=======================================================================
                              E P I C   A l e r t
=======================================================================
Volume 16.01                                           January 28, 2009
-----------------------------------------------------------------------

                                Published by the
                   Electronic Privacy Information Center (EPIC)
                                Washington, D.C.

                 http://www.epic.org/alert/EPIC_Alert_16.01.html

			"Defend Privacy. Support EPIC."
			     http://epic.org/donate


=======================================================================
Table of Contents
=======================================================================
[1] EPIC, Civil Society Celebrate International Privacy Day
[2] Supreme Court Permits Arrest Based on Police Database Error
     EPIC Amicus Brief Cited in Dissent
[3] EPIC, Experts Urge Supreme Court: Protect Anonymity & Pseudonymity
[4] Homeland Security Promotes Employment Verification System -
     EPIC Pursues Open Government Request
[5] Data Breaches on Rise in the US
[6] News in Brief
[7] EPIC Bookstore: "Blown to Bits"
[8] Upcoming Conferences and Events
  	- Subscription Information
  	- Privacy Policy
  	- About EPIC
  	- Donate to EPIC http://www.epic.org/donate
  	- Support Privacy '08 http://www.privacy08.org
	- Job Announcement

=======================================================================
[1] EPIC, Civil Society Celebrate International Privacy Day
=======================================================================

EPIC and civil society organizations around the world celebrated
International Privacy Day with a call to governments to sign on to the
Council of Europe Privacy Convention, which was opened for signature on
January 28, 1981. The object of the Privacy Convention, known as
"Convention 108," is to strengthen data protection for individuals with
regard to automatic processing of personal information relating to
them. As the Council of Europe explained,

    In order to secure for every individual, whatever his/her
    nationality or residence, respect for his/her rights and
    fundamental freedoms, and in particular his/her right to privacy,
    with regard to automatic processing of personal data relating to
    him/her, the Council of Europe elaborated the "Convention for the
    Protection of Individuals with regard to Automatic Processing of
    Personal Data" which was opened for signature on 28 January 1981.
    To this day, it still remains the only binding international legal
    instrument with a worldwide scope of application in this field,
    open to any country, including countries which are not members of
    the Council of Europe.

The Convention remains timely. As one source noted,

    In addition to being the first legally binding international
    instrument in the area of data protection, this Convention has
    withstood the test of time by being adaptive and fairly rigorous.
    Today the principles of this agreement are being examined for their
    applicability to the collection and processing of biometric data.

One scholar recently wrote that "It is not too difficult for the data
protection laws of quite a few non-European countries to meet the
requirements of Convention 108" and suggested "The opening up of
Convention 108 to non-European countries is one way of sidestepping
the cumbersome process of developing a new UN convention on privacy"
and concluded that "this approach deserves serious consideration by
Asia-Pacific and other governments that already have privacy laws of
international standard, or are considering introducing them."

Forty-one countries have ratified Convention 108. Civil society
groups will continue their efforts to press for adoption of the
Convention among the countries that have not yet ratified.

They also noted that previous US objections to signing a Council of
Europe Convention would no longer apply since the US had urged many
countries to sign the controversial Council of Europe Convention on
Cybercrime.

On International Privacy Day, EPIC also honored eminent Italian jurist
Stefano Rodotà with the "International Privacy Champion" award. EPIC
said that Professor Rodotà has profoundly influenced the public's
understanding of human rights in the age of the Internet and described
Professor Rodotà as "a powerful advocate for the rights of the
citizen." Previous recipients of the EPIC Champion of Freedom Award
include Senator Patrick Leahy and Professor Pamela Samuelson.


