EPIC logo



=======================================================================
                            E P I C  A l e r t
=======================================================================
Volume 11.12                                              June 24, 2004
-----------------------------------------------------------------------

                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

            http://www.epic.org/alert/EPIC_Alert_11.12.html

======================================================================
Table of Contents
======================================================================

[1] Supreme Court Upholds Arrest for Refusal to Give Identification
[2] EPIC Recommends Protections for Social Security Numbers
[3] Info on PATRIOT Act Surveillance Authority Released
[4] EPIC Proposes RFID Privacy Guidelines to the FTC
[5] EPIC Opposes Ratification of Cybercrime Convention
[6] Top TSA Official Admits Vast Collection of Air Passenger Data
[7] News in Brief
[8] Upcoming Conferences and Events

======================================================================
[1] Supreme Court Upholds Arrest for Refusal to Give Identification
======================================================================

A sharply divided Supreme Court ruled on Monday that, under certain
circumstances, a person may be required to give his name to a police
officer.  The decision upheld a Nevada law allowing police to arrest
an individual when there are "suspicious circumstances surrounding his
presence" and he refuses to identify himself.

Larry Dudley Hiibel challenged the constitutionality of the law when
he was convicted for refusing to give his name to a police officer. He
asserted that the law violates the right against unreasonable search
and seizure based in the Fourth Amendment, and the right against
self-incrimination guaranteed by the Fifth Amendment.

The Supreme Court opinion, authored by Justice Kennedy, held only a
bare majority (5-4).  The Court narrowed its holding to the particular
facts of the case: "As we understand it, the statute does not require
a suspect to give the officer a driver's license of other document.
Provided that the suspect either states his name or communicates it by
other means . . . the statues is satisfied and no violation occurs."

When an officer stops an individual based on "reasonable suspicion,"
he has the right to "pat down" the person to search for weapons in
interest of the officer's safety.  However, the question of whether
the scope of such searches extended to allowing an officer to compel
identification had been unresolved.  The Court in Hiibel held that the
Nevada law was related to the "purpose, rationale and practical
demands" of the stop, leaving open the question of whether querying
vast criminal databases -- some of which may contain incorrect
information -- violates the Fourth Amendment.

Such databases are increasingly interconnected and available to
street-level police.  The most critical systems are severely flawed:
the National Crime Information Center (NCIC) database was exempted
from accuracy requirements by the Justice Department and the
Multi-State Anti-Terrorism Information Exchange (MATRIX) may be in
violation of state privacy laws.  Reliance on such systems may be an
unreasonable search since it must be "reasonably related in scope to
the circumstances which justified the initial stop," a question left
unanswered by the court.

Justices Breyer, Souter and Ginsberg strongly dissented based on the
Fourth Amendment prohibition against unreasonable searches and
seizures, following a long line of cases that held that an individual
is "not obliged to respond" when questioned by police, even when asked
to identify himself.

The Court also found that Hiibel's Fifth Amendment rights against
compelled self-incrimination were not violated because "As best we can
tell, petitioner refused to identify himself only because he thought
his name was none of the officer's business."  However, the Court
invited a case in which the individual's name itself may be
incriminating and "would furnish a link in the chain of evidence
needed to prosecute him."  Such a situation arises when extensive
criminal databases, some of which may contain incorrect information,
are searched in the normal course of a stop based on reasonable
suspicion.  Said the Court, "In that case, the court can then consider
whether the privilege applies, and, if the Fifth Amendment has been
violated, what remedy must follow."

Justice Stevens' dissenting opinion recognized the danger of vast
police databases, finding that -- in this context -- laws requiring an
individual to identify himself violate the Fifth Amendment.  "A name
can provide the key to a broad array of information about the person,
particularly in the hands of a police officer with access to a range
of law enforcement databases," asserted Justice Stevens.

