EPIC logo

                              E P I C   A l e r t
Volume 16.09                                               May 15, 2009

                                Published by the
                   Electronic Privacy Information Center (EPIC)
                                Washington, D.C.


			"Defend Privacy. Support EPIC."


EPIC 15th Anniversary Dinner and the
EPIC Champion of Freedom Awards
Cosmos Club, Washington, DC
June 9, 2009

EPIC@15 Invitation: http://www.epic.org/epic15/invite.pdf
Your Reply: http://epic.org/epic15/reply.pdf
Register (or donate to EPIC@15): http://epic.org/register

Table of Contents
[1] "Identity Theft Law Applies Only to Intentional Impersonation"
[2] FOIA Documents Sought on Government Social Networking Agreements
[3] EPIC Urges Greater Accountability for Network Surveillance
[4] EPIC Testifies Before Congress on Data Breach Bill, Urges Changes
[5] Report Find Failure and Delay in Watchlist Name Removal
[6] News in Brief
[7] EPIC Bookstore: "Identity in the Age of Cloud Computing"
[8] Upcoming Conferences and Events
        - Join EPIC on Facebook http://epic.org/facebook
  	- Privacy Policy
  	- About EPIC
  	- Donate to EPIC http://epic.org/donate
  	- Subscription Information

[1] "Identity Theft Law Applies Only to Intentional Impersonation"
On May 4, 2009, the Supreme Court held that, to convict a person under
the federal "aggravated identity theft" law, the government must prove
that a defendant knew the identification numbers at issue belonged to
another person. The decision means that individuals who provide
inaccurate ID numbers, but don't intentionally impersonate others,
cannot be subject to enhanced criminal punishments under federal law.
EPIC filed an amicus brief in the case, arguing that the "unknowing use
of inaccurate credentials does not constitute identity theft," and
warning that an averse decision "threaten[ed] to impose aggravated
identity theft penalties on individuals who present inaccurate
credentials in an effort to protect their privacy through pseudonymous
or anonymous activities." The Supreme Court ruled that "ordinary
English usage" supports its reading of the ID theft statute, and
observed that the government's proposed contrary interpretation "leads
to exceedingly odd results."

In Flores-Figueroa v. United States, the Court was asked to determine
whether individuals who proffer identification numbers that are not
theirs, but don't intentionally impersonate others, can be subject to
harsher punishments under federal law. On December 19, 2008, EPIC
filed a "friend of the court" brief in the case, urging the Supreme
Court to protect anonymous and pseudonymous activities by ruling that
unintentional use of another person's ID number does not constitute
"identity theft" under federal law. The brief was filed on behalf of
17 legal scholars and technical experts. EPIC explained that anonymous
and pseudonymous behavior is a cornerstone of privacy protection in
the identity management field. The brief urges the Court to not "set
a precedent that might inadvertently render the use of privacy
enhancing pseudonyms, anonymizers, and other techniques for identity
management unlawful."

The EPIC amicus brief stated that the term "identity theft" "has a
specific meaning among technologists, academics, security
professionals, and other experts in the field of identity management."
"Identity theft" refers to the knowing impersonation of one person by
another. "The unknowing use of inaccurate credentials does not
constitute identity theft," amici argued. The EPIC brief explains that
precise use of technical concepts is crucial, particularly in a case
that could have imposed enhanced criminal identity theft penalties on
a person who presented an identity document that contained his own
name, but an inaccurate ID number.

The EPIC brief details the importance of anonymous and pseudonymous
credentials in identity management systems, and explains how an
averse decision in this case "threatens to impose aggravated identity
theft penalties on individuals who present inaccurate credentials in an
effort to protect their privacy through pseudonymous or anonymous
activities." EPIC also described the long and distinguished history of
pseudonymous activity, from the American founders' pseudonymous
advocacy for liberty through Mary Ann Evans' "George Eliot" nom de
plume and the U.S. government's issuance of pseudonymous credentials
to enrollees in the Department of Justice's Witness Protection Program.