EPIC, Council of Europe Privacy Convention:
     http://epic.org/privacy/intl/coeconvention/

COE Privacy Convention - Text
     http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm

Graham Greenleaf, "Accession to Council of Europe privacy
Convention 108 by non-European states":
     http://epic.org/redirect/011509_GGreenleaf_coe108.html

International Privacy Day Campaign (with activities)
     http://www.facebook.com/home.php#/event.php?eid=54024777428

Privacy International:
     http://www.privacyinternational.org/

The Public Voice:
     http://www.thepublicvoice.org

Net Dialogue, INITIATIVE: COE's Convention for the Protection of
Individuals with regard to Automatic Processing of Personal Data:
     http://www.netdialogue.org/initiatives/coeautoprocess/

EPIC, "Privacy and Human Rights"
     http://epic.org/phr06/

Statement of Senator Patrick Leahy on "Data Privacy Day"
     http://leahy.senate.gov/press/200901/012809B.HTML

Wikipedia, Stefano Rodota (Italian)
     http://it.wikipedia.org/wiki/Stefano_Rodot%C3%A0

Facebook Fan page, Stefano Rodota
     http://www.facebook.com/home.php#/pages/Stefano-Rodota/47114266507



=======================================================================
[2] Supreme Court Permits Arrest Based on Police Database Error,
     EPIC Amicus Brief Cited in Dissent
=======================================================================

The Supreme Court, in a 5-4 opinion, held that the police may use false
information contained in a police database as the evidence for an
arrest. Chief Justice Roberts held that, "when police mistakes are the
result of negligence such as that described here, rather than systemic
error or reckless disregard of constitutional requirements, any
marginal deterrence does not 'pay its way.'"

In Herring v. US, the police searched and then arrested Bennie Dean
Herring based on incorrect information in a government database. He was
illegally arrested and searched even though he told the officers that
there was no arrest warrant, and no officer had seen or could produce
a copy of the arrest warrant. After he was indicted, Herring petitioned
the district court to suppress the evidence gathered incident to his
unlawful arrest, arguing the exclusionary rule prevented the use of
such evidence. But the district court ruled against him. Herring
then appealed to the Eleventh Circuit Court of Appeals, which affirmed
the district court's ruling. Herring thereafter petitioned for cert. to
the US Supreme Court.

Justice Ginsburg, writing for four of the Justices in dissent, said
that "negligent recordkeeping errors by law enforcement threaten
individual liberty, are susceptible to deterrence by the exclusionary
rule, and cannot be remedied effectively through other means." EPIC
filed a friend of the court brief urging the Justices to ensure the
accuracy of police databases, on behalf of 27 legal scholars and
technical experts and 13 privacy and civil liberty groups. The EPIC
brief was cited by the Justices in dissent.

Justice Ginsburg, highlighting EPIC's brief, underscored that "electronic
databases form the nervous system of contemporary criminal justice
operations" and "[p]olice today [could] access databases that include not
only the updated National Crime Information Center (NCIC), but also
terrorist watchlists, the Federal Government's employee eligibility
system, and various commercial databases." Further relying on EPIC's
brief, she also warned that the "risk of error stemming from these
databases is not slim" and they were "insufficiently monitored" and
"often out of date."

Justice Ginsburg disagreed with the majority opinion on three major
premises. She argued that, with the remedy of suppression of evidence
restricted to deliberate or reckless errors, defendants were left with
no remedy for violations of their constitutional rights. Secondly, she
raised her doubts that police forces possessed sufficient incentives
to maintain up-to-date records. Thirdly, Justice Ginsburg reasoned that
even when deliberate or reckless conduct was afoot, the Court's
assurance will often be an empty promise - as the defendant will
probably be unable to make the required showing.

Supreme Court Opinion (Jan. 14):
     http://epic.org/privacy/herring/07-513_opinion.pdf

"Friend-of-the-court," Brief by EPIC, 27 Legal Scholars and Technical
Experts and 13 Privacy and Civil Liberty Groups (pdf) (May 16, 2008):
     http://epic.org/privacy/herring/07-513tsac_epic.pdf

US Supreme Court Docket page for Herring v. US:
     http://www.supremecourtus.gov/docket/07-513.htm

EPIC page on Herring v. US:
     http://epic.org/privacy/herring/

EPIC's page on the 2003 online petition urging the reestablishment of
accuracy requirements for the FBI's National Crime Information Center,
the nation's largest criminal justice database:
     http://epic.org/privacy/ncic/



=======================================================================
[3] EPIC, Experts Urge Supreme Court: Protect Anonymity & Pseudonymity
=======================================================================

On December 19, 2008, EPIC filed a "friend of the court" brief in the
United States Supreme Court, urging the Justices to protect anonymous
and pseudonymous activities. The brief was filed on behalf of seventeen
legal scholars and technical experts.