EPIC was one of several groups to submit briefs in support of Hiibel.
EPIC's brief focused on the wealth of information in national law
enforcement databases that becomes available to police officers once
they input a person's name.  Other briefs in support of Hiibel focused
on the difficulty of proving one's identity, especially as it affects
the homeless, and the harms of punishing silence.

The Supreme Court opinion is available at:

     http://supct.law.cornell.edu/supct/html/03-5554.ZO.html

EPIC's amicus brief filed in Hiibel v. Sixth Judicial Court of Nevada:

     http://www.epic.org/privacy/hiibel/epic_amicus.pdf

For more information about the case, see EPIC's Hiibel v. Sixth
Judicial Court of Nevada Page:

     http://www.epic.org/privacy/hiibel

======================================================================
[2] EPIC Recommends Protections for Social Security Numbers
======================================================================

In testimony before the House Ways and Means Subcommittee on Social
Security, EPIC associate director Chris Hoofnagle argued that Congress
should regulate the collection, use, and disclosure of individuals'
Social Security Numbers (SSNs).  The hearing concerned H.R. 2971, the
Social Security Number Privacy and Identity Theft Prevention Act of
2003, which was introduced by Subcommittee Chairman Clay Shaw (R-FL)
and has bipartisan support.

H.R. 2971 would place limits on both private sector and government
disclosure of the SSN.  It would empower the Attorney General to allow
disclosure of the SSN where there is a compelling interest served
through use of the identifier that cannot be satisfied with an
alternative number.  Other provisions of the bill would prohibit the
printing of SSNs on government checks, employee ID badges, and
driver's licenses.  The legislation prohibits "coercive disclosure," a
practice in which a business conditions the provision of a product or
service upon disclosure of the SSN.  The bill also moves the SSN
"below the line," meaning that sale of SSNs from "credit headers,"
identification information from a credit report, would be subject to a
full set of Fair Credit Reporting Act protections.

EPIC made a number of recommendations for improvement of the
legislation.  EPIC recommended that exceptions allowing use of the SSN
be limited in duration, as time limits encourage users of the SSN to
transition to alternative identifiers.  Users of the SSN should also
be required to maintain technical safeguards and be subject to legal
liability for misuse of the identifier.  EPIC recommended that
Congress look to the leadership of state legislatures in crafting SSN
legislation.  Broad protections for the SSN have been provided
recently in Colorado, Arizona, and California.  Many states have
created protections for the SSN in specific sectors, including
limiting use of the identifier at educational institutions and
limiting its disclosure in public, vital, and death records.

EPIC's testimony closed with a recommendation that Congress examine
how dependence on the SSN exacerbates identity theft.  Businesses use
the SSN as both a record identifier and as a password, making it a
poor tool for both purposes.  Also, in a number of high-profile cases,
banks have issued credit to applicants based solely on a SSN match,
meaning that a criminal, armed only with a SSN, can commit identity
theft.  In one case detailed in the testimony, credit was granted to
an impostor who had a correct SSN but listed an incorrect date of
birth and address on an application.  If credit grantors relied less
on the SSN and were required to more carefully examine applications
for new accounts, identity theft would be harder to commit.

EPIC's testimony:

     http://www.epic.org/privacy/ssn/ssntestimony6.15.04.html

H.R. 2971, the Social Security Number Privacy and Identity Theft
Prevention Act of 2003:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d108:h.r.2971:

For more information about privacy issues raised by Social Security
Numbers, see EPIC's SSN Page:

     http://www.epic.org/privacy/ssn

======================================================================
[3] Info on PATRIOT Act Surveillance Authority Released
======================================================================

EPIC received two sets of documents last week revealing that the scope
of the FBI's powers under a controversial provision of the USA PATRIOT
Act is broader than what government officials have publicly
acknowledged.

The documents concern Section 215 of the USA PATRIOT Act, which grants
the FBI the authority to request an order "requiring the production of
any tangible things (including books, records, papers, documents, and
other items)" relevant to an investigation of international terrorism
or clandestine intelligence activities.  United States citizens may be
investigated in part on the basis of their First Amendment activities,
and the FBI need not show a reason to believe that the target of a
surveillance order is engaged in criminal activity.

