WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2002 >> [2002] EPICAlert 1

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 9.01 [2002] EPICAlert 1


Volume 9.01 January 14, 2002

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] State DMVs Developing National ID System
[2] EPIC Urges Qwest to Drop Marketing Plan
[3] Court Upholds FBI Use of Secret "Key Logger" Technology
[4] Companies Stop Privacy-Invasive Practices
[5] Student Privacy Protections Enacted
[6] Digital Rights Management Discussed at Future of Music Conference
[7] EPIC Bookstore - A National ID Card: A License to Live
[8] Upcoming Conferences and Events

[1] State DMVs Developing National ID System

A Task Force of the American Association of Motor VehicleAdministrators (AAMVA) announced plans today to increase uniformity ofstate driver's licenses and information sharing between states and lawenforcement agencies. The AAMVA proposal combines severalinitiatives, each with very different privacy implications, and asksfor $100 million in federal funding to determine what technologyshould be used and to expand information sharing capacity. Efforts toenhance document security and prevent forgery, such as improvedholograms and printing techniques, are a positive application oftechnology to the driver's license regime. The AAMVA also advocatesstricter enforcement and tougher penalties for fraud and abuse ofdriver's licenses occurring inside and outside of DMVs.

Standardization of driver's license security features and issuancestandards across the 50 states, as well as information sharing withfederal agencies and state law enforcement, would make the driver'slicense a de facto national identity card. The AAMVA has notdisclosed how the detailed personal information required to obtain alicense, including residency and immigration status and socialsecurity information, will be collected, used and shared under the newprogram. The AAMVA has also proposed making the driver's license aunique identifier. While they have not yet determined what technologywill be implemented, they plan to use biometric or other identifiersto positively ensure that license applicants are who they say theyare, and that no person holds more than one license. This proposalpresents the most significant privacy and security risks, which aredetailed in EPIC's ID Card and Biometrics pages referenced below.

The possible creation of national identification cards throughdriver's licenses deserves careful examination and open publicdiscussion. EPIC is in the process of drafting a memo discussing therisks and policy implications of national identification schemes, tobe prepared in time for the AAMVA's leadership summit, where the headsof the state DMVs will discuss the task force's recommendations.

AAMVA's website (including an archived webcast of the January 14thpress conference):

EPIC's ID Card Page:

EPIC's Biometrics Page:

[2] EPIC Urges Qwest to Drop Marketing Plan

Last week, millions of Qwest customers across the country receivedopt-out notices in their monthly billing statements. The notices,
which were contained within a pamphlet that said "the following willnot affect your billing," provided that Qwest could use customercalling data -- information such as services subscribed to and calllogs -- unless customers opted-out of this plan by calling a toll-freenumber within 30 days.

Customers attempting to call the toll-free number to opt-out havereported numerous difficulties, including long waits and disconnects.

The information that Qwest is planning on using is known as customerproprietary network information, and is protected from use absent"customer approval" by the 1996 Communications Act. The FCCpromulgated a rule in 1998 that required telecommunication carriers toobtain explicit customer approval (opt-in) before using suchinformation in any manner inconsistent with provision of services. TheFCC explicitly rejected an opt-out approach as insufficientlyprotective of customer privacy. However, in 1999 the US Court ofAppeals for the 10th Circuit ruled that the opt-in approach did notpass First Amendment scrutiny because the decision to require "opt-in"
was not adequately considered or supported by existing facts.

In response to this 1999 court decision, the FCC in October 2001issued a request for public comments, seeking advice on, among otherthings, whether an opt-in approach inherently violates the FirstAmendment. EPIC and consumer groups filed comments and reply commentsurging the FCC to implement an opt-in approach. Similar comments werefiled by 39 Attorneys General.

In a letter sent to Qwest President Afshin Mohebbi on January 7, EPICurged Qwest to suspend their marketing plan.

Although the initial comment period closed in November, the FCC hasannounced -- in the wake of Qwestís implementation of their marketingplan -- that they will continue to accept comments from anyone wishingto express their opinion in this ongoing debate. Consumers wishing todo so can comment by e-mail: <> or by regular mail:
FCC, 445 12th St. S.W., Washington, D.C. 20554, attn: ConsumerInformation Bureau. Reference Docket No. 96-115.

EPIC's comments are available at:

EPICís reply comments are available at:

Attorneys General comments are available at:

EPICís letter to Qwest President Afshin Mohebbi:

[3] Court Upholds FBI Use of Secret "Key Logger" Technology

In a decision issued on December 26, a federal judge in New Jerseyupheld the legality of the FBI's use of a "key logger system" secretlyinstalled on a suspect's computer to capture his encryption passphraseand denied a defense motion to suppress evidence obtained through thetechnique. U.S. District Judge Nicholas Politan also allowedprosecutors to keep secret the specifics of the technology, sayingdisclosure "would cause identifiable damage to the national securityof the United States." The government had earlier invoked theClassified Information Procedures Act (CIPA) to conceal details of thesurveillance system (see EPIC Alert 8.16).

