-28, Athens,
    Greece http://www.open-knowledge-society.org/summit.htm

    Europe-wide action day "Freedom not fear." October 11, 2008.
    Multiple sites. For more information:

    International Symposium on Data Protecion in Social Networks.
    October 13, 2008, Strasbourg. For more information:

    30th International Data Protection and Privacy Conference:
    Protecting Privacy in a Borderless World. October 15-17, 2008,
    Strasbourg. For more information:

    European Dialogue on Internet Governance (EuroDIG).  October 20-21,
    Strasbourg, France http://www.eurodig.org/

    Privacy in Social Network Sites Conference October 23-24, 2008.
    Delft University of Technology, Faculty of TPM, The Netherlands. For
    more information: http://www.ethicsandtechnology.eu

    Third Internet Governance Forum. December 3-6, 2008. Hyderabad,
    India. For more information: http://www.intgovforum.org

    Tilting perspectives on regulating technologies, Tilburg Institute
    for Law and Technology, and Society, Tilburg University.  December
    10-11, Tilburg, Netherlands

    Subscription Information

    Subscribe/unsubscribe via web interface:


    Back issues are available at:


    The EPIC Alert displays best in a fixed-width font, such as Courier.

    Privacy Policy

    The EPIC Alert mailing list is used only to mail the EPIC Alert and to
    send notices about EPIC activities.  We do not sell, rent or share our
    mailing list.  We also intend to challenge any subpoena or other legal
    process seeking access to our mailing list.  We do not enhance (link to
    other databases) our mailing list or require your actual name.

    In the event you wish to subscribe or unsubscribe your e-mail address
    from this list, please follow the above instructions under "subscription

    About EPIC

    The Electronic Privacy Information Center is a public interest research
    center in Washington, DC.  It was established in 1994 to focus public
    attention on emerging privacy issues such as the Clipper Chip, the
    Digital Telephony proposal, national ID cards, medical record privacy,
    and the collection and sale of personal information. EPIC publishes the
    EPIC Alert, pursues Freedom of Information Act litigation, and conducts
    policy research.  For more information, see http://www.epic.org or write
    EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
    483 1140 (tel), +1 202 483 1248 (fax).

    Donate to EPIC

    If you'd like to support the work of the Electronic Privacy Information
    Center, contributions are welcome and fully tax-deductible.  Checks
    should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
    Suite 200, Washington, DC 20009.  Or you can contribute online at:

    Your contributions will help support Freedom of Information Act and
    First Amendment litigation, strong and effective advocacy for the right
    of privacy and efforts to oppose government regulation of encryption and
    expanding wiretapping powers.

    Thank you for your support.

    ------------------------- END EPIC Alert 15.16 -------------------------