In Flores-Figueroa v. United States, the Court will be asked to
determine whether individuals who include identification numbers that
are not theirs, but don't intentionally impersonate others, can be
subject to harsher punishments under federal law. EPIC explained that
anonymous and pseudonymous behavior is a cornerstone of privacy
protection in the identity management field. The brief urges the Court
to not "set a precedent that might inadvertently render the use of
privacy enhancing pseudonyms, anonymizers, and other techniques for
identity management unlawful."

Amici said that the term "identity theft" "has a specific meaning among
technologists, academics, security professionals, and other experts in
the field of identity management." "Identity theft" refers to the
knowing impersonation of one person by another. "The unknowing use of
inaccurate credentials does not constitute identity theft," amici
argued. The brief explains that precise use of technical concepts is
crucial, particularly in a case that could impose enhanced criminal
identity theft penalties on a person who presented an identity document
that contained his own name, but an inaccurate ID number.

The brief details the importance of anonymous and pseudonymous
credentials in identity management systems, and explains how an adverse
decision in this case "threatens to impose aggravated identity theft
penalties on individuals who present inaccurate credentials in an
effort to protect their privacy through pseudonymous or anonymous
activities." EPIC also described the long and distinguished history of
pseudonymous activity, from the American founders' pseudonymous
advocacy for liberty through Mary Ann Evans' "George Eliot" nom de
plume and the U.S. government's issuance of pseudonymous credentials to
enrollees in the Department of Justice's Witness Protection Program.

In Flores-Figueroa v. United States, the petitioner challenged his
conviction for "aggravated identity theft" under the Identity Theft
Penalty Enhancement Act. Flores-Figueroa maintains that he did not
commit identity theft when he used an identity document with his
real name and an identity number that was not his to maintain
employment. 

The federal law provides for enhanced penalties when a person
"knowingly transfers, possesses, or uses, without lawful authority, a
means of identification of another person." Flores-Figueroa identified
himself by his real name to his employer, but provided a false Social
Security Number and false Permanent Resident Number. Both ID numbers
were issued to someone else, but neither person shared Flores-Figueroa's
name, and the government presented no evidence that Flores-Figueroa knew
that the ID numbers were assigned to real people. The case will resolve
whether a person can be convicted of aggravated identity theft if he
does not "knowingly" use an ID number assigned to "another person."

EPIC has advocated for strong protections against identity theft, and
opposed burdensome ID requirements. Earlier this year, EPIC encouraged
federal regulators to impose monetary penalties on companies that
exposed their customers' data to criminals. In addition, EPIC has long
supported the right of individuals to preserve their anonymity,
particularly in the face of ever more intrusive government
identification requirements.
 
"Friend-of-the-court," Brief by EPIC, Legal Scholars, Technical
Experts (Dec. 19, 2008):
    http://epic.org/privacy/flores-figueroa/121908_brief.pdf

US Supreme Court Docket page for Flores-Figueroa v. United States:
    http://www.supremecourtus.gov/docket/08-108.htm

EPIC's Flores-Figueroa v. United States page:
     http://epic.org/privacy/flores-figueroa/

EPIC's Identity Theft Page:
     http://epic.org/privacy/idtheft/

EPIC's Support for Constitutional Right to Anonymity in
Watchtower Bible v. Stratton:
     http://epic.org/free_speech/watchtower.html

Petitioner's Brief for Supreme Court Review in
Flores-Figueroa v. United States:
      http://epic.org/privacy/flores-figueroa/pet_amicus.pdf

The Government's Brief Regarding Supreme Court Review in
Flores-Figueroa v. United States:
     http://epic.org/privacy/flores-figueroa/gov_amicus.pdf



=======================================================================
[4] Homeland Security Promotes Employment Verification System -
     EPIC Pursues Open Government Request
=======================================================================

The Department of Homeland Security has issued a solicitation for
"Marketing and Advertising Services in Support of E-Verify." The
E-Verify program was created by the U.S. Department of Homeland
Security and the Social Security Administration to verify the work
authorization status of new hires. However, the Government
Accountability Office, the Social Security Administration's Inspector
General, and the CATO Institute have detailed many shortcomings of
E-Verify, and have highlighted high levels of inaccuracies in the
databases on which the program is based, employer misuse resulting in
discrimination and unlawful termination, the lack of privacy
protections as well as the program's high costs.

The USCIS solicitation, which runs to 64 pages, anticipates a
national-level marketing and advertising campaign budget estimated at
$30 million, all of which comes from taxpayers' money. In spite of DHS
being fully aware of the limitations of the E-Verify program, and of a
federal court granting a preliminary injunction against implementing a
DHS "Safe Harbor" rule designed to impose liability on disobeying
employers, the E-Verify program promotion not only seems to be
continuing, but also gathering steam.

On November 10, 2008, NPR began running a credit on its radio stations
which stated "[s]upport for NPR comes from NPR stations, and the
Department of Homeland Security (DHS), offering E-Verify, confirming
the legal working of new hires. At DHS dot gov slash E-Verify."
The ad running on NPR radio stations is part of a political campaign to
make E-Verify mandatory for all U.S. employers. By law, NPR can only
identify and not promote underwritings and sponsorship. In a letter
to the NPR Ombudsman, EPIC noted that E-Verify "could deny many
eligible individuals - including U.S. citizens and legal immigrants -
the opportunity to work," and is "ineffective as a solution to U.S.
immigration problems." The letter, however, failed to evoke a response.

Thereafter, EPIC filed a Freedom of Information request with DHS to
uncover all records, including contracts and related documents, between
DHS and NPR concerning the E-Verify promotion. The request included a
demand for expedited processing, which, under statute, must elicit a
response within 10 calendar days. Although DHS acknowledged the demand
for information, and referred the request for processing and direct
response to USCIS, the USCIS failed and/or neglected to reply with a
determination within the statutory timeframe, which is the equivalent
of a denial. Therefore, EPIC filed an appeal from the denial of the
request.


EPIC's Freedom of Information Request to DHS/USCIS:
     http://epic.org/privacy/e-verify/dhs_foia_120408.pdf

EPIC's Freedom of Information request Appeal to USCIS:
     http://epic.org/privacy/e-verify/DHS_EV_Appeal_01082008.pdf

EPIC's letter to NPR Ombudsman:
     http://epic.org/DHS_NPR_ltr_12-08.pdf

EPIC, "Spotlight on Surveillance: E-Verify System - DHS Changes Name,
But Problems Remain for U.S. Workers.":
     http://epic.org/privacy/surveillance/spotlight/0707/default.html

"Employment Verification - Challenges Exist in Implementing a Mandatory
Electronic Employment Verification System," United States Government
Accountability Office, June 10, 2008:
     http://www.gao.gov/new.items/d08895t.pdf

"Inspector General's Statement on SSA's Major Management and
Performance Challenges," Nov. 5, 2008:
     http://epic.org/redirect/120808_IG_SSA_statement.html



=======================================================================
[5] Data Breaches on Rise in the US
=======================================================================

The Identity Theft Resource Center, a nonprofit working to understand
and prevent identity theft, issued a report for the year 2008 on
data breaches in the United States. The California-based Center
reported that data breaches increased dramatically in 2008. The breach
report included 656 reported breaches at the end of 2008 and reflected
an increase of 47 percent over a total of 446 data breaches in 2007.