The gambling and loansharking case aginst defendant Nicodemo Scarfo,
Jr. has become the first to test the legality of law enforcementefforts to counter the use of encryption. The events of September 11seem to have had an influence in the case; Judge Politan wrote in thefirst paragraph of his opinion that "the matter takes on addedimportance in light of recent events and potential national securityimplications." Prosecutors and FBI officials met privately with thejudge on Sept. 28 to present "top-secret, classified evidence" aboutthe system and its use in national security investigations.

Scarfo's lawyers had argued that the "key-logger system" violated boththe Fourth Amendment (by collecting more information than needed) andthe federal wiretap statute (by intercepting modem transmissionswithout a wiretap order). They asserted that they needed, throughpre-trial discovery, a detailed explanation of the technology todetermine whether its use was improper. Politan ruled that anunclassified "summary" report on the system's capabilities providedthe defense with an adequate description.

The case will proceed to trial sometime in 2002; if convicted, Scarfocould raise the discovery and suppression issues on appeal.

The court's opinion is available at:

Other selected court documents on the Scarfo case are available at:

[4] Companies Stop Privacy-Invasive Practices

This month, two large companies revealed that they were putting an endto practices with major privacy implications, thereby sending animportant message to other industry groups that violation of consumerprivacy is not a profitable or useful enterprise.

First, as initially reported by CNET, DoubleClick has decided todiscontinue its profiling services. Effective December 31, 2001, thecompany no longer offers the targeted marketing that was once centralto its business plan. Relying on techniques such as cookies andweb-bugs to track users on the Internet, over the years DoubleClickbuilt up profiles on millions of individuals' surfing habits,
preferences, and past purchases. As a result, it earned considerablenotoriety as one of the worst invaders of personal privacy on theInternet. In February 2000, following complaints from EPIC andothers, the Federal Trade Commission launched a formal investigationof the company when it was reveale d that it planned to linkpersonally identifiable information to these formerly anonymousInternet profiles. That investigation was officially closed inJanuary 2001, consequent to DoubleClick's commitment to abide byself-regulatory guidelines for online profiling (see EPIC Alert 8.02).

Second, Dollar Rent-a-Car has ended its practice of requiringcustomers to be fingerprinted before renting a vehicle, because theeffort failed to meet its goal of reducing theft and fraud. Mr. JimSenese, Vice President of Quality Assurance at Dollar, is reported bythe Washington Post as saying that although there was some reductionin car theft over the course of the program, any savings that weremade did not compensate for the number of customers who were"irritated" by having to give thumbprints to the company.

In a related development on fingerprinting, a federal judge ruled lastweek that the technology used to "match" fingerprints does not meetstandards set by the Supreme Court for scientific evidence. JudgeLouis Pollak of the U.S. District Court found that expert witnessescannot rely on fingerprint analysis, which compares near perfectprints taken at the police station to partial smudges or latent printsfrom a crime scene, to conclusively determine that the latent print isthat of the accused person. In what has been described as a"blockbuster opinion," Judge Pollak's ruling casts doubt upon theincreased use of fingerprints as unique identifiers by private andpublic organizations, and may affect the evaluation of other forensictechniques such as handwriting and hair analysis.

Background information on DoubleClick:

CNET article on DoubleClick, January 8, 2002:

Washington Post article on Dollar Rent-a-Car, January 9, 2002:

New York Times article on Justice Pollak's decision, January 11, 2002:

[5] Student Privacy Protections Enacted

In December, Congress passed limited privacy protections for students.
The protections were passed because a number of companies collectpersonal information from children while they are at school formarketing purposes. Much of this profiling is conducted under thepretense of college admissions or job recruitment purposes, andparents are often not notified of the privacy policies associated withthe information collection. Companies such as American Student Listsell the survey data in profiles that include children's names,
contact information, sex, age, whether they own a telephone, income,
religion, and their race or ethnicity.

The protections, included in H.R. 1, the "No Child Left Behind Act of2001," were primarily supported by Sen. Christopher Dodd (D-CT) andSen. Richard Shelby (R-AL). The original Dodd-Shelby proposalincluded notice and opt-in protections for all commercial collectionof data from schoolchildren. However, compromise language was adoptedafter a lobbying push by the student profiling industry.

The new protections grant parents the right to inspect all surveysadministered at school that were written by third parties. Localeducation agencies, which are defined as schools, school districts, orboards of education, must give notice of "arrangements to protectstudent privacy" and allow the parent to opt a child out ofparticipation where the survey instrument contains questions seekingpolitical affiliations, mental or psychological information, sexualbehavior, criminal behavior, income, or religious belief. Parents mayalso opt children out of surveys that collect personal information formarketing purposes.

These new protections contain significant loopholes. The opt-out formarketing does not apply where the information collection is formagazine subscriptions or for "student recognition programs."
However, magazine marketing is a significant purpose of studentprofiling. In addition, some student recognition programs have asignificant marketing component.

H.R. 1, The No Child Left Behind Act of 2001 (see section 1061):

EPIC's Profiling Page:

[6] Digital Rights Management Discussed at Future of Music Conference

The Future of Music Coalition (FMC) held its second annual policysummit on January 7-8, 2002, in Washington, D.C. Many topics werediscussed that relate to issues of music and technology policy,
copyright law, and other areas of interest to musicians, the media,
policymakers, and the public.

The emphasis of the conference was on finding ways to protect theinterests of artists and copyright holders, as well as themusic-loving public, in a constantly changing technologicalenvironment. There was also much talk of Digital Rights Management(DRM) and its efficacy as an anti-piracy technique.

Notably, in a keynote speech, Rep. Rick Boucher (D-VA) said that hewill take steps to nurture the broad availability of music on theInternet, and that he intends to introduce a bill that would eliminatethe anti- circumvention clause of the DMCA (section 1201).

Panelist bios, transcripts, and more post-conference information iscurrently available at the Future of Music Coalition website.

Links to FMC conference materials and press coverage:

EPIC's new Digital Rights Management Page:

[7] EPIC Bookstore - A National ID Card: A License to Live

A National ID Card: A License to Live, by Robert Ellis Smith

Just in time to illuminate a new national debate, A National ID Card:
A License to Live brings together the provocative writings of RobertEllis Smith, publisher of Privacy Journal newsletter, on the seriousconsequences of adopting a mandatory universal identity document. Thisbook includes a bibliography on the subject, a list of other nationsand their ID practices, a history of IDs and Social Security Numbersin the U.S., and a frank discussion of airport security thatdistinguishes the window-dressing from the workable solutions.

This book is also available from Privacy Journal at:

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Lawsand Developments," (EPIC 2001). Price: $20.

This survey, by EPIC and Privacy International, reviews the state ofprivacy in over fifty countries around the world. The survey examinesa wide range of privacy issues including, data protection, telephonetapping, genetic databases, ID systems and freedom of informationlaws.

"The Privacy Law Sourcebook 2001: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20.

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

** POSTPONED! ** First Privacy Expo 2001. Privacy & American Businessand Privacy Council. Was November 27-29, 2001; will be rescheduled forFebruary or March 2002. Washington, DC. For more information:

** POSTPONED! ** Eighth Annual National "Managing the NEW PrivacyRevolution" Conference. Privacy & American Business and PrivacyCouncil. Was November 28-29, 2001; will be rescheduled for February orMarch 2002. Washington, DC. For more information:

Chief Privacy Officer Skills Development Workshop. PRIVA-C and SelectKnowledge. January 14-16, 2002 and February 18-20, 2002. Dallas, TX.
For more information:

Closing 'Windows' on Antitrust or Opening a New Era of Intervention?:
Competition Policy after the Microsoft Settlement. CATO Institute.
January 16, 2002. Washington, DC. For more information:

Debating Privacy and ICT: Before and After September 11th. RathenauInstituut. January 17, 2002. Amsterdam, The Netherlands. For moreinformation:

Eye in the Sky and Everywhere Else: Do Biometric Technologies ViolateOur Rights? CATO Insitute. January 24, 2002. Washington, DC. For moreinformation:

National Conference on Organized Resistance. American UniversityAnimal Rights Effort. January 25-27, 2002. Washington, DC. For moreinformation:

The Biometric Consortium Conference. February 13-15, 2002 (rescheduledfrom September 12-14, 2001). Arlington, VA. For more information:

CLA 6th Annual Cyberspace Camp Conference. Computer Law Association.
February 14-16. San Jose, CA. For more information:

Moving to the Forefront of Privacy Management for Bank & FinancialServices Executives. World Research Group. February 26-28, 2002. NewOrleans, LA. For more information:

2nd Annual BNA Summit: Combatting Cyber Attacks on your CorporateData. Bureau of National Affairs. February 27-28, 2002. Washington,
DC. For more information:

International Symposium on Freedom of Information and Privacy. Officeof the New Zealand Privacy Commissioner. March 28, 2002. Auckland, NewZealand. For more information:

Workshop on Privacy Enhancing Technologies. April 14-15, 2002. SanFrancisco, CA. For more information:

CFP 2002: The Twelfth Conference on Computers, Freedom & Privacy.
April 16-19, 2002. San Francisco, CA. For more information:

2002 IEEE Symposium on Security and Privacy. IEEE and theInternational Association for Cryptologic Research. May 12-15, 2002.
Oakland, CA. For more information:

INET 2002. Internet Society. June 18-21, 2002. Washington, DC. Formore information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:

Subject line: "subscribe" or "unsubscribe"

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email addressfrom this list, please follow the above instructions under"subscription information". Please contact if you wouldlike to change your subscription email address, or if you have anyother questions.

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information,
e-mail, or write EPIC, 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learnLatin at the same time! Receive a free "sed quis custodietipsos custodes?" coffee mug with donation of $75 or more.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 9.01


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback