WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2002 >> [2002] EPICAlert 14

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 9.14 [2002] EPICAlert 14


Volume 9.14 July 25, 2002

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] FCC Declines to Address Location Privacy Issues
[2] White House Unveils Homeland Security Strategy
[3] EPIC Files Brief in Wrongful Invasion of Privacy Suit
[4] Federal Appeals Court Affirms FTC Privacy Order
[5] FCC Adopts Modified Opt-In Plan for Customer Information
[6] EPIC Critiques Digital Rights Management Systems
[7] EPIC Bookstore - Ruling the Root
[8] Upcoming Conferences and Events

[1] FCC Declines to Address Location Privacy Issues

The Federal Communications Commission has decided not to develop rulesgoverning the collection and use of location data generated bywireless communications systems. In an order released on July 24, theCommission said that a federal statute enacted in 1999 "imposes clearlegal obligations and protections for consumers," and that "the bettercourse is to vigorously enforce the law as written, without furtherclarification of the statutory provisions by rule." The FCC orderrejected a petition filed by the Cellular Telecommunications andInternet Association (CTIA) which requested a rulemaking process todevelop uniform standards to implement the privacy provisions of theWireless Communications and Public Safety Act (WCPSA), which requires"express prior authorization" by a consumer to approve "the use ordisclosure" of his or her "call location information."

EPIC supported the CTIA petition, and urged the FCC to establishcomprehensive, technologically neutral privacy protections that wouldenable consumers to maintain meaningful control over the collectionand use of location data. The Commission concluded that the privacyprovision contained in the WCPSA is adequate to protect consumers,
without any clarifying rules:

We find [the WCPSA's] requirement of "express prior authorization" leaves no doubt that a customer must explicitly articulate approval before a carrier can use that customer's location information. Thus, no rules are necessary because the statutory language is unambiguous,
imposing clear legal obligations and protections for consumers. . . . We are prepared to vigorously enforce the law as written, while monitoring whether further Commission action is necessary. We believe handling the information in accordance with the statute provides adequate consumer protection against intrusion of consumers' privacy.

Commissioner Michael Copps dissented from the FCC decision, citingEPIC's comments which noted that Commission rules are needed becausethe statute's meaning apparently is subject to varying interpretationswithin the wireless industry. Commissioner Copps wrote that "Congressdid not define 'location information,' and without Commission action,
consumers and carriers will not know what is contained in this opaqueterm until the question is subject to court action that follows apotential privacy violation."

The FCC Order is available at:

EPIC's initial comments and reply comments are available at:

[2] White House Unveils Homeland Security Strategy

President Bush released the long-awaited "National Strategy forHomeland Security" on July 16. The document seeks to provide anorganizing framework for homeland security initiatives. One of itskey proposals is the establishment of a new Department of HomelandSecurity, which is currently being considered by Congress (the billhas been reported out of the House Select Committee and debate on theHouse floor is scheduled to begin today). The legislation containsseveral amendments that would beneficial for privacy, includingestablishing a Chief Privacy Officer in the new department andexplicitly preventing the development of a national ID card. The newDepartment, if created, will fold several federal agencies into oneorganizational structure in an effort to better coordinate functions.
The National Strategy calls for increased information sharing amonggovernment agencies and with the private sector. EPIC and other opengovernment advocates have testified that greater transparency andmeans of public accountability must balance any increased andconcentrated government powers (see EPIC Alert 9.13).

Also among the proposals contained in the "National Strategy" areseveral measures that implicate privacy interests. The Strategy callson states to lead the effort to create minimum standards for driver'slicenses. Such a plan, while vague, appears to reject proposals bythe American Association of Motor Vehicle Administrations (AAMVA),
Sen. Richard Durbin (D-IL), and Reps. Tom Davis (R-VA) and James Moran(D-VA), that would rely on the federal government to mandate uniformstandards for state driver's licenses. EPIC's report, "Your PapersPlease," shows how a uniform driver's license regime could create anationwide system of identification. The National Research Council'sreport, "IDs - Not That Easy: Questions About Nationwide IdentitySystems," urges the government to proceed cautiously in this areabecause of the profound issues such an identification system wouldraise for the character of American society.