The ITRC classifies entities into five groups: Business, Educational,
Government/Military, Health/Medical and Financial/Credit. The rankings
of these groups have not changed since 2007. While data breaches from
Business and Educational entities were 240 and 131, Financial/Credit
related data breaches were reported to be 78. The ITRC also tracked
five categories of data loss methods: Insider Theft, Hacking, Data on
the Move, Accidental Exposure and Subcontractor. The report noted that
Insider Theft accounted for 15.7 percent, Hacking at 13.9 percent, Data
on the Move at 20.7 percent, Accidental Exposure at 14.4 percent, and
Subcontractor related data loss at 10.4 percent.

Electronic breaches accounted for 82.3 percent compared to paper
breaches at 17.7 percent. While the report identified 35.7 million
records potentially breached as per notification letters and
information provided by breached entities, 41.9 percent went unreported
or undisclosed making the total number of affected records an unreliable
number to use for any accurate reporting. The ITRC concluded that most
breached data was unprotected by either encryption or even passwords.

The ITRC advised agencies and companies to (a) minimize personnel with
access to personally identifying information, (b) encrypt mobile data
storage devices, (c) set policy for storage and transport of data,
(d) encrypt and securely store all data transfers and backups,
(e) properly destroy all paper documents before disposal, (f) update
computer security and (g) train employees on safe information handling.


Data breaches are the leading cause of identity theft. The Federal
Trade Commission estimates that as many as 9 million Americans have
their identities stolen each year. Many states have laws that govern
how businesses should respond to data breaches, and what notice or
assistance they are required to provide to affected consumers.
Massachusetts recently established stringent rules for data security as
well.


ITRC Data Breach Report:
     http://epic.org/redirect/011509_ITRC_DataBreach_report.html

2008 Data Breach Total Soars, ITRC:
     http://epic.org/redirect/011509_ITRC_DataBreach_media.html

Federal Trade Commission's page on Data Breaches:
     http://epic.org/redirect/011509_FTC_DataBreach.html

Federal Trade Commission's page on Identity Theft:
     http://epic.org/redirect/011509_FTC_IdTheft.html

EPIC's page on Identity Theft:
     http://epic.org/privacy/idtheft/



=======================================================================
[6] News in Brief
=======================================================================

Federal Intelligence Court Rules Warrantless Wiretapping Legal

The Foreign Intelligence Surveillance Court of Review has ordered the
release of a redacted opinion which ruled in August, 2008 that
warrantless wiretapping of international phone calls and the
interception of e-mail messages were permissible. Giving support to the
Protect America Act, the Court found that "foreign intelligence
surveillance possesses characteristics that qualify" for an exception
in the interest of "national security."

Court Opinion:
     http://www.uscourts.gov/newsroom/2009/FISCR_Opinion.pdf

Court Order Authorizing Public Release:
     http://www.fas.org/irp/agency/doj/fisa/fiscr011209.pdf

Foreign Intelligence Surveillance Act:
     http://epic.org/privacy/terrorism/fisa/



Court Denies Rehearing in Prescription Privacy Law Case

The First Circuit Court of Appeals denied rehearing en banc in a case
which involved a recent New Hampshire law that banned the sale of
prescriber-identifiable prescription drug data for marketing purposes.
EPIC and sixteen experts in privacy and technology had filed a friend
of the court brief in the matter urging a reversal of a District Court
ruling that delayed enforcement of the New Hampshire Prescription
Confidentiality Act. In November last year, the First Circuit Court of
Appeals upheld the ban, following which a motion for en banc rehearing
was filed.