A memo obtained by EPIC and allied civil liberties groups, dated
October 15, 2003, shows that the FBI submitted an application for a
Section 215 order just weeks after Attorney General John Ashcroft
publicly stated that the controversial provision of the USA PATRIOT
Act had never been invoked.  The October 15 application does not
reveal the purpose of the investigation, or the type of information
sought.

Among other FBI documents released last week is an internal FBI memo
from October 2003 acknowledging that Section 215 may be used to obtain
information about innocent people.  In discussing the FBI's ability to
obtain "business records" under the provision, an unknown FBI employee
writes:

"The business records request is not limited to the records of the
target of a full investigation. The request must simply be sought for
a full investigation.  Thus, if the business records relating to one
person are relevant to the full investigation of another person, those
records can be obtained by a [Foreign Intelligence Surveillance Court]
order despite the fact that there is no open investigation of the
person to whom the subject of the business records pertain."

Also released was an FBI memo indicating that any "tangible things,"
including apartment keys, may be obtained under Section 215.

A judge for the United States District Court for the District of
Columbia ordered release of the Section 215 documents last month,
overturning the FBI's decision to withhold the documents until 2005.
Under the District Court judge's order, more documents are to be
released in July.  The documents respond to an October 2003 Freedom of
Information Act request filed by EPIC, the American Civil Liberties
Union, the American Booksellers Foundation for Free Expression and the
Freedom to Read Foundation.

Another set of documents released to EPIC this month show that the FBI
acknowledges that it may obtain library patrons' reading and web
browsing documents without having probable cause.  This determination
is revealed in an e-mail sent by an unknown FBI official in December
2003, in which the official points out that the FBI web site
incorrectly stated that Section 215 requires that the FBI have
probable cause to request library records.  This inaccurate statement
was posted on the FBI website in response to the question "Can the FBI
look at your library records any time they want?"

Another e-mail concerns the criminal prohibition against librarians
informing their patrons about any Section 215 orders.  The e-mail
states: "One of the primary complaints from the librarians is that 215
orders must be complied with secretly, as if there is something
sinister about the fact that they would not be permitted to share with
others a request for information."  The e-mail writer goes on to
suggest that an FBI official, in his upcoming testimony on Section
215, address a certain case "as an example of why secrecy is
important."  That case, however, involved using pre-USA PATRIOT Act
authority to obtain a person's library web searches as part of an
espionage investigation.  There was no Section 215 authority at the
time of that investigation.

These documents were obtained by EPIC under a January 2004 Freedom of
Information Act request to the FBI.

For more information about Section 215 and other USA PATRIOT Act
provisions, see EPIC's USA PATRIOT Act Page:

     http://www.epic.org/privacy/terrorism/usapatriot

======================================================================
[4] EPIC Proposes RFID Privacy Guidelines to the FTC
======================================================================

In testimony to the Federal Trade Commission on radio frequency
identification (RFID) technologies, EPIC Policy Counsel Cedric Laurant
urged the agency to adopt strong privacy guidelines to protect
consumers against potential abuses of the tracking technology.

RFID is an emerging information technology designed to facilitate the
remote capture of information from physical objects.  Associated data
is stored on a small token (a "tag") affixed to, or embedded in, the
object.  Tags in use today are small enough to be invisibly embedded
in products and product packaging.  Data is read from these tags via
radio waves transmitted by special RFID reading devices.  RFID readers
are often connected to computer networks, facilitating the transfer of
data from the physical object to databases and software applications
thousands of miles away and allowing objects to be continually located
and tracked through space.  Today, major uses of RFID include supply
chain management, animal tracking, and electronic roadway toll
collection.

RFID technology represents a fundamental change in the information
technology infrastructure with dramatic privacy implications. 
Although the use of RFID in the retail sector is now primarily in the
supply chain, products with embedded RFID are beginning to appear on
store shelves.  Product level tagging, if left unregulated, could
facilitate unprecedented levels of consumer surveillance, tracking,
and profiling.