In Flores-Figueroa v. United States, the petitioner challenged his
conviction for "aggravated identity theft" under the Identity Theft
Penalty Enhancement Act. Flores-Figueroa maintained that he did not
commit identity theft when he used an identity document with his real
name and an identity number that was not his to maintain employment.

Federal law provides for enhanced penalties when a person "knowingly
transfers, possesses, or uses, without lawful authority, a means of
identification of another person." Flores-Figueroa identified himself
by his real name to his employer, but provided a false Social Security
Number and false Permanent Resident Number. Both ID numbers were issued
to someone else, but neither person shared Flores-Figueroa's name, and
the government presented no evidence that Flores-Figueroa knew that the
ID numbers were assigned to real people. The case resolved whether a
person can be convicted of aggravated identity theft if he does not
"knowingly" use an ID number assigned to "another person."

EPIC has advocated for strong protections against identity theft, and
opposed burdensome ID requirements. In 2008, EPIC encouraged federal
regulators to impose monetary penalties on companies that exposed their
customers' data to criminals. In addition, EPIC has long supported the
right of individuals to preserve their anonymity, particularly in the
face of ever more intrusive government identification requirements.
Supreme Court Opinion in Flores-Figueroa v. United States:

"Friend-of-the-court," Brief by EPIC, Legal Scholars, Technical
Experts, and Privacy and Civil Liberty Groups (Dec. 19, 2008):

US Supreme Court Docket page for Flores-Figueroa v. United States:

EPIC's Flores-Figueroa v. United States page:

EPIC's Identity Theft Page:

EPIC's Support for Constitutional Right to Anonymity in
Watchtower Bible v. Stratton:

Petitioner's Brief for Supreme Court Review in
Flores-Figueroa v. United States:

The Government's Brief Regarding Supreme Court Review in
Flores-Figueroa v. United States:

[2] FOIA Documents Sought on Government Social Networking Agreements

EPIC submitted a Freedom of Information Act request to the General
Services Administration seeking agency records concerning agreements
the GSA negotiated between federal agencies and social networking
services, including Flickr, YouTube, Vimeo, Blip.tv, and Facebook.

News reports in March and April of 2009 stated that the GSA signed
agreements with social networking and cloud computing service providers
on the behalf of federal government agencies. The report revealed that
several government agencies had been seeking arrangements with Internet
service providers, but companies were reluctant to negotiate separate
agreements with each agency. Further, it was reported that the
government wanted to address three areas of concern: liability
limitations, endorsements, and freedom of information requests. The GSA
leverages the buying power of the federal government to acquire goods,
and services. The agency has the power to negotiate government wide
contracts and agreements with manufacturers and service providers.

EPIC is seeking disclosure of these agreements, which have not been
made public. Social networking applications make it easy for users to
share information about themselves with others.  Many online services
relay information about online associations as users create new
relationships. While government agencies may use social networking,
cloud computing, and Internet services to create greater transparency
on their activities, it remains unclear if there are data collection,
use, and sharing limitations.

In the FOIA request, EPIC is asking for the public release of the
contracts and any legal opinions concerning the application of the
Privacy Act of 1974 and Freedom of Information Act to the services that
collect information on citizens.

EPIC's Freedom of Information Request:

U.S. General Services Administration:

Social Networking Privacy, EPIC:

"GSA signs agreements with Web 2.0 providers," Doug Beizer,
Federal Computer Week, March 25, 2009:

"GSA signs agreement with Facebook," Doug Beizer, Federal
Computer Week, April 10, 2009:

[3] EPIC Urges Greater Accountability for Network Surveillance

EPIC asked Senator Patrick Leahy to investigate the Department of
Justice's failure to make public statistics detailing the federal use
of "pen registers" and "trap and trace" devices by requiring the DOJ
to submit the annual pen register reports to the Administrative Office
of U.S. Courts. 

The Omnibus Crime Control and Safe Streets Act of 1968 requires the
Administrative Office of the United States Courts to report to
Congress the number and nature of federal and state applications for
orders authorizing or approving wiretaps. The statute requires that
specific information be provided to the court agency, including the
offenses under investigation, the location of the intercept, the cost
of the surveillance, and the number of arrests, trials, and convictions
that directly result from the surveillance. The Administrative office
has a proven track record of reliably collecting information and
publicly disseminating statistics regarding such wiretap orders.