Court Order denying re-hearing:
     http://epic.org/privacy/imshealth/CA1_enbanc_011409.pdf

Opinion Upholding New Hampshire Prescription Confidentiality Act:
     http://epic.org/privacy/imshealth/11_18_08_order.pdf

EPIC's Brief in Support of Prescription Privacy:
     http://epic.org/privacy/imshealth/epic_ims.pdf

New Hampshire Prescription Confidentiality Act:
     http://www.gencourt.state.nh.us/legislation/2006/HB1346.html

Maine's Prescription Privacy Law:
     http://epic.org/redirect/112008_ME_prescrption_privacy.html

Vermont's Prescription Privacy Law:
     http://epic.org/redirect/112008_VT_prescrption_privacy.html

EPIC's page on IMS Health Inc. v. Ayotte:
     http://epic.org/privacy/imshealth/default.html



EPIC, Patient Advocates Urge Congress to "ACT" on Privacy

EPIC and more than 25 members of the Coalition for Patient Privacy at a
news conference on January 14, 2009 in Washington, DC urged Congress to
include critical privacy safeguards for the medical record network that
may be included in the economic stimulus plan. The Coalition partners
are recommending that lawmakers "ACT" on privacy and provide
Accountability for access to health records, Control of personal
information, and Transparency to protect medical consumers from abuse.


Coalition for Patient Privacy:
     http://www.patientprivacyrights.org/

Coalition for Patient Privacy Press release:
     http://www.patientprivacyrights.org/site/R?i=-BviVrOz6zoN_13UqgbzhQ

Coalition letter to Congress:
     http://www.patientprivacyrights.org/site/R?i=dvCRMk51lVXnJoxfWoC9MQ

EPIC's page on Medical Privacy:
     http://epic.org/privacy/medical/default.html



Future of Privacy Forum Issues Recommendations for the Administration

The Future of Privacy Forum proposed seven privacy recommendations to
the upcoming administration. The FPF urged the President to also
appoint a Chief Privacy Officer (CPO) in order to recognize that
responsible use of data by businesses and government is critical to the
economy, to protecting civil liberties and to ensuring public safety.
Other recommendations were to appoint a Chief Privacy Officer to
promote fair information practices in both public and private sectors;
ensure that interactive tools used by the government provide users
with enhanced transparency and controls; establish a standard
definition of personal information; increase technology and research
support for the Federal Trade Commission; enhance criminal law
enforcement support for the Federal Trade Commission; provide national
leadership to resolve the conflict between privacy and online safety
for youth; and encourage accountable business models.

Future of Privacy Forum Recommendations:
     http://www.net-security.org/secworld.php?id=6921



Trade Commission Proposes Consumer Authentication

The Federal Trade Commission issued a report recommending five measures
to help prevent Social Security numbers from being used for identity
theft. The report recommended improving consumer authentication,
restricting public display and transmission of Social Security Numbers,
establishing national standards for data protection and breach
notification, conducting outreach to business and consumers and
promoting coordination and information sharing on use of SSNs. The
Commission recommended that the Congress should strengthen the
procedures that private-sector organizations use to authenticate
their customers' identities. Although the Commission recommended a
national data security standard to cover SSNs, it did not clarify that
such regulations should not pre-empt State regulations providing a
higher threshold of privacy.

FTC Issues Report on Social Security Numbers and Identity Theft:
     http://www.ftc.gov/opa/2008/12/ssnreport.shtm

Security in Numbers, SSNs and ID Theft:
     http://www.ftc.gov/os/2008/12/P075414ssnreport.pdf

EPIC's page on Identity Theft:
     http://epic.org/privacy/idtheft

EPIC's page on Privacy and Preemption:
     http://epic.org/privacy/preemption/



Consumer Groups Urge Trade Commission to Investigate Mobile Marketing

The Center for Digital Democracy and the U.S. Public Interest Research
Group filed a complaint with the Federal Trade Commission to
investigate the growing threat to consumer privacy in the mobile
advertising world. Certain services track, analyze, and target the
public and build secret profiles. Users are targeted based on their
online behavior and their location. The complaint urges the Commission
to define and clarify practices, review self-regulation, require notice
and disclosure and also protect the public. Earlier, thirty Privacy
Coalition members sent a letter to then President-elect Barack Obama
highlighting the importance of protecting consumer privacy in new
network services.