EPIC's testimony to the Commission proposed guidelines that outline
the duties of RFID users such as warehouses and retail stores, as well
as the rights of individuals who come in contact with RFID-enabled
products.  At a minimum, RFID users must clearly label or identify
products containing RFID, disable them before the completion of a
sale, attach tags in a way that makes them easily removable, and
designate an individual responsible for user compliance with RFID
guidelines.  Further, any RFID users that gather personal data about
individuals must inform them of the purpose and scope of the data's
use, obtain written consent before proceeding, enable individuals to
access and correct their data, and post a comprehensive privacy policy
establishing their duties towards customers.  The guidelines also
prohibit the use of RFID data to track or identify individuals beyond
what is required to manage inventory.

EPIC also recently surveyed developers and manufacturers of RFID
technology, as well as retailers who have begun to employ RFID in the
supply chain and in the retail setting.  EPIC asked about their use of
RFID tags in the retail environment and requested details about how
they were enabling customers to disable tags (a process known as "tag
killing") or remove tags from retail merchandise.  Results from the
survey to date indicate that there is no standard for tag killing in
industry today.  Tags may be physically destroyed in the process or
simply erased for later recycling.  Leading retailer Wal-Mart has told
EPIC that there are no RFID tag readers anywhere on their sales
floors.  Further, both RFID manufacturers and end user retailers have
indicated that when consumers do buy products with RFID they are
clearly labeled and only embedded in packaging which can be easily
removed.  These practices should become industry standards.  Complete
results of the survey are available on the EPIC web site.

Over the past year there has been increased activity worldwide to
draft guidelines, principles and legislation governing the use of RFID
in order to protect privacy.  Last November, a joint position
statement on RFID use, signed by more than twenty consumer privacy and
civil liberties organizations including EPIC, called for a voluntary
moratorium on item-level RFID tagging until a formal technology
assessment process involving all stakeholders, including consumers,
can take place.  Also in November, a resolution on RFID was adopted at
the International Conference of Data Protection and Privacy
Commissioners in Sydney.  Country-level guidelines have been drafted
in Europe and Asia, and several bills have been introduced into state
legislatures in the United States.

EPIC's survey of the RFID industry:

     http://www.epic.org/privacy/rfid/survey.html

For more information about radio frequency identification
technologies, see EPIC's RFID page:

     http://www.epic.org/privacy/rfid

======================================================================
[5] EPIC Opposes Ratification of Cybercrime Convention
======================================================================

On June 17, EPIC submitted a letter to the Senate Committee on Foreign
Relations urging it to oppose the ratification of the Council of
Europe's Convention on Cybercrime (the Cybercrime Convention).  The
same day, the Committee held a hearing to consider whether the United
States should ratify the international treaty.

In 1997, the Council of Europe formed a Committee of Experts on Crime
in Cyberspace, and met in secret for several years drafting the
Cybercrime Convention, which was released in final form in June 2001. 
In November 2001, the United States joined about 30 other countries in
the ceremonial act of signing the Cybercrime Convention.  Since then,
only Albania, Croatia, Estonia, Hungary, Lithuania and Romania have
actually ratified the treaty.  On November 17, 2003, President Bush
transmitted the Convention, along with the State Department's report
on the treaty, to the U.S. Senate with a view to receiving its advice
and consent to ratification.  The State Department report states,
among other things, that adoption of the treaty will not require
implementation of any new legislation in the U.S.

EPIC's letter to the Committee recommended against ratification of the
Cybercrime Convention for several reasons.  First, the Convention
threatens core human rights protected by the U.S. Constitution.  The
treaty grants law enforcement authorities sweeping investigative
powers regarding computer surveillance, search and seizure, but fails
to provide adequate safeguards for privacy or checks on government use
of these powers.  While the treaty does mention a concern for privacy
protections, its language is weak and vague. The Cybercrime Convention
also ignores several important existing international treaties and
conventions regarding privacy and human rights, such as the 1948
Universal Declaration of Human Rights and the Council of Europe's own
1981 Convention for the Protection of Individuals with regard to the
Automatic Processing of Personal Data.