Although law enforcement agents are not required to obtain search
warrants before using pen registers or trap and trace devices, the
Electronic Communications Privacy Act of 1986 requires the Attorney
General to "annually report to Congress on the number of pen register
orders, and orders for trap and trace devices applied for by law
enforcement agencies of the Department of Justice." Complying with
public reporting requirements is critical to ensuring transparency and
ensuring Congressional oversight.

Law enforcement agencies use pen registers and trap and trace devices
to conduct covert surveillance. Pen registers record outgoing non-
content information regarding telephone calls and Internet
communications. Non-content information includes telephone numbers
dialed and the length of calls, as well as the identities of an email
message's sender and recipient. Trap and trace devices capture the
same information concerning incoming communications.

Between 1999 and 2003, the Department of Justice failed to comply with
this requirement. The report provided failed to include all of the
information that the Pen Register Act required to be shared with
lawmakers and did not include information regarding the offenses for
which the pen register and trap and trace orders were obtained.
Further, the DOJ has failed to provide annual pen register reports to
Congress since 2004. EPIC stated that such "failure would demonstrate
ongoing, repeated breaches of the DOJ's statutory obligations to inform
the public and the Congress about the use of electronic surveillance

EPIC also called to attention the accuracy of the pen register reports
for the period 1999-2003. "Hybrid orders," which are used to determine
location information through the use of a suspect's cellular phone is
based on non-content information and therefore should also be included
in the DOJ's annual reports to Congress. Such surveillance had been
invoked using a combination of authorities under the Pen Register Act
and the Stored Communications Act.

EPIC specifically suggested that the Attorney General make public pen
register and trap and trace reports from 2004 through the present, and
to publicly disclose all future reports as a matter of course. EPIC
contended that if such information was made available in web 2.0
compatible formats, it would enable a more extensive analysis and
further the President's goal of enabling the use of new technology for
a more informed public. 

EPIC's letter to Senator Leahy:

Reporting Requirement on the Use of Pen Registers and Trap and Trace
Devices, Section 3126:

Wiretap Applications Decline in 2008:

2008 Wiretap Report:

EPIC's Page on Wiretapping:

Title III Electronic Surveillance 1968-2005:

EPIC's Page on Foreign Intelligence Surveillance Act (FISA):

[4] EPIC Testifies Before Congress on Data Breach Bill, Urges Changes

EPIC Director Marc Rotenberg testified before Congress on the Data
Accountability and Trust Act. The proposed statute requires the
implementation of policies and procedures regarding information
security practices of personal information and regulate the
information broker industry. The Act also sets up special requirements
for information brokers which includes submission of security policies
to the Federal Trade Commission and issuing of breach notifications.

Rotenberg said, "there is a need to make clear fundamental obligations
on the companies and organizations that collect and use personal data
on consumers and Internet users. It is simply too easy for firms today
to capture the benefits of data collection and ignore the risks. In the
absence of security obligations and breach notification requirements,
it is too easy for firms to continue bad practices." The EPIC Director
urged Congress to focus on broad obligations of these companies, to
make clear the incentives, and to encourage the development of the best

The recommendations included the use of text messaging and social
networking services to supplement the prescribed methods of email and
written notifications. Rotenberg also recommended that the security
obligation upon companies should continue to apply even if the
information disclosed was "public record" and there was no immediate
harm to the individual as it was likely that the breach would occur
again if the problem was left uncorrected.

Other suggestions included adopting a broader definition of personally
identifiable information to include any information that "identifies or
could identify a particular person." A major issue that arose in the
new act was that of preemption and the circumstances under which the
federal law would overwrite possibly more effective state information
security information. EPIC opposed the preemption of stronger state
laws and warned that adopting such a law would be a mistake as security
issues are rapidly changing and the states required the ability to
respond to emerging issues and "placing all of the authority to
respond here in Washington in one agency would be ... a critical
failure point."