Center for Digital Democracy:
     http://www.democraticmedia.org/

U.S. Public Interest Research Group:
     http://www.uspirg.org/

Complaint before the FTC:
     http://www.democraticmedia.org/files/FTCmobile_complaint0109.pdf

The Federal Trade Commission:
     http://www.ftc.gov/

The Privacy Coalition:
     http://privacycoalition.org/

Privacy Coalition Letter to President-elect Barack Obama:
     http://epic.org/privacy/pdf/obama-ftc-ltr.pdf

EPIC's page on Privacy and Consumer Profiling:
     http://epic.org/privacy/profiling/default.html



Federal Regulator Reverses on Internet Content Filtering Plan

The Federal Communications Commission Chairman Kevin Martin has said
in an interview published by Ars Technica on Dec. 29 that he will not
pursue a government-mandated content filter as part of a proposal for
a nationwide free wireless broadband network. EPIC had opposed the
provision and said that it would create a dangerous precedent that
would encourage governments to limit access to unpopular or
controversial speech.

Kevin Martin's interview:
     http://epic.org/redirect/011509_FCC_KevinMartin_at.html



The Transportation Research Board Held Meeting

The Transportation Research Board held its 88th Annual Meeting in
Washington DC. Transportation, Energy, and Climate Change was the theme
for the event. The meeting featured 3,000 presenters in about 600
presentations that engaged 10,000 national and international
transportation professionals attending the event. The meeting featured
discussions about technology and its potential for addressing global
warming challenges and the efficient use of roads and highways. In
recent years, innovative surface transportation has exposed automobile
users to smart fee tolling systems that offer automated payment options.
Privacy consequences of smart transportation systems were discussed
during the panel presentation "Valuing Privacy in Intelligent
Transportation Systems" held on Tuesday, January 12, 2009.


88th Annual Meeting, January 11-15, 2009,
Transportation Research Board:
     http://www.trb.org/Meeting/2009/default.asp



Chinese Filtering Circumvention Tools Sell User Data

The Berkman Center for Internet & Society reported that three of the
circumvention tools being used to bypass China's Great Firewall are
actually tracking and selling the individual web browsing histories of
their clients. The findings, which appeared on a blog, showed that the
sites employed deceptive language regarding the safety of their use
and access and privacy policies were altogether absent. The tools,
DynaWeb FreeGate, GPass, and FirePhoenix, have chosen a business
model of selling user data.


Hal Roberts, "watching technology," The Berkman Center for
Internet & Society:
     http://epic.org/redirect/011509_Berkman_Blog.html



=======================================================================
[7] EPIC Bookstore: "Blown to Bits"
=======================================================================

"Blown to Bits"
by Hal Abelson, Ken Ledeen & Harry Lewis

     http://www.powells.com/biblio/64-9780137135592-0?&PID=24075

The free flow of information in an increasingly connected world has
brought about technological feasibilities that years ago would have
sounded schizophrenic. Yet, as every person treads the digital world,
whether knowingly or unknowingly, they leave behind digital footprints
in a myriad of ways. This book examines how the ubiquity of technology
dilutes itself into the fabric of daily life, and the way our world
responds to those consequences.

Each chapter begins with an engaging real life story. The authors
highlight the use of modern technology, sometimes as a tool, sometimes
as a crutch, and sometimes as a weapon. But each time with definite
consequences of how "bits" of information are not only changing
reality, but also our perception of the way we interact with the world.
"Your Life, Liberty and Happiness After the Digital Explosion" is an apt
tagline for the book which traces the evolution of the digital world -
the way we use it and the way it makes us adopt newer policies to
"govern" the explosion of digital information.

The book brings to the fore a series of varied impacts of technology.
Cell phone "pings" locating people in distress, the social costs of
seemingly innocuous surveillance, the disparity between what a computer
displays and what lies beneath, the unintended directories in the
online world, the ownership of the digital bit, and the lists of
problems it poses to the safety and security of the civilized world.
One cannot but marvel at the dichotomy of challenges and pleasures
that the digital life has whipped up.

Without being judgmental, Abelson, Ledeen and Lewis bring out the most
obvious and apparent facts offered by the new technology and give a
take on the good and the ill, the promises and the perils, and the
risks and the opportunities, without conveying to readers a sense of
foreboding. The authors explain complex computer and internet workings
without leaving a layman grappling with jargon and yet manage to give
readers a sense of how we are headed towards a new era in information
exchange.

The authors declare that the value of technology depends on how we use
it and conclude by foretelling that the ongoing digital explosion will
result in dramatic changes in our sense of personal identity and
privacy, our capacity for free speech, and the creativity that drives
human progress.

-- Anirban Sen



================================
EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid
(EPIC 2008). Price: $60.

http://epic.org/bookstore/foia2008/
	
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
laws. This updated version includes new material regarding the
substantial FOIA amendments enacted on December 31, 2007. Many of the
recent amendments are effective as of December 31, 2008. The standard
reference work includes in-depth analysis of litigation under the
Freedom of Information Act, Privacy Act, Federal Advisory Committee Act,
and Government in the Sunshine Act. The fully updated 2008 volume is the
24th edition of the manual that lawyers, journalists and researchers
have relied on for more than 25 years. 

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
$40.

http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the
CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.

================================

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/bookshelf/epicorg.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/mailman/listinfo/foia_notes


=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

The Privacy by Design Challenge - nine privacy leaders from major
corporations present their latest innovations in Privacy-Enhancing
Technologies. Toronto, Canada, January 28, 2009. For more
information, http://www.privacybydesign.ca/registration.htm


The American Conference Institute is hosting the 8th National Symposium
on Privacy and Security of Consumer and Employee Information at the
Four Points by Sheraton, Washington, D.C., January 27-28, 2009.
http://www.americanconference.com/Privacy.htm


Notice and Request for Public Comments by the Federal Trade Commission
on Digital Rights Management Technologies.
Comments due by January 30, 2009.
Event: Wednesday, March 25, 2009, Seattle, WA.
For more information,
https://secure.commentworks.com/ftc-DRMtechnologies/


The IAPP Privacy Summit 2009 will be held March 11-13, 2009, in
Washington, D.C. For more information, http://www.privacysummit.org


"Conference on International Aspects of Securing Personal Data,"
The Federal Trade Commission, Washington, D.C., March 16-17, 2009.
For more information, http://ftc.gov/opa/2008/12/datasec.shtm

IEEE Symposium on Security and Privacy, May 17-20, 2009,
The Claremont Resort, Oakland, California. For more information,
http://oakland09.cs.virginia.edu/

Web 2.0 Security & Privacy 2009, Thursday, May 21,
The Claremont Resort, Oakland, California. For more information,
http://w2spconf.com/2009/

Computers, Freedom, and Privacy, 19th Annual Conference, Washington,
D.C., June 1-4, 2009. For more information,
http://www.cfp2009.org/wiki/index.php/Main_Page


"The Transformation of Privacy Policy," Institutions, Markets
Technology Institute for Advanced Studies (IMT) Lucca, Italy, July 2-4,
2009.


=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:
https://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert


The EPIC Alert displays best in a fixed-width font, such as Courier.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

=======================================================================
Support Privacy '08
=======================================================================

If you would like more information on Privacy '08, go online and search
for "Privacy 08." You'll find a Privacy08 Cause at Facebook, Privacy08
at Twitter, a Privacy08 Channel on YouTube to come soon, and much more.
You can also order caps and t-shirts at CafePress Privacy08.

Start a discussion. Hold a meeting. Be creative. Spread the word. You
can donate online at epic.org. Support the campaign.

Facebook Cause:
http://www.epic.org/redirect/fbprivacy08.html

Twitter:
http://twitter.com/privacy08

CafePress:
http://www.cafepress.com/epicorg

========================================================================
                          E P I C   Job Announcement
========================================================================

        EPIC is seeking a smart, energetic, creative individual
                     for the position of Staff Counsel

                         Deadline: Jan. 31, 2009

                       Click here for more details
           http://www.epic.org/epic/jobs/counsel_1108.html


------------------------- END EPIC Alert 16.01-------------------------