Second, the Cybercrime Convention was drafted in a secretive and
undemocratic manner.  Nineteen drafts of the treaty were produced
before the document was released to the public.  Even after public
release, little effort was made to incorporate concerns of privacy and
civil liberties groups.  The June 17 hearing before the Senate
Committee on Foreign Relations continued that trend.  The only
witnesses who testified about the Cybercrime Convention were
government officials, and no nongovernmental organizations or industry
groups were given the opportunity to participate.  The government
witnesses did not mention any criticisms or possible drawbacks of
ratifying the treaty.

Finally, very few European countries have ratified the Cybercrime
Convention.  In fact, the treaty remains very controversial in Europe,
particularly the provisions relating to the lack of protections for
the use, collection, and distribution of personal data.  As Italian
Privacy Commission official Giovanni Buttarelli noted at EPIC's recent
Freedom 2.0 conference in Washington, privacy and data protection have
come to be considered in the European Union Charter of Fundamental
Rights as fundamental human rights which European officials are
committed to protecting, and there is concern that the extensive
surveillance tools enabled by the Cybercrime Convention are threats to
a democratic society.

To become binding on the U.S., the treaty requires approval of
two-thirds of the Senate.  When the Senate considers a treaty, it may
approve it as written, approve it with specified conditions,
reservations, or understandings, reject and return it, or prevent its
entry into force by withholding approval. Chairman Richard Lugar has
indicated that the Foreign Relations Committee may soon act on the
Administration's ratification request, but treaty critics are asking
for additional hearings to address their concerns.

The text of the Convention on Cybercrime:

     http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm

The hearing schedule and witnesses' testimonies:

     http://foreign.senate.gov/hearings/2004/hrg040617a.html

An explanation of the U.S. treaty ratification process is available
at:

     http://www.epic.org/redirect/ratification.html

For more information, see EPIC's page on the Council of Europe's
Convention on Cybercrime:

     http://www.epic.org/privacy/intl/ccc.html

======================================================================
[6] Top TSA Official Admits Vast Collection of Air Passenger Data
======================================================================

The Transportation Security Administration's top official has admitted
that Delta, Continental, America West, JetBlue and Frontier Airlines
disclosed passenger records to the agency's contractors in 2002 to
help them test the second generation Computer Assisted Passenger
Prescreening System (CAPPS II).  David Stone's concession, which was
made in sworn written testimony responding to questions asked by the
Senate Governmental Affairs Committee prior to his confirmation
hearing, contradicts repeated denials that the agency had acquired or
used real passenger data from airlines to test the controversial
passenger profiling system.

The admission flies in the face of a February report to Congress by
the General Accounting Office, Congress' investigative arm, which
stated that the Transportation Security Administration had tested
CAPPS II only with 32 simulated passenger records based upon
itineraries provided by agency employees and contractor staff.

Stone further disclosed that agency contractors were given passenger
records from Galileo International and "possibly" Apollo, two airline
reservation systems.  The agency directly received passenger
information from a third reservation system, Sabre, which is one of
the largest in the world and used by most Internet travel web sites.

Stone also stated that the agency failed to publish a "system of
records" notice for the collection of passenger records, which is
generally required by the Privacy Act.  Stone said the agency "did not
believe" that the notice was necessary because the personal
information was "not to be accessed or retrieved by name or personal
identifier to make individual determinations[.]"

Questions also arose earlier this year about the agency's compliance
with the federal privacy law in relation to passenger records.  In
February, the Department of Homeland Security Privacy Office chastised
the agency for acting "without appropriate regard for individual
privacy interests or the spirit of the Privacy Act" when it
facilitated the transfer of passenger data from JetBlue Airways to a
Defense Department contractor.

