Electronic Privacy Information Center

views updated

ELECTRONIC PRIVACY INFORMATION CENTER

Founded in 1994, the Washington-based, nonprofit Electronic Privacy Information Center (EPIC) serves as a clearinghouse to disseminate information concerning the protection of Internet users' privacy. Its founder and executive director, Marc Rotenburg, created the organization to address perceived Internet privacy violations committed by both the government and businesses that operate Web sites.

EPIC's Web site includes Internet privacy news, the organization's newsletter, details on pending legislation, and an "Online Guide to Practical Privacy Tools." It identifies suppliers of secured e-mail, anonymous re-mailers for private e-mail, and computer programs that permit users to surf anonymously or to block cookies. The site also archives reports and articles concerning computer security, free speech, and cryptography. The site's privacy section includes information about securing online privacy in the work-place, eliminating spam and junk mail, and protecting one's social security number. Finally, the site furnishes an annotated listing of relevant organizations, print publications, national and international Web sites, privacy tools, and electronic newsgroups.

Early in 2001, EPIC joined with 16 other organizations in calling on President George W. Bush and Congress to implement national online privacy protection measures. Their request promoted the establishment of proposed fair information practices to mandate that online companies make the personal information they collect via their Web sites available to Internet users. The proposal also argued for the right of users to be able to modify incorrect data that has been captured online and to limit companies' use of such data. It promoted the creation of a special commission devoted to monitoring online surveillance technologies. Finally, it recommended that the laws regulating user privacy online be created at the state, rather than the national level since state legislation could be more stringent than federal legislation. Online trade groups countered that they either should be permitted to police themselves or that federal privacy legislation should be drafted.

EPIC makes frequent use of the Freedom of Information Act (FOIA) in its online privacy litigation. Among its targets, EPIC has criticized the FBI for failing to guarantee whether its Carnivore Internet surveillance system, which debuted in 1997 as Omnivore, unduly violates the public's online privacy. Omnivore was created ostensibly to monitor criminals' use of the Internet. However, EPIC alleged that the FBI also monitored the Internet communications of ordinary individuals, in what constituted an excessive breach of their privacy rights. In July 2000 it filed a FOIA suit against the FBI to obtain the data gathered by Carnivore. A U.S. District Court judge ordered the FBI to release records generated by Carnivore to EPIC every 45 days, after the Bureau delayed in responding to EPIC's initial request for material. When it did release records, the FBI withheld or censored about 600 pages of material. The FBI also refused to provide the Carnivore source code, according to EPIC. The group's original FOIA request sought all records and documents on Carnivore, including the FBI's legal analysis of the system's impact on privacy and the source code describing how data is gathered.

Another FOIA suit, begun by EPIC in 1999 against the National Security Agency, sought the release of internal NSA documents concerning the legality of the agency's intelligence activities. EPIC also brought suit against the Federal Trade Commission (FTC) concerning the commission's investigation of consumer privacy complaints, as a result of which EPIC successfully obtained the material. Other U.S. government agencies that have been the object of EPIC litigation include the Department of State, the Department of Commerce, and the National Security Council.

EPIC has used similar tactics against members of online industries. For example, it filed a federal complaint against the online marketer DoubleClick Inc. for planning to merge data about Internet users, such as their addresses and purchasing habits, with offline databases and then sell that information without notifying consumers. EPIC's complaint successfully impeded DoubleClick from acting. Other EPIC targets included the Clinton administration and Intel, whom it threatened to boycott if the company activated technology in Pentium III chips that would have facilitated the tracking of Internet surfing.

EPIC also issued a series of "Surfer Beware" reports. Its first report in 1997, entitled "Surfer Beware: Personal Privacy and the Internet," formed the foundation for the FTC's review of online privacy practices, the Fair Information Practices, which it outlined in 1998. EPIC released its most recent report, "Surfer Beware III: Privacy Policies Without Privacy Protection," in winter 2000. This report investigated the top 100 most popular online shopping sites for their compliance with the Fair Information Practices. Despite the companies' claims that they secure their data, the report concluded that 18 of the shopping sites failed to display a privacy policy, 35 included profile-based advertisers that gathered personal data from the sites, and 86 used cookies.