In other proposals, however, the Bush administration's apparentopposition to ID schemes is notably absent. The Strategy calls fordeveloping biometric technology, which purportedly "shows greatpromise." In an example cited in the document for a potentialapplication of biometrics -- preventing a terrorist from using falsedocuments and a disguise to elude airport security -- the White Houseappears to be contemplating placing a biometric identifier on allairline passengers' identification documents, including Americancitizens. All travel documents issued to aliens will incorporatebiometric identifiers by October 26, 2004, as per the Enhanced BorderSecurity and Visa Entry Reform Act of 2002. Steve Cooper, the ChiefInformation Officer of the Office of Homeland Security, is reported tobelieve that devising better ways to accurately identify individualsis a key part of the Bush administration's homeland security strategy,
although he claims that such systems will not be allowed to undercutcivil liberties. EPIC recently submitted a statement to the Senate onthe unreliability of current biometric technology for large-scaleidentification applications. The statement also argues that biometricdatabases are subject to new forms of abuse, which may be moredifficult to correct and could pose significant consequences forindividuals whose biometric identifier is compromised.

In another section that implicates privacy, the Strategy flags thedevelopment of systems to detect "hostile intent" as a high priority.
The document states that "the Department of Homeland Security wouldwork with private and public entities to develop a variety of systemsthat highlight such behavior and can trigger further investigation andanalysis of suspected individuals." EPIC is currently pursuing alawsuit against the Transportation Security Administration seekinginformation about the development of CAPPS-II system for aviationsecurity, which would use such a system (see EPIC Alert 9.05). Theadministration has been reluctant to share details about how suchsystems would be conceived and operated.

The "National Strategy For Homeland Security" is available at:

EPIC's Statement on Biometrics and Identity Theft:

EPIC's National ID Card page:

[3] EPIC Files Brief in Wrongful Invasion of Privacy Suit

EPIC has filed an amicus brief in a case brought by the estate of AmyBoyer, a woman stalked and killed by a man who obtained informationabout her through an online information brokerage/"pretexting" agency.
The brief argues that private investigators and information brokersshould be liable for wrongful privacy invasions of third parties aboutwhom they are collecting and disseminating information. The casearose after Amy Boyer was stalked and killed by a man who obtainedinformation about her through Docusearch, an information brokerage runby private investigators. Docusearch used pretexting to obtaininformation about Ms. Boyer, including her address, which wassubsequently used by its client to track and kill her.

Liam Youens contacted Docusearch to obtain the date of birth of AmyLynn Boyer, a young woman with whom Youens had been obsessed since thetwo attended high school together. Youens later contacted Docusearchto request Boyer's Social Security number (SSN) and employmentinformation. Docusearch was unable to provide Boyer's date of birth,
but obtained her SSN from a credit reporting agency as part of acredit header and provided it to Youens for $45. Docusearch obtainedBoyer's work address by having a subcontractor, Michelle Gambino,
place a "pretext" call to Boyer. Gambino pretended to be affiliatedwith Boyer's insurance company, and requested "verification" ofBoyer's work address in order to facilitate an overpayment refund.
Docusearch charged Youens $109 for this information. Then, on October15, 1999, Youens drove to Boyer's workplace and fatally shot her asshe left work. He then committed suicide. A subsequent policeinvestigation revealed that Youens kept firearms and ammunition in hisbedroom, and maintained a Web site containing references to stalkingand killing Boyer, as well as detailing plans to murder her entirefamily.

Amy Boyer's mother sued Docusearch and the individual privateinvestigators that worked with Youens for several claims, includingwrongful death and invasion of privacy. EPIC submitted an amicusbrief arguing that Docusearch should be liable under all claims.

EPIC's Amicus Brief is available at:

EPIC has created a Web page with information about the Amy Boyer case:

[4] Federal Appeals Court Affirms FTC Privacy Order

A federal appeals court on July 17 upheld a decision by a lower courtthat limited the secondary use of individuals' financial informationand established that credit reporting agencies are "financialinstitutions" that must abide by federal financial privacyregulations. The U.S. Court of Appeals for the D.C. Circuit rejecteda challenge by Trans Union, a credit reporting agency, to privacyregulations promulgated by the Federal Trade Commission pursuant tothe Gramm-Leach-Bliley Act (GLBA). Trans Union had claimed that as acredit reporting agency, it was not subject to the FTC's rulemakingauthority under the GLBA; that the regulations' definition ofpersonally identifiable information was overbroad; that theregulations' restrictions on third-party reuse were inconsistent withthe GLBA; and that the regulations infringed on Trans Union's FirstAmendment free-speech rights. The GLBA was enacted in 1999 torestructure the financial services industry by eliminating legalbarriers to affiliations among financial services providers while alsogiving consumers more control over their personally identifiablefinancial information.