David Stone's answers to questions posed by the Senate Governmental
Affairs Committee:

     http://www.epic.org/privacy/airtravel/stone_answers.pdf

General Accounting Office's Report to Congress on CAPPS II:

    http://www.epic.org/privacy/airtravel/ago-capps-rpt.pdf

Department of Homeland Security Privacy Office's Report to the Public
on Events Surrounding JetBlue Data Transfer:

      http://www.epic.org/privacy/airtravel/jetblue/dhs_report.pdf

For more information about passenger data disclosures, see EPIC's page
on the Northwest Airlines disclosures:

     http://www.epic.org/privacy/airtravel/nasa

For more information about CAPPS II, see EPIC's Passenger Profiling
Page:

     http://www.epic.org/privacy/airtravel/profiling

=====================================================================
[7] News in Brief
======================================================================

EPIC LAWSUIT COMPELS RELEASE OF PASSENGER DATA INFO

Two weeks after EPIC filed suit to compel the Transportation Security
Administration and Federal Bureau of Investigation to release
information about their efforts to acquire airline passenger data from
major commercial airlines (see EPIC Alert 11.11), the FBI has granted
expedited processing of EPIC's request for information about the
agency's collection of a year's worth of passenger information from
numerous airlines after 9/11.  Last month, the FBI refused to expedite
EPIC's request on the grounds that "the primary activity of EPIC does
not appear to be information dissemination," though two federal judges
have found otherwise.  The Bureau also justified its denial by stating
that EPIC had not "demonstrated any particular urgency to inform the
pubic about the subject matter of [its] request beyond the public's
right to know generally."

EPIC's complaint is available at:

     http://www.epic.org/privacy/airtravelfoia/complaint.pdf

EPIC's motion for a preliminary injunction is available at:

     http://www.epic.org/privacy/airtravelfoia/pi_motion.pdf

For more information about passenger data disclosures, see EPIC's
Northwest Disclosure Page:

     http://www.epic.org/privacy/airtravel/nasa


LEGISLATORS INTRODUCE SWEEPING CIVIL LIBERTIES BILL

The Civil Liberties Restoration Act of 2004, a major piece of civil
liberties legislation, was introduced in Congress this month. 
Numbered H.R. 4591 in the House and S. 2528 in the Senate, the Act
would require, among other things, that the Attorney General comply
with the Privacy Act's accuracy requirements with respect to the data
entered in the National Crime Information Center Database (NCIC).  In
March 2003, a regulation had been issued exempting the NCIC from the
accuracy requirement.  The Act would also ensure that individuals who
are charged with a crime under the USA PATRIOT Act would see the
evidence against them under the procedure set forth in the Classified
Information Procedures Act.  Further, the Act would require federal
agencies to submit a report to Congress on their data mining
activities.

The text of the Civil Liberties Restoration Act of 2004:

     http://thomas.loc.gov/cgi-bin/bdquery/z?d108:s.02528:

For information about NCIC inaccuracy, see EPIC's Joint Letter to
Require Accuracy for the National Crime Information Center:

     http://www.epic.org/privacy/ncic


SENATE COMMITTEE CONSIDERS VOIP RULES

The Senate Committee on Science, Commerce, and Transportation heard
testimony on June 16 to consider S. 2281, the Voice-over-IP (VoIP)
Regulatory Freedom Act, sponsored by Senator John Sununu (R-NH). 
Under the proposed bill, VoIP providers would not be required to meet
wiretap standards set forth in the Communications Assistance for Law
Enforcement Act of 1994 (CALEA), though they would be required to
honor government wiretap orders.  The Justice Department contends that
applying CALEA-like requirements to VoIP would enable better real-time
communications interceptions and the ability to avoid tapping into
data from uninvolved third parties.  They also argue that wiretap
regulations should be technology neutral and that singling out
particular technologies for exemptions creates holes in law
enforcement's ability to protect national security.

The corresponding House bill, sponsored by Rep. Chip Pickering (R-MS),
explicitly extends CALEA design requirements to Internet telephony.

For more information about VoIP privacy issues, see the EPIC Internet
Telephony page:

     http://www.epic.org/privacy/voip


HOUSE SUBCOMMITTEE APPROVES SPYWARE BILL

In a brief mark-up session on June 17, the House Subcommittee on
Commerce, Trade and Consumer Protection approved an amended version of
H.R. 2929, the Securely Protect Yourself Against Cyber Trespass Act
(SPY ACT), setting the stage for consideration of the bill by the full
House Energy and Commerce Committee on June 24.

The amended H.R. 2929 prohibits certain deceptive practices related to
spyware such as hijacking a computer's functions, changing homepages
without authorization, and surreptitious keystroke logging. The bill
also regulates "information collection programs" by mandating express
consent before installation, the provision of an uncomplicated
disabling function, and the disclosure of the type of information
collected and then purpose of collecting it.  Under the current draft
of H.R. 2929, the Federal Trade Commission will assume enforcement
functions, with authorization to levy fines as large as $3 million for
certain violations.  The speed with which H.R. 2929 has moved from
subcommittee to full committee, and the bipartisan nature of the
bill's 32 co-sponsors, suggests that the full House is likely to pass
it this session.  However, the bill's efficacy might be undermined by
the fact that it includes no provisions for a private right of action,
and it preempts states from legislating their own privacy protections
against spyware.

The text of H.R. 2929 is available at:

     http://www.epic.org/redirect/hr2929.html


ICANN EXTENDS WHOIS PUBLIC COMMENT PERIOD TO JULY 5

The Internet Corporation for Assigned Names and Numbers (ICANN) has
extended the deadline for public comments to be submitted on the WHOIS
policy development preliminary reports.  The WHOIS database is a
public directory of domain registrant data which is available and
searchable online.  Currently, registrants must enter such personal
information as name, address, telephone number, and e-mail address in
addition to technical contact information, all of which can be found
in the public WHOIS database.

Last year ICANN established three task forces to develop policy for
the WHOIS database.  The task forces' preliminary reports, which focus
on access, data, and accuracy, were recently released to the public.
Members of the public now have until July 5, 2004 to submit comments
to the three task forces developing the WHOIS policy.

For more information, visit the Public Voice web site:

     http://www.thepublicvoice.org/news/2004_whoiscomments.html

                     ================================

EPIC Publications:

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, as well as recommendations and proposals
for future action, as well as a useful list of resources and contacts
for individuals and organizations that wish to become more involved in
the WSIS process.

                     ================================

"The Privacy Law Sourcebook 2003: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2003).
Price: $40. http://www.epic.org/bookstore/pls2003

The "Physicians Desk Reference of the privacy world."  An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.

                     ================================

"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.
http://www.epic.org/bookstore/foia2002

This is the standard reference work covering all aspects of the
Freedom of Information Act, the Privacy Act, the Government in the
Sunshine Act, and the Federal Advisory Committee Act.  The 21st
edition fully updates the manual that lawyers, journalists and
researchers have relied on for more than 25 years.  For those who
litigate open government cases (or need to learn how to litigate
them), this is an essential reference manual.

                     ================================

"Privacy & Human Rights 2003: An International Survey of Privacy Laws
and Developments" (EPIC 2002). Price: $35.
http://www.epic.org/bookstore/phr2003

This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty-five countries around the world.  The survey
examines a wide range of privacy issues including data protection,
passenger profiling, genetic databases, video surveillance, ID systems
and freedom of information laws.

                     ================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.

                     ================================

"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls

The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are
interested in the emerging field of electronic commerce.  The focus is
on framework legislation that articulates basic rights for consumers
and the basic responsibilities for businesses in the online economy.

                     ================================

"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price:
$20.  http://www.epic.org/bookstore/crypto00&

EPIC's third survey of encryption policies around the world.  The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.