The EPIC President also urged the Committee to add a private right of
action to the bill with a stipulated damage award against a company who
might improperly leak personal data as it would provide a necessary
backstop to the envisaged enforcement scheme which relied almost
exclusively on the FTC to act on its own discretion and without any
form of judicial review. Another problem highlighted in the breach
notification mechanism was the measure of discretion given to a company
in suspending notice requirements if it decided there was "no
reasonable risk of identity theft, fraud, or other unlawful conduct."

Rotenberg concluded the testimony by saying "many companies have poor
security practices and collect far more information than they need or
can safeguard" and "companies need to know that they will be expected
to protect the data they collect and that, when they fail to do so,
there will be consequences."

Marc Rotenberg - Testimony, May 5, 2009:

House Committee on Energy and Commerce, Subcommittee on Commerce, Trade
and Consumer Protection - Hearings, May 5, 2009:

H.R. 2221, the Data Accountability and Trust Act:

FTC Page on Identity Theft:

EPIC's Page on Identity Theft:

[5] Report Finds Failure and Delay in Watchlist Name Removal

The Office of the Inspector General at the Department of Justice
recently conducted an audit and found that many watchlist nominations
were processed in an untimely manner and the FBI had not consistently
nominated known or suspected terrorists to the consolidated terrorist
watchlist in accordance with FBI policy. The consolidated terrorist
watchlist was created in March 2004 and is managed by the Federal
Bureau of Investigation through its supervision of the Terrorist
Screening Center. The watchlist is meant to be used by screening
personnel at U.S. points of entry and by federal, state, local, and
tribal law enforcement officials.

As of December 31, 2008, the consolidated terrorist watchlist contained
more then 1.1 million known or suspected terrorist identities. Last
year, an audit report that examined the nomination process found that
initial watchlist nominations created by FBI field offices often
contained inaccuracies or were incomplete, leading to delays in the
inclusion of known or suspected terrorists on the watchlist. The
audit had determined that the FBI did not consistently update or
remove watchlist records when appropriate and FBI field offices had, at
times, bypassed some of the FBI's quality control mechanisms by
excluding FBI headquarters and submitting watchlist nominations
directly to the National Counterterrorism Center.

EPIC testified on cleaning up the nation's watchlists last year and
bringing to the attention of the Congress the lack of transparency
surrounding the process of removing one's name from the watchlist. EPIC
highlighted  problems with the security watchlist - first, the
databases in the system are not subject to the full safeguards of the
Privacy Act of 1974 as the Transportation Security Administration had
sought wide-ranging exemptions; and, the security watchlists on which
the system was based are riddled with inaccurate and obsolete data.
EPIC had also criticized the Secure Flight program as it could severely
restrict an individual's right to travel. Secure Flight receives
passenger and certain non-traveler information, conducts watchlist
matching against the consolidated terrorist watchlist, and transmits
boarding pass printing instructions back to aircraft operators.
However, relying on a flawed database would restrict legitimate
travelers from obtaining a boarding pass.

The OIG report found flaws in the watchlist maintenance even after
several reports were published calling attention to the same. The
report states that 78 percent of the initial watchlist nominations
reviewed were not processed in established FBI timeframes. In other
cases, the FBI failed to modify records as necessary, remove subjects
names within designated timeframes or altogether fail to remove names
even in closed cases. The agancy also found failure to place
appropriate individuals on the watchlist. Additionally, the report also
found that the FBI did not have a designated process to modify or
remove from a watchlist those subjects who were nominated through the
use of Information Intelligence Reports based on FBI sources overseas.

The FBI's Terrorist Watchlist Nomination Practices, U.S. Department of
Justice, Office of the Inspector General, Audit Division,
Audit Report 09-25, May 2009:

Audit of the DOJ Terrorist Watchlist Nomination Processes:

EPIC Testimony, "Ensuring America's Security: Cleaning Up the Nation's

EPIC's page on Secure Flight:

EPIC's page on Air Travel Privacy:

EPIC's page on Registered Traveler Card: A Privatized Passenger ID:

EPIC's FOIA Note #8:

[6] News in Brief

New Administration Reverses Antitrust Policies, Focuses on Consumers

The head of the Justice Department's antitrust division, Christine A.
Varney, announced a change in the antitrust policies of the new
administration. The new policy is aimed at encouraging smaller
companies to bring complaints to the Justice Department about possible
inappropriate business practices by large companies. Ms. Varney stated,
"the current economic challenges raise unique issues for antitrust
authorities and private sectors... [a]ntitrust must be among the
frontline issues in the Government's broader response to the distressed
economy....[t]he Antitrust Division will be ready to take a lead role
in this effort." Criticizing the Section 2 Report of the previous
administration on various issues, the Antitrust Division Chief
withdrew the former policy and said the courts, antitrust
practitioners, and the business community could no longer rely on the
report as DOJ Policy. In 2007, EPIC requested the FTC to open an
investigation into the proposed acquisition of DoubleClick by Google.
In a hearing last year, EPIC President Marc Rotenberg testified before
the European Commission urging privacy safeguards and that stated
Google was beginning to reveal the characteristics of an "information
monopolist" and that it was important for governments to act and
preserve the rights of citizens and to safeguard competition and
innovation in the information economy.

Justice Department Withdraws Report on Antitrust Monopoly Law:

Christine A. Varney, Assistant Attorney General for Antitrust:

EPIC - Privacy? Proposed Google/DoubleClick Deal

CRS Publishes Report on Airport Passenger Screening

A Congressional Research Service report on Airport Passenger Screening
stated that policymakers and aviation security planners had not agreed
upon a well-defined strategy and plan for evolving airline passenger
and baggage screening functions to incorporate new technologies,
capabilities, and procedures to detect potential threats to aviation
security. The report also states that the whole-body imaging
technologies were deployed in an effort to reduce an elevated security
risk, while maintaining privacy rights and dignity of passengers
identified for secondary screening. However, earlier this year,
the TSA announced that the use of these devices would be the default
screening method. Last month, Congressman Jason Chaffetz (R-UT)
introduced legislation before Congress seeking a ban on these devices
from being used by the Transportation Security Administration in
various airports across America.

Airport Passenger Screening: Background and Issues for Congress,
April 23, 2009:

Congressman Chaffetz Seeks to Ban Whole-Body Imaging at Airports:

Joe Sharkey, Whole-Body Scans Pass First Airport Tests, April 6, 2009:

Testimony of Secretary Napolitano:

Spotlight on Surveillance- Plan to X-Ray Travelers Should Be
Stripped of Funding:

EPIC's Page on Air Travel Privacy:

X-Ray Backscatter Technology and Your Personal Privacy:

TSA's page on Backscatter:

Privacy and Consumer Groups Seek New FTC Commissioner

EPIC joined other privacy and consumer organizations in a letter to
President Obama urging the appointment of a pro-consumer Commissioner
to the Federal Trade Commission. The groups called for the appointment
of someone with a "distinguished record of achievement in consumer
affairs, with a demonstrated commitment to protecting the public from
all manner of unfair, deceptive, fraudulent, and non-competitive
monopolistic/oligopolistic business practices." The Commission has been
one person short of its full membership since former Chair Deborah
Platt Majoras left the agency last year. The President appointed Jon
Leibowitz to serve as the current chair of the FTC.

Letter to President Obama:

EPIC's Page on the Federal Trade Commission:

Red Flags Rule Enforcement Postponed Until August

The Federal Trade Commission postponed the enforcement of the "Red
Flags" identity theft rule which require financial institutions and
creditors to maintain identity theft prevention programs that
identify, detect, and respond to patterns, practices, or specific 
activities that could indicate identity theft. "Given the ongoing
debate about whether Congress wrote this provision too broadly,
delaying enforcement of the Red Flags Rule will allow industries
and associations to share guidance with their members, provide
low-risk entities an opportunity to use the template in developing
their programs, and give Congress time to consider the issue
further," FTC Chairman Jon Leibowitz said. The rules were developed
pursuant to the Fair and Accurate Credit Transactions Act of 2003. EPIC
had testified before Congress regarding the FACTA, supporting the
inclusion of stronger privacy and identity theft protections in
the law. "Americans need greater protections to address problems
with identity theft, privacy, and inaccuracy," EPIC argued.

FTC Will Grant Three-Month Delay of Enforcement of 'Red Flags' Rule
Requiring Creditors and Financial Institutions to Adopt Identity Theft
Prevention Programs:

Letter from the House Committee on Small Business to FTC Chairman
Jon Leibowitz:

Federal Register Notice Issuing "Red Flags" ID Theft Rules:

Agencies Issue Final Rules on Identity Theft Red Flags,
October 31, 2007:

EPIC's Page on Identity Theft:

Federal Commission Investigating Cloud Computing Issues

The FTC acknowledged examining privacy issues associated with
cloud computing networks at a testimony before Congress on a
proposed statute, the Data Accountability and Trust Act. In March,
EPIC had filed a complaint before Commission requesting it to open
an investigation into Google's Cloud Computing Services to
determine "the adequacy of the privacy and security safeguards"
following reports of a breach in Google Docs. EPIC had cited the
growing dependence of American consumers, businesses, and federal
agencies on cloud computing services, and had urged the Commission
to take "such measures as are necessary" to ensure the safety and
security of information submitted to Google. Subsequently, the
Commission had agreed to review EPIC's complaint.

FTC Testifies on Data Security, Peer-to-Peer File Sharing:

EPIC's complaint to the FTC:

FTC's letter to EPIC:

In re Google and Cloud Computing:

EPIC's Page on Cloud Computing:

MIT Calls for Papers on New Privacy Standards for PII Management

The SENSEable City Lab of the Massachusetts Institute of Technology is
launching the Engaging Data Initiative by hosting an international
forum on the application and management of personal electronic
information. The event includes a series of discussion panels and
conferences at MIT and seeks to understand and explore the societal
values of data and the influence it has on society by its use.  The
initiative aims to address issues and questions through invited talks,
paper presentations, and panel discussions. The forum strives to serve
as a platform to exchange ideas, discuss the latest developments in
the field, address significant issues, and create visions for the
future. The position papers must be 4-6 pages in length; technical
papers must be 6-8 pages in length. For further details, see links

Engaging Data:

Call for papers:


TACD Publishes Resolution on Social Networks:

The Trans Atlantic Consumer Dialogue made a Resolution on Social
Networking and made several recommendations directed towards the EU and
US governments and social network operators. The suggestions to the
governments included the prevention of access to social network
contingent on use of data for marketing purposes, requirement of
affirmative consent before data use, limiting personal information
available to applications running on them. The suggestions also
declared that social networks must enable an user to delete PII
obtained by third party services. Other recommendations included the
integration of privacy and security by design, preventing access by
search engines by default, and developing common ethical codes for
behavioral tracking and advertising online. In February, EPIC
prepared to file a complaint with the FTC against Facebook which
threatened to take ownership of user data. Facebook reverted to
its earlier terms of service just before the complaint was about to
be filed.

TACD - Resolution on Social Networking, May 2009:

EPIC's Page on Social Networking Privacy:

EPIC's Group Page on Facebook:

EU Parliament adopts Harbour Report Amendments on e-Privacy Directive

The European Parliament adopted a large majority of the Harbour Report
amendments on the revision of the E-Privacy Directive. The amendments
involve mandatory notification of breaches affecting personal data,
treating IP addresses as personal data instead of public information,
ensuring the processing of personal information for network security
purposes subject to Directive 95/46, requiring the informed consent of
user for using cookies or storing information. Stavros Lambrinidis,
Member of the European Parliament, also obtained a formal declaration
of the Commission, supporting the position of the Parliament and
affirming that legislative reforms and proposals will be defined in
order to extend the scope to all personal data inappropriately released,
handled, or used by service providers through the medium of an electronic
communications service, to all providers of information society services
and others.

EU Parliament Press Release:

Press Release, Office of Stavros Lambrinidis:

Stavros Lambrinidis, Socialist Group in the European Parliament:

[7] EPIC Bookstore: "Identity in the Age of Cloud Computing"

"Identity in the Age of Cloud Computing"
by J.D. Lasica

In the summer of 2008, 28 leaders and experts from the information and
communications technology world, financial, government, academic and
public policy leaders convened at Aspen, Colorado, to better understand
the implications of cloud computing and suggest policies for the
betterment of society. Out of these discussions emerged the substance
of this report. As the introduction suggests, the concept of identity
is undergoing a radical shift. No longer are recognized offline
parameters the sole criteria in defining "the very essence of who we
are." Instead, online reputation and digital socialization are the new
auras of one's identity.

The report presents factual developments in the evolution of cloud
computing, the current state of growth, and the factors blowing the
cloud forward. Based on the discussion of the participants, the
publication provides a birds-eye view on the possibilities and the
probabilities of things to come. While reading the book, one barely
notices the obvious technological advances that have already taken
place, but by taking a step back, it is easy to marvel at the full
spectrum of developments while trying to fathom the true impact the
internet has had on the people, society and human interactions.

Analyzing the changing concept of identity through the prism of cloud
computing is no elementary task. In the cloud ecosystem, the control
over the smattering of personal information is what defines the
boundaries between ensuring identity and losing privacy. And, if the
report is to be taken at face value, the commercial development of the
cloud is only at its nascent stage with old business models just
beginning to face the challenge of the new wave of cloud based
commerce. To ensure that a trade thrives in the digital economy, it
is imperative that young industries start off with their eyes gazed at
the cloud.

The discussions held last year bore ominously true earlier this year.
When revised Facebook policies threatened to take user information out
of the hands of their owners, the social networking giant faced
widespread criticism and public relations damage. Google Docs suffered
a security breach and the dangers of security in the cloud computing
environment became apparent even to the uninitiated. While the
perceived threats of last year may sound like a portentous
foreboding this year, the clock keeps ticking on the rate with which we
can analyze dangers in cloud computing and commence corrective action.

Overall, the report does a brilliant job at capturing the thoughts of
the experts and extracting the essence of the conference. An insightful
expedition into the realm of future cloud computing, this publication
is a must-read for anyone who desires to sojourn into the inevitable
destiny of the internet.

-- Anirban Sen

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid
(EPIC 2008). Price: $60.

Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
laws. This updated version includes new material regarding the
substantial FOIA amendments enacted on December 31, 2007. Many of the
recent amendments are effective as of December 31, 2008. The standard
reference work includes in-depth analysis of litigation under Freedom
of Information Act, Privacy Act, Federal Advisory Committee Act,
Government in the Sunshine Act. The fully updated 2008 volume is the
24th edition of the manual that lawyers, journalists and researchers
have relied on for more than 25 years. 


"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.


This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.


This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:


The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the Video Voyeurism Prevention Act,
and the CAN-SPAM Act.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.


A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

IEEE/SP 2009 Symposium on Security and Privacy,
"The IEEE Symposium on Security and Privacy has been the premier
forum for presenting developments in computer security and
electronic privacy, and for bringing together researchers and
practitioners in the field." Sunday, May 17, 2009 - Thursday, May
21, 2009, Oakland, California.
For more information, http://oakland09.cs.virginia.edu/

Web 2.0 Security & Privacy 2009, Thursday, May 21,
The Claremont Resort, Oakland, California. For more information,

Computers, Freedom, and Privacy, 19th Annual Conference, Washington,
D.C., June 1-4, 2009. For more information,

EPIC 15th Anniversary Dinner and the EPIC Champion of Freedom Awards,
Cosmos Club, Washington, DC, June 9, 2009. For invitation, see
http://www.epic.org/epic15/invite.pdf. Register at

IAPP - Practical Privacy Series - "Data Breach," "Data Governance,",
"Human Resources," and "Information Security and Privacy." 
Network Meeting Center at Techmart, Santa Clara, CA. June 17-18,
For more information, 

"The Transformation of Privacy Policy," Institutions, Markets
Technology Institute for Advanced Studies (IMT)Lucca, Italy, July 2-4,

Engaging Data: First International Forum on the Application and
Management of Personal Electronic Information hosted by
SENSEable City Lab, Massachusetts Institute of Technology.
For more information,

Join EPIC on Facebook

Join the Electronic Privacy Information Center on Facebook

Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
Support EPIC.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 16.09 ------------------------