In addition to holding that credit reporting agencies are subject tothe GLBA's privacy regulations, the decision in Trans Union v. FederalTrade Commission sustains the FTC's finding that names, addresses,
telephone and social security numbers are considered nonpublicpersonal information under the GLBA and that financial institutionswishing to disclose such information to a third party must provideconsumers with notice of the institution's disclosure policy and anopportunity to opt out of disclosure. The court's decision alsoupholds FTC regulations prohibiting third parties, including creditreporting agencies, from reusing any personal information they mayreceive from other institutions. For example, credit reportingagencies that receive personally identifiable financial informationfrom another financial institution for credit verification purposesmay not reuse that information for marketing purposes.

The court also rejected Trans Union's contention that the regulations'
restrictions on disclosure and reuse of nonpublic personal informationviolated its free speech rights by preventing it from disseminatingtruthful, nonpersonal information, saying that such speech does notrelate to a matter of public concern and therefore is entitled toreduced constitutional protection. The court held that there is a"substantial" governmental interest in protecting the privacy ofconsumer credit information, and found the FTC regulations to benarrowly tailored to achieve that interest. The court rejected TransUnion's argument that the FTC could have restricted less speech bycreating an additional notice and opt-out mechanism for third parties.

"There is no reason to believe a consumer would be more eager torelinquish his privacy right to a [credit reporting agency] thatsubsequently obtains his [nonpublic personal information] than he wasto the financial institution with which he initially dealt," JudgeKaren Henderson wrote.

Trans Union L.L.C. v. Fed. Trade Comm'n, No. 01-5202, 2002 U.S. App.
LEXIS 14321 (D.C. Cir. July 16, 2002):

[5] FCC Adopts Modified Opt-In Plan for Customer Information

The Federal Communications Commission adopted rules last week designedto protect sensitive personal information of customers oftelecommunications carriers. The Order provides for opt-in customerapproval for carriers' release of customer information to thirdparties, but permits opt-out consent for release of information toaffiliated parties. The Order specifically states that the Commissionwill not block or preempt state efforts to regulate CPNI.

The regulations relate to "customer proprietary network information,"
which is protected from use absent "customer approval" by the 1996Communications Act. The FCC promulgated a rule in 1998 that requiredtelecommunication carriers to obtain explicit customer approval(opt-in) before using such information in any manner inconsistent withprovision of services. The FCC explicitly rejected an opt-outapproach as insufficiently protective of customer privacy. However,
in 1999 the U.S. Court of Appeals for the 10th Circuit ruled that theopt-in approach did not pass First Amendment scrutiny because thedecision to require "opt-in" was not adequately considered orsupported by existing facts.

In a statement issued with last week's regulations, Commissioner Coppscriticized the Commission's failure to adopt a total opt-in approach,
stating that the Order "does not preclude companies in all instancesfrom selling to the highest bidder personal and detailed informationabout who Americans call, when they call, and how long they talk, aslong as these companies use it for some 'communications related'
purpose and have some undefined and murky affiliation, agencyrelationship, or partnership with the phone company." Both ChairmanPowell and Commissioner Martin indicated that the FCC would revisitthe issue "if evidence in the marketplace indicates that these rulesare insufficient to protect the consumers' right to safeguard theirpersonal information."

Commissioners' statements and the FCC press release are posted on theFCC website:

EPIC's CPNI page:

[6] EPIC Critiques Digital Rights Management Systems

EPIC recently submitted public comments in response to a recentDepartment of Commerce workshop on the current state of technicalstandards for digital rights management (DRM). The comments discussedthe potential harms of DRM on consumer and societal rights. Panelistsfrom the Recording Industry Association of America, the Motion PictureAssociation of America, Disney, two record companies, Microsoft, andAOL Time Warner were in attendance at the workshop. However, only onepanelist represented consumers, although the audience -- which was notallowed to address the roundtable -- was largely composed of publicinterest advocates.