                     ================================

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

     EPIC Bookstore
     http://www.epic.org/bookstore

     "EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

======================================================================
[8] Upcoming Conferences and Events
======================================================================

ITU WSIS Thematic Meeting on Countering Spam.  International
Telecommunication Union and the World Summit on the Information
Society.  July 7-9, 2004.  Geneva, Switzerland.  For more information:
http://www.itu.int/osg/spu/spam/meeting7-9-04/index.html.

PORTIA Workshop on Sensitive Data in Medical, Financial, and
Content-Distribution Systems.  PORTIA Project.  July 8-9, 2004.
Stanford, CA.  For more information:
http://crypto.stanford.edu/portia/workshop.html.

O'Reilly Open Source Convention.  July 26-30, 2004.  Portland, OR.
For more information: http://conferences.oreilly.com/oscon.

2004 UK Big Brother Awards.  Privacy International.  July 28, 2004.
London, UK.  For more information:
http://www.privacyinternational.org/bigbrother/uk2004.

First Conference on Email and Anti-Spam.  American Association for
Artificial Intelligence and IEEE Technical Committee on Security and
Privacy.  July 30-31, 2004.  Mountain View, CA.  For more information:
http://www.ceas.cc.

Crypto 2004: The Twenty-Fourth Annual IACR Crypto Conference.
International Association for Cryptologic Research, IEEE Computer
Society Technical Committee on Security and Privacy, and the Computer
Science Department of the University of California, Santa Barbara.
August 15-19, 2004.  Santa Barbara, CA.  For more information:
http://www.iacr.org/conferences/crypto2004.

Ninth National HIPAA Summit.  September 12-14, 2004.  Baltimore, MD.
For more information: http://www.HIPAASummit.com.

Public Voice Symposium: Privacy in a New Era: Challenges,
Opportunities and Partnerships.  Electronic Privacy Information
Center, European Digital Rights Initiative (EDRi), and Privacy
International.  September 13, 2004.  Wroclaw, Poland.  For more
information:
http://www.thepublicvoice.org/events/wroclaw04/default.html.

The Right to Personal Data Protection -- the Right to Dignity.  26th
International Conference on Data Protection and Privacy Commissioners.
September 14-16, 2004.  Wroclaw, Poland.  For more information:
http://26konferencja.giodo.gov.pl.

2004 Telecommunications Policy Research Conference.  National Center
for Technology & Law, George Mason University School of Law.  October
1-3, 2004.  Arlington, VA.  For more information:
http://www.tprc.org/TPRC04/call04.htm.

Health Privacy Conference.  Office of the Information and Privacy
Commissioner of Alberta.  October 4-5, 2004.  Calgery, Alberta, Canada.
 For more information:
http://www.oipc.ab.ca/home/DetailsPage.cfm?ID=1453.

IAPP Privacy and Data Security Academy & Expo.  International
Association of Privacy Professionals.  October 27-29, 2004. New
Orleans, LA.  For more information:
http://www.privacyassociation.org/html/conferences.html.

Privacy and Security: Seeking the Middle Path.  Office of the
Information & Privacy Commissioner of Ontario; Centre for Innovation
Law and Policy, University of Toronto; and Center for Applied
Cryptographic Research, University of Waterloo.  Toronto, Ontario,
Canada.  October 28-29, 2004.  For more information:
http://www.epic.org/redirect/uwaterloo_conf.html.

CFP2005: Fifteenth Annual Conference on Computers, Freedom and
Privacy.  April 12-15, 2005.  Seattle, WA.  For more information:
http://www.cfp2005.org.

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:

     https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:

     http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

======================================================================
Privacy Policy
======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information."

======================================================================
About EPIC
======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research.  For more information, see
http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite
200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248
(fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "EPIC" and sent to 1718
Connecticut Ave., NW, Suite 200, Washington, DC 20009.  Or you can
contribute online at:

     http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 11.12 ----------------------

.