The Department invited written submissions on four topics: theeffectiveness of DRM technologies to provide a more predictable andsecure environment for copyrighted material, major obstacles facing anopen commercial exchange of digital content, what a future frameworkfor success might entail, and current consumer attitudes towardsonline entertainment. EPIC responded to these questions by arguingthat existing DRM technologies, designed to increase predictabilityand security, invariably do so at the expense of consumers' rights toprivacy, freedom of expression, and "fair use," as well as the generalpromotion of science and the useful arts. Far from creating positiveconditions for commerce, EPIC argued that DRM subsidizes inefficientchannels of content delivery in the face of more efficient and moreequitable systems of distribution.

EPIC's Comments on DRM are available at:

EPIC's DRM Web Page:

[7] EPIC Bookstore - Ruling the Root

Milton L. Mueller, "Ruling the Root" (MIT Press 2002)

Ten years ago 1,500 people gathered in Kobe, Japan for the firstannual meeting of the Internet Society. The mood was upbeat and theprogram fast-paced. Panels and workshops explored net access in thedeveloping world, new network applications and technologies, andmulti-media techniques. A track on policy examined privacy, security,
appropriate use and globalization, but the focus at the conference wasclearly the protocols, not the policies. Lawyers were the exception.
There was no Mosaic, let alone Netscape. "Governance" was not yet onthe agenda.

Fast forward to the present. The recent meetings of ICANN, the entitycreated by the Department of Commerce to manage the central rootserver, have been nothing short of rancorous. An experiment inInternet self-governance has mutated into an exercise in secretpolicies, outraged critics, and increasing failures to make realpublic participation.

What has happened in the past decade that has turned Internet policyinto such unpleasant business? A good answer to this question will befound in Milton Mueller's Ruling the Root (MIT Press 2002).

Mueller traces the early days of root management, associated with thebenevolent rule of Jon Postel, through the efforts of Ira Magazinerand the Department of Commerce to create a non-profit corporation thatwould "reflect the will of the Internet community," on to the presentday struggles where the struggles over public participation,
legitimacy, and scope threaten to pull the plug on ICANN.

His interest is in understanding how the management of the root, whichperhaps was too easily called "governance," became institutionalized.
His conclusion is simple: instead of a decentralized form ofgovernance, root management came to resemble radio frequencyallocation where a scarce resource (or a perhaps more precisely, aresource made scarce) could be used to leverage other policy goals.
Or to push the Internet back into one of the boxes of Ithiel Pool'sfamous taxonomy of communications technologies, management of the rootwas treated as broadcast regulation rather than print publication.
Not surprisingly, a battle over the allocation of newly mintedproperty rights followed.

Mueller's writing is clear and the coverage of the topic extensive,
though some may find the discussion slow-going. This is not KatieHafner writing about the creation of the Internet or Steven Levy onthe birth of the hacker culture. But this is a careful and seriousexploration of a topic in desperate need of such treatment. Muellerpropose several theoretic models to explain such topics in Internetdevelopment as resource allocation and the formation of propertyrights, though Mueller's well chosen analogies may actually do more tohelp clarify some of the current policy challenges. Consider, forexample, why there is little public debate over Ethernet addresses(they are simply numbers, not names) or what the consequences might beof adopting a controlled vocabulary for network identities (cardcatalogs are too formal). As professor Michael Froomkin elsewhereobserved, the "metaphor is the key" in many of the critical technologypolicy debates.

Mueller touches briefly on some of the privacy problems that followfrom the current administration of the Internet. The WHOIS database,
originally intended to allow network administrators to find and fixproblems with minimal hassle, now offers one-stop shopping forspammers, criminal investigators, and copyright enforcers. That WHOISdata might be used for such purposes is probably unavoidable, butwhether WHOIS should be designed to facilitate such use is a topicthat deserves more debate.

Some of the conflicts in the growth of the Internet could beanticipated. The use of names rather than numbers to identifycomputers connected to the Internet created genuine concerns for bothtrademark maximalists and trademark minimalists. But it also createdvalue and to go back to a system of numbers at this point, as somehave urged, would still be a net loss.

Mueller himself seems to oscillate between skeptic and idealist as heoffers his own assessment of the prospects for Internet governance.
At times he appears critical of those, such as Internet law expertDavid Johnson and cyberprof David Post, who believed that a new formof government for the Internet was not only possible but necessary.
At other times, he chastises those trademark lawyers who vigorouslyprotected their clients interests in the .com domain asking why thiswas necessary when the Internet made possible a much broader domainspace. Well, yes, that would be true if the address space did indeedexpand, but scarcity is the current reality.

Mueller offers a clear warning that the institutionalization of theroot threatens to diminish the openness and decentralization of theInternet. But maybe there is another warning as well. Perhapsgovernance should be left to governments. At least governments thatcreate the opportunity to vote have found it very difficult to laterretract the right.

- Marc Rotenberg

EPIC Publications:

"Privacy & Human Rights 2001: An International Survey of Privacy Lawsand Developments," (EPIC 2001). Price: $20.

This survey, by EPIC and Privacy International, reviews the state ofprivacy in over fifty countries around the world. The survey examinesa wide range of privacy issues including, data protection, telephonetapping, genetic databases, ID systems and freedom of informationlaws.

"The Privacy Law Sourcebook 2001: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2001).
Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20.

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

[8] Upcoming Conferences and Events

O'Reilly Open Source Convention. O'Reilly and Associates. July 22-26,
2002. San Diego, CA. For more information:

Cyberwar, Netwar and the Revolution in Military Affairs: Real Threatsand Virtual Myths. International School on Disarmament and Research onConflicts (ISODARCO). August 3-13, 2002. Trento, Italy. For moreinformation:

Emerging High Technology Legal Issues. University of Washington Schoolof Law, Washington Law School Foundation, and Shidler Center for LawCommerce and Technology. August 5-7, 2002. Seattle, WA. For moreinformation:

IT and Law. University of Geneva, University of Bern, SwissAssociation of IT and Law. September 9-10, 2002. Geneva, Switzerland.
For more information:

ILPF Conference 2002: Security v. Privacy. Internet Law & PolicyForum. September 17-19, 2002. Seattle, WA. For more information:

Privacy2002: Information, Security & New Global Realities. TechnologyPolicy Group. September 24-26, 2002. Cleveland, OH. For moreinformation:

Bridging the Digital Divide: Challenge and Opportunities. 3rd WorldSummit on Internet and Multimedia. October 8-11, 2002. Montreux,
Switzerland. For more information:

2002 WSEAS International Conference on Information Security (ICIS'02). World Scientific and Engineering Academy and Society. October14-17, 2002. Rio de Janeiro, Brazil. For more information:

IAPO Privacy & Security Conference. International Association ofPrivacy Officers. October 16-18, 2002. Chicago, IL. For moreinformation:

3rd Annual Privacy and Security Workshop: Privacy & Security: TotallyCommitted. Centre for Applied Cryptographic Research, University ofWaterloo and the Information and Privacy Commissioner/Ontario.
University of Toronto. November 7-8, 2002. Toronto, Canada. For moreinformation:

First Hawaii Biometrics Conference. Windward Community College,
Pacific Center for Advanced Technology Training (PCATT). November10-13, 2002. Waikiki, HI. For more information:

Transformations in Politics, Culture and Society. Inter-
Disciplinary.Net. December 6-8, 2002. Brussels, Belgium. For moreinformation:

18th Annual Computer Security Applications Conference (ACSAC):
Practical Solutions to Real Security Problems. Applied ComputerSecurity Associates. December 9-13, 2002. Las Vegas, NV. For moreinformation:

Third Annual Privacy Summit. International Association of PrivacyOfficers. February 26-28, 2003. Washington, DC. For more information:

CFP2003: 13th Annual Conference on Computers, Freedom, and Privacy.
Association for Computing Machinery (ACM). April 1-4, 2003. New York,
NY. For more information:

Subscription Information

Subscribe/unsubscribe via Web interface:

Subscribe/unsubscribe via email:

Subject line: "subscribe" or "unsubscribe" (no quotes)

Help with subscribing/unsubscribing:

Subject: "help" (no quotes)

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email addressfrom this list, please follow the above instructions under"subscription information". Please contact if you wouldlike to change your subscription email address, if you areexperiencing subscription/unsubscription problems, or if you have anyother questions.

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information,
e-mail, or write EPIC, 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learnLatin at the same time! Receive a free "sed quis custodietipsos custodes?" coffee mug with donation of $75 or more.

Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 9.